"Hiding" version.bind in /etc/bind/named.conf.options doesn't work

Bob Harold rharolde at umich.edu
Wed Feb 28 15:57:02 UTC 2018


On Wed, Feb 28, 2018 at 8:55 AM, Ing. Pedro Pablo Delgado Martell <
ppmartell at eleka.co.cu> wrote:

> Good morning, I'm trying to make it more difficult for an attacker to get
> my DNS server version. I have been following several posts about doing this
> and mostly all of them suggest to modify the
> */etc/bind/named.conf.options* file and add the lines:
>
> options {
>
> version "Not available";   // Or any bogus info, or just none without quotes
>
> }
>
> Then restart the service (*service bind9 restart*) and the version will
> not be shown, only the defined text, in this case "Not available". However,
> after doing this and restarting the service I'm still getting my server
> version. Am I placing these lines in the wrong file? Thanks in advance!
>
> ------------------------------------
>
> Bind version:       9.10.2-P3
>
> OS:                        Debian GNU/Linux 8 (jessie)
>
Those instructions assume that the */etc/bind/named.conf.options* file
is 'included' in the main named.conf file.
Just add the "version" line to your named.conf file options section.

If you don't know where your named.conf file is, try this command:
ps -ef | grep named

which should get some result, like maybe:
named     1728     1  0 Feb11 ?        01:55:51 /usr/local/sbin/named -t
/replicated/jail/named -u named -n 2 -U 2 -S 16384

If there was a "-c" option, it would tell you the name of the config file.
If not, like this example, the default is "/etc/named.conf".

Note the "-t" option, which says we are doing chroot to
/replicated/jail/named
So my config file is at:
/replicated/jail/named/etc/named.conf

-- 
Bob Harold
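As an added example (written for this archive page, not code from either poster), a POSIX shell script that applies Bob's two checks offline: derive the config path from the named command line, honouring -c and -t, and then test whether a version directive is actually in effect once named.conf's include lines are followed. The function names, the live dig check and the sample files are my own constructions.

```shell
#!/bin/sh
# named_conf_path: derive the config file a running named reads from its
# command line (as shown by "ps -ef | grep named"). -c overrides the default
# /etc/named.conf; -t prefixes the (absolute) path with the chroot directory.
named_conf_path() {
    conf=/etc/named.conf
    chroot=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -c) conf="$2"; shift ;;
            -t) chroot="$2"; shift ;;
        esac
        shift
    done
    printf '%s%s\n' "$chroot" "$conf"
}

# version_directive_status: print "set" if the config, or any file it pulls in
# with a BIND 'include "path";' line, carries an active (uncommented)
# 'version "...";' or 'version none;' directive, otherwise print "missing".
version_directive_status() {
    conf="$1"
    # one include level covers the Debian named.conf -> named.conf.options split
    incs=$(sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$conf")
    # shellcheck disable=SC2086  (word splitting of $incs is intended; -s hides missing files)
    if grep -Eqs '^[[:space:]]*version[[:space:]]+("[^"]*"|none)[[:space:]]*;' "$conf" $incs; then
        echo set
    else
        echo missing
    fi
}

# live_version_check: ask the running server what it answers for version.bind
# (CHAOS class); run it after restarting named to confirm the directive took effect.
live_version_check() {
    dig @"${1:-127.0.0.1}" +short chaos txt version.bind
}

# Constructed demo mirroring the thread: a jailed named started without -c.
named_conf_path /usr/local/sbin/named -t /replicated/jail/named -u named -n 2
```

If version_directive_status prints "missing" for the path named_conf_path reports, the edited named.conf.options is not the file named reads.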