Small blog about system administration.

HOWTO: Hide DNS Software Version

Sometimes a new vulnerability is found in DNS software and script kiddies scan the Internet to exploit unpatched systems. It is a best practice to hide the software version on your DNS servers; although this is not real protection, it makes it a little harder to find your servers via scanning.
Use the dig command to find out which version your name servers report:
$ dig +short @ns1.example.com version.bind txt chaos
"9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1"

Bind

To hide the version when using Bind, open the named.conf configuration file in your favorite editor, go to the options section and set a custom version string with the version option.
Example:
// /etc/named.conf
options {
  // Hide bind version
  version "unknown";
};
Restart the server (on Debian-based systems the service is called bind9 instead of named):
$ sudo service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Verify that the server now returns the new version string:
$ dig +short @ns1.example.com version.bind txt chaos
"unknown"

Knot

Edit knot.conf and set the version parameter in the system section to off:
system {
  # Answer to CH TXT 'version.server' or 'version.bind' queries
  version off;
}
Restart the server to apply changes:
$ sudo service knot restart
Stopping knot: .                                          [  OK  ]
Starting knot:                                            [  OK  ]

NSD

Edit the nsd.conf configuration file and set the hide-version parameter to yes in the server section.
# /etc/nsd/nsd.conf
server:
  # Don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
  hide-version: yes
Restart the NSD server:
$ sudo service nsd restart
Stopping nsd:                                              [  OK  ]
Starting nsd:                                              [  OK  ]

TinyDNS

TinyDNS doesn't expose its version.

Microsoft DNS

To control how the server responds to version queries, use the dnscmd command with the EnableVersionQuery parameter. Possible values:
  • 0x00000000 (DNS_VERSION_QUERY_OFF) No version information will be returned.
  • 0x00000001 (DNS_VERSION_QUERY_FULL) The server responds with major operating system version, minor operating system version, and operating system revision.
  • 0x00000002 (DNS_VERSION_QUERY_MINIMAL) The server responds with major operating system version and minor operating system version.
Example:
dnscmd /config /EnableVersionQuery 0
On Windows Server 2008 and Windows Server 2008 R2, the default value is 0x00000001. On Windows Server 2012 and Windows Server 2012 R2, the default value is 0x00000000.
