Hide DNS Software Version
Sometimes a new vulnerability is found in DNS software, and script kiddies scan the Internet looking for unpatched systems to exploit. It is a best practice to hide the software version on your DNS servers. This is not real protection (the implementation can still be fingerprinted from its behaviour, and the only actual fix is patching promptly), but it makes it a little harder to find your servers by mass scanning.
Use the dig command to find out which version your name servers report. The version string is served as a TXT record for the name version.bind in the CHAOS class (version.server is a common alias; hostname.bind and id.server return the server's identity the same way and are worth checking too):
$ dig +short @ns1.example.com version.bind txt chaos
"9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1"
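As an added example (not part of the original page), the following Python script does the same thing as the dig command above without dig or any DNS library: it builds the raw CHAOS-class TXT query for version.bind, parses the reply and classifies the result as disclosed, masked or hidden. Run with a server name it sends a live UDP query; with no arguments it runs against constructed replies embedded in the script. The sample version string is the one shown above; the script name, the fixed txid 0x1234 used offline and the digits-based "masked"/"disclosed" heuristic are the example's own assumptions.

```python
import random
import socket
import struct
import sys

QTYPE_TXT = 16
QCLASS_CHAOS = 3  # the CH class used by `dig ... txt chaos`

def encode_name(name):
    """Encode a dotted name as DNS wire-format length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_chaos_query(name="version.bind", txid=0x1234):
    """Build the UDP packet dig sends for `dig @server <name> txt chaos`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_chaos_response(msg, txid):
    """Return {'rcode': int, 'txt': [strings]} from a CH TXT reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: reply is not for our query")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    txts = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            pos, parts = 0, []
            while pos < len(rdata):  # TXT RDATA is a sequence of <len><chars>
                slen = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
            txts.append("".join(parts))
    return {"rcode": flags & 0x000F, "txt": txts}

def assess(result):
    """Heuristic verdict (an assumption): real versions contain digits, masks do not."""
    if result["rcode"] != 0 or not result["txt"]:
        return "hidden"  # REFUSED/NXDOMAIN or an empty answer
    return "disclosed" if any(c.isdigit() for c in result["txt"][0]) else "masked"

def build_chaos_response(query, txt_value, rcode=0):
    """Constructed reply for the offline demo (not captured traffic)."""
    (txid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1 plus the RCODE
    if txt_value is None:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    data = txt_value.encode("ascii")
    rdata = bytes([len(data)]) + data  # single TXT string (<= 255 bytes)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer

def query_server(server, name="version.bind", timeout=3.0):
    """Live check: send the query over UDP port 53 and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_chaos_response(data, txid)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 chaos_check.py ns1.example.com
        for qname in ("version.bind", "hostname.bind"):
            r = query_server(sys.argv[1], qname)
            print(qname, assess(r), r["txt"])
    else:  # offline demo against the constructed replies
        q = build_chaos_query("version.bind", 0x1234)
        for value in ("9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1", "unknown"):
            r = parse_chaos_response(build_chaos_response(q, value), 0x1234)
            print(repr(value), "->", assess(r))
        r = parse_chaos_response(build_chaos_response(q, None, rcode=5), 0x1234)
        print("REFUSED ->", assess(r))
```

The transaction id check is deliberate: when pointing the script at hosts you do not control, a reply whose id does not match is rejected instead of trusted. A "hidden" verdict covers both an error RCODE such as REFUSED (what a server configured not to answer these queries typically returns) and an empty answer; "masked" means the server answered with a string that carries no digits, such as "unknown".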
BIND
To hide the version when using BIND, open the named.conf configuration file in your favourite editor, go to the options section and set a custom version string with the version option. Setting version none; instead makes BIND refuse version.bind queries altogether, and the related hostname option (hostname none; to disable) controls what is returned for hostname.bind.
Example:
// /etc/named.conf
options {
// Hide bind version
version "unknown";
};
Restart the server (use bind9 instead of named on Debian-based systems), or run rndc reload to re-read the configuration without a restart:
$ sudo service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
Verify that the server is returning the new version string:
$ dig +short @ns1.example.com version.bind txt chaos
"unknown"
Knot
Edit knot.conf and set the version parameter in the system section to off (this is the Knot 1.x configuration syntax; Knot 2.x and later uses a server section with version and identity keys instead):
system {
# Used for answer to CH TXT 'version.server' or 'version.bind'
version off;
}
Restart the server to apply changes:
$ sudo service knot restart
Stopping knot: . [ OK ]
Starting knot: [ OK ]
NSD
Edit the nsd.conf configuration file and set the hide-version parameter to yes in the server section. NSD 4 also provides hide-identity: yes, which silences the companion hostname.bind and id.server queries.
# /etc/nsd/nsd.conf
server:
# Don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
hide-version: yes
Restart NSD server:
$ sudo service nsd restart
Stopping nsd: [ OK ]
Starting nsd: [ OK ]
Microsoft DNS
To control how the server responds to version queries, use the dnscmd command with the EnableVersionQuery parameter. Possible values:
0x00000000 (DNS_VERSION_QUERY_OFF) No version information will be returned.
0x00000001 (DNS_VERSION_QUERY_FULL) The server responds with major operating system version, minor operating system version, and operating system revision.
0x00000002 (DNS_VERSION_QUERY_MINIMAL) The server responds with major operating system version and minor operating system version.
Example:
dnscmd /config /EnableVersionQuery 0
On Windows Server 2008 and Windows Server 2008 R2, the default value is 0x00000001. On Windows Server 2012 and Windows Server 2012 R2, the default value is 0x00000000.