How to Grab | Disable BIND Version Banner

By | 2012/06/07

By default the BIND DNS server reveals its version to anyone who asks for it. Security-minded admins may want to disable the BIND version banner. I’ll show you how!


Grab BIND banner

It is possible to use dig, host, nslookup or whatever your favorite DNS tool may be to query the BIND banner. I like the host command so here is how it works with host:

$ host -c chaos -t txt version.bind ns1.example.com
Using domain server:
Name: ns1.example.com
Address: 192.168.1.1#53
Aliases: 

version.bind descriptive text "9.3.6-P1-RedHat-9.3.6-20.P1.el5"


Disable BIND banner

To change this banner, edit named.conf and put in whatever version indication you wish. Example:

$ sudo nano /etc/named.conf

Add the version option inside the options block (named.conf usually already has one; add the statement to it rather than creating a second block). Note the straight quotes and the semicolon after the closing brace, both of which named requires:

options {
    version "none";
};

Restart BIND, and now your DNS server will reflect:

$ host -c chaos -t txt version.bind ns1.example.com
Using domain server:
Name: ns1.example.com
Address: 192.168.1.1#53
Aliases:

version.bind descriptive text "none"
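The same check as a small Python tool, useful for auditing your own name servers after the change instead of relying on host. This is an added example, not from the original post: it builds the CHAOS-class TXT query for version.bind by hand, parses the answer section, and the response bytes embedded at the bottom are constructed sample data, not a capture.

```python
import secrets
import socket
import struct

CLASS_CH, TYPE_TXT = 3, 16     # CHAOS class and TXT type: what `host -c chaos -t txt` asks for

def build_version_query(qname="version.bind", txid=None):
    """Raw DNS query for <qname> TXT in class CHAOS with a random transaction id."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def _skip_name(msg, off):
    while msg[off] and msg[off] & 0xC0 != 0xC0:     # labels until 0 terminator or pointer
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)             # pointer is 2 bytes, terminator is 1

def parse_txt_answers(resp, txid=None):
    """TXT strings from the answer section; [] if the server returns no answer (e.g. REFUSED)."""
    rid, _flags, qdcount, ancount = struct.unpack_from("!HHHH", resp)
    if txid is not None and rid != txid:
        raise ValueError("transaction id mismatch")   # ignore replies we did not ask for
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4             # skip QTYPE + QCLASS
    texts = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0
            while pos < len(rdata):                 # TXT rdata: <len><bytes> repeated
                texts.append(rdata[pos + 1:pos + 1 + rdata[pos]].decode("latin-1"))
                pos += 1 + rdata[pos]
    return texts

def query_version(server, port=53, timeout=3.0):
    """Send the CHAOS TXT query over UDP to one of your own servers; return its banner strings."""
    query = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        return parse_txt_answers(sock.recvfrom(4096)[0], struct.unpack_from("!H", query)[0])

# Constructed response (not a capture): id 0x1234, flags QR|RD|RA, one question, answer "none".
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07version\x04bind\x00\x00\x10\x00\x03"
                   b"\xc0\x0c\x00\x10\x00\x03\x00\x00\x00\x00\x00\x05\x04none")
```

After the named.conf change, `query_version("ns1.example.com")` should return `["none"]` (or whatever string you configured) rather than the package version.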

Hack on,
