Glen Turner (vk5tu) wrote,

BIND's version command is a misfeature

You can ask the version of BIND with a command

$ dig +norecurse @ns1.aarnet.net.au ch txt version.bind

Of course not everyone is keen on that information leakage. So BIND has a version command which allows you to give arbitrary text. You often see configurations like

options {
  version "Some all-too-long text trying all-too-hard to be funny";
};

Please don't do this. All you are doing is sending back a longer packet than you received, in response to a connectionless, unauthenticated request. Can you say "handy for use in a traffic multiplier attack?"

Instead, simply return REFUSED for the zone. A REFUSED response is the same size as the request.

Set up a zone ...

$TTL 1D
$ORIGIN bind.
@ 1D  CHAOS SOA localhost.  root.localhost. (
   1
   3H
   1H
   1W
   1D  )
 CHAOS  NS localhost.

... and then prohibit access to it:

zone "bind" chaos {
  type master;
  file ".../bind";
  allow-query {
    none;
  };
  allow-transfer {
    none;
  };
};
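To see the size argument above in bytes, here is an added example (not from the original post) that builds the wire-format query `dig +norecurse ch txt version.bind` sends, then compares a REFUSED reply against one carrying a long TXT answer. The replies are constructed in code rather than captured from a server, and the EDNS OPT record dig adds by default is omitted.

```python
import struct

QTYPE_TXT, QCLASS_CH = 16, 3
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def build_version_query(txid=0x1234):
    """Wire-format equivalent of `dig +norecurse ch txt version.bind`:
    one question, no header flags set (RD clear), no EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def summarize_reply(query, reply):
    """Return the rcode name, answer count and reply/query size ratio.
    The ratio is the amplification a reflector hands to whoever spoofed
    the source address of the query."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": an,
            "ratio": len(reply) / len(query)}


def constructed_reply(query, rcode, txt=None):
    """Constructed sample reply, not captured traffic. A REFUSED reply
    echoes only the question; a NOERROR reply appends one CH TXT answer
    carrying `txt`, with the owner name compressed to a pointer at offset 12."""
    txid, question = query[:2], query[12:]
    answers, an = b"", 0
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode()
        rr_fixed = struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata))
        answers, an = b"\xc0\x0c" + rr_fixed + rdata, 1
    flags = 0x8000 | (0x0400 if an else 0) | rcode   # QR, AA only on answers
    header = txid + struct.pack("!HHHHH", flags, 1, an, 0, 0)
    return header + question + answers


if __name__ == "__main__":
    q = build_version_query()
    funny = "Some all-too-long text trying all-too-hard to be funny"
    for label, rcode, txt in (("REFUSED", 5, None), ("TXT answer", 0, funny)):
        print(label, summarize_reply(q, constructed_reply(q, rcode, txt)))
```

Run against a live server by replacing the constructed reply with the datagram returned for `build_version_query()`; a correctly configured server yields a ratio of 1.0.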
Tags: linux