Introduction:
Some vulnerabilities affect only specific versions of a DNS server, and an attacker who can read the version banner knows exactly which exploit to pick. It is therefore a best practice to hide, or replace, the software version that your DNS servers report.
Run the following command to check whether the version of the DNS server running on your system can be discovered remotely:
dig chaos txt version.bind @IP_ADDRESS +short
Note: Replace IP_ADDRESS with the IP address of your server. If you see a response like the following, the software version is publicly exposed:
"PowerDNS Authoritative Server 4.3.1 (built Mar 10 2021 14:04:28 by root@rpmbuild-64-centos-8.dev.cpanel.net)"
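The following script, an added example and not part of the original article, automates the check above: it runs the dig query against each nameserver named on the command line and classifies the reply as exposed (a real version number came back), masked (a reply with no version in it, such as BIND's version "unknown" or PowerDNS's powerdns setting), hidden (nothing came back, which is what BIND's version none and PowerDNS's anonymous setting produce) or unreachable. The server names in the usage comment are placeholders, and the sample replies in the comments are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not from the original article): audit nameservers for an
# exposed version.bind banner. Requires dig (bind-utils / dnsutils package).

# classify_version_reply REPLY
# REPLY is the text printed by: dig @SERVER version.bind txt chaos +short
# Prints one of:
#   exposed - reply contains a dotted version number, e.g. "9.16.1" or
#             "PowerDNS Authoritative Server 4.3.1 (built ...)" (constructed samples)
#   masked  - a reply came back but carries no version, e.g. "unknown" or
#             "Served by PowerDNS - https://www.powerdns.com/"
#   hidden  - empty reply: the server refused the query or answered ServFail,
#             which is what BIND's "version none;" and PowerDNS's
#             version-string=anonymous produce
classify_version_reply() {
  reply=$(printf '%s' "$1" | tr -d '"')      # dig quotes TXT data; drop the quotes
  if [ -z "$reply" ]; then
    echo hidden
  elif printf '%s\n' "$reply" | grep -Eq '[0-9]+\.[0-9]+'; then
    echo exposed
  else
    echo masked
  fi
}

# audit_nameserver SERVER
# Runs the live query, prints "SERVER<TAB>verdict<TAB>reply" and returns
# non-zero when the verdict is exposed (or when dig is not installed).
audit_nameserver() {
  server=$1
  command -v dig >/dev/null 2>&1 || { echo "dig not found in PATH" >&2; return 2; }
  if reply=$(dig "@$server" version.bind txt chaos +short +time=2 +tries=1 2>/dev/null); then
    verdict=$(classify_version_reply "$reply")
  else
    verdict=unreachable                      # no answer at all (timeout, bad name)
    reply=
  fi
  printf '%s\t%s\t%s\n' "$server" "$verdict" "$reply"
  [ "$verdict" != exposed ]
}

# Usage: sh dns-version-audit.sh ns1.example.test 192.0.2.53
# (the server names above are placeholders). Exit status is 1 if any server
# still leaks a version, so the script can run from cron or a CI job.
if [ "$#" -gt 0 ]; then
  rc=0
  for ns in "$@"; do
    audit_nameserver "$ns" || rc=1
  done
  [ "$rc" -eq 0 ] || exit "$rc"
fi
```

Run it once before and once after applying the BIND or PowerDNS change below. Both masked and hidden are acceptable results; the classifier treats any dotted number in the reply as a leaked version, so a custom version string that happens to contain one would be flagged as exposed.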
How To Hide The DNS Server Version?
BIND:
In BIND, edit the main configuration file /etc/named.conf and add the following option to the options { } block. The BIND reference manual describes it as follows:
version
This is the version the server should report via a query of the name version.bind with type TXT and class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries. Setting version to any value (including none) also disables queries for authors.bind TXT CH.
So this is how it should look after the change has been made (use version none; instead of a string if you prefer the server not to answer these queries at all; restart named afterwards and re-run the dig check):
options {
// Hide bind version
version "unknown";
};
PowerDNS:
For PowerDNS the main configuration file is /etc/pdns/pdns.conf, and the option to set is version-string. The PowerDNS documentation describes it as follows:
version-string
- Any of: anonymous, powerdns, full, String - Default: full
When queried for its version over DNS (dig chaos txt version.bind @pdns.ip.address), PowerDNS normally responds truthfully. With this setting you can overrule what will be returned. Set the version-string to full to get the default behaviour, to powerdns to just make it state Served by PowerDNS - https://www.powerdns.com/. The anonymous setting will return a ServFail, much like Microsoft nameservers do. You can set this response to a custom value as well.
After the change, restart PowerDNS and confirm that the active (non-commented) settings include the following line; the grep below strips comments and blank lines so only the effective value is shown:
grep -Eiv "(^#.*|^$)" /etc/pdns/pdns.conf | grep -Ei version
version-string=anonymous