Introduction:
There are certain vulnerabilities that might be targeted towards only certain versions of a DNS server. To protect against such vulnerabilities it's a best practice to hide the software version for your DNS servers.
You can run the following command to see if it's possible to find which version of a DNS server is running on your system:
dig chaos txt version.bind @IP_ADDDRESS +short
Note: You need to replace IP_ADDRESS with the IP address of your server. If you see something like the following in response, then this means that the software version is publically exposed:
"PowerDNS Authoritative Server 4.3.1 (built Mar 10 2021 14:04:28 by root@rpmbuild-64-centos-8.dev.cpanel.net)"
How To Hide The DNS Server Version?
BIND:
In BIND you need to modify the main configuration file /etc/named.conf and add the following configuration option to the option{ } blcok.
version
This is the version the server should report via a query of the name version.bind with type TXT and class CHAOS. The default is the real version number of this server. Specifying version none disables processing of the queries.
Setting version to any value (including none) also disables queries for authors.bind TXT CH.
So this is how it should look after the appropriate changes have been made:
options {
// Hide bind version
version "unknown";
};
PowerDNS:
For PowerDNS the main configuration file is this:
/etc/pdns/pdns.conf
And the option that needs to be modified is this:
version-string
- Any of:
anonymous,powerdns,full, String - Default: full
When queried for its version over DNS (dig chaos txt version.bind @pdns.ip.address), PowerDNS normally responds truthfully. With this setting you can overrule what will be returned. Set the version-string to full to get the default behaviour, to powerdns to just make it state Served by PowerDNS - https://www.powerdns.com/. The anonymous setting will return a ServFail, much like Microsoft nameservers do. You can set this response to a custom value as well.
So after the changes are made the file should contain the following line:
grep -Eiv "(^#.*|^$)" /etc/pdns/pdns.conf | grep -Ei version
version-string=anonymous
Comments
0 comments
Article is closed for comments.