Determining/hiding BIND version number

Both nslookup and dig can query a remote BIND nameserver's version number:

dig @nameserver version.bind txt chaos
VERSION.BIND.           0       CH      TXT     "8.3.4-REL"

nslookup -type=txt -class=chaos version.bind nameserver
VERSION.BIND    text = "8.3.4-REL"

If BIND is installed on the machine you are logged in to, run named -v to determine its version.

Although hiding the BIND version number will not prevent automated cracking tools from exploiting vulnerable nameservers, you should still prevent "banner grabbing," that is, letting others gather version information about services running on your machines.

To change the version information returned by your BIND nameserver, create a version line in your named.conf file's options directive.


options {
    version "Not disclosed";
};

Send the named process a SIGHUP for the change to take effect.

kill -HUP `cat path_to/`

dig @nameserver version.bind txt chaos
VERSION.BIND.           0       CH      TXT     "Not disclosed"
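
The same check can be scripted at packet level, for example in a monitoring job that confirms the banner stays hidden. This is an added example, not part of the original page: the function names, the constructed sample replies, and the "digits.digits" heuristic for spotting a version string are all assumptions.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(name="version.bind", qid=0x1234):
    """Build a minimal DNS query for `name` TXT in class CHAOS."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0)  # one question, no flags
    return header + labels + b"\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a name, handling compression pointers."""
    while msg[off] != 0:
        if (msg[off] & 0xC0) == 0xC0:  # 2-byte pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_version(msg):
    """Return the first CH TXT answer string in a DNS reply, or None."""
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            return msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace")
        off += rdlen
    return None

def discloses_version(txt):
    """True if the banner contains something shaped like a version number."""
    return bool(txt) and re.search(r"\d+\.\d+", txt) is not None

def sample_reply(txt):
    """Constructed reply (not captured from a real server) carrying `txt`."""
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)  # QR + AA set
    return header + build_query()[12:] + answer

if __name__ == "__main__":
    for banner in ("8.3.4-REL", "Not disclosed"):
        seen = parse_version(sample_reply(banner))
        print(f"{seen!r}: discloses version = {discloses_version(seen)}")
```

To run it against your own nameserver, send build_query() over UDP to port 53 and pass the reply bytes to parse_version().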

Last modified: 12/03/2003