I have two servers running BIND 9.3.1, and unfortunately anyone can read the version number with the following query:
$ dig @nameserver version.bind txt chaos
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "9.3.1"
This is a security risk: an attacker can check whether the version in use contains known buffer overflow vulnerabilities before deciding to attack it.
A simple work-around is to add the following to /var/named/chroot/etc/named.conf (the path used by a chrooted BIND; put the version statement inside the existing options block rather than adding a second one, since named accepts only one options statement):
options {
    version "Not disclosed";
};
On re-running the same query, the answer returned is:
;; ANSWER SECTION:
VERSION.BIND. 0 CH TXT "Not disclosed"
I recommend that system administrators do the same. Note that this only hides the banner: a vulnerable 9.3.1 remains vulnerable, so this complements patching rather than replacing it.