Security check - version query
The version-query security check sends a CHAOS class TXT query for version.bind to collect information about the name server software and its version.
It is always good security practice to avoid information leaks of any kind. Left unchanged, the default configuration of many DNS server packages will share software and version information, possibly even the operating system version. This feature is helpful for administrators who want to quickly identify DNS servers, but this information should not be shared with the world. Just look at it as a remnant of a time when trust wasn't an issue...
The check issues a Warning message when it encounters any string of characters in the ANSWER section of a NOERROR response. The associated message tells you which string the DNS server responded with.
Note 1. A string in a query response might be OK as long as it doesn't disclose the kind of information an attacker might find useful.
Note 2. The implementation of the namespace in the CHAOS class, and its use, differs between DNS vendors, as described in the Informational RFC 4892. Different DNS vendors also have their own interpretation of how to disallow these queries. As a result, no matter how you choose to configure the server to respond to this type of query, an attacker might still figure out the type of software used by analysing the content of the response.
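As an added illustration of the check's decision rule (this is not the tool's own code), the following Python parses a raw DNS reply to the CHAOS TXT version.bind query and applies the rule described above: any text in the ANSWER section of a NOERROR reply produces the warning, while an empty NOERROR reply or a SERVFAIL passes. The sample replies, including the version string 9.16.1, are constructed for the example rather than captured from a real server.

```python
import struct

# Added example (not the check's own code): classify a raw DNS reply to a
# CHAOS TXT version.bind query. The sample replies at the bottom are constructed.
QTYPE_TXT, QCLASS_CHAOS = 16, 3
QUESTION = b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def build_version_query(txid=0x1234):
    """RFC 1035 wire-format query: id, flags (RD set), 1 question, CH/TXT version.bind."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION

def _skip_name(msg, off):
    """Advance past a domain name, whether written out or a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def check_version_response(msg):
    """Return ('OK', None) or ('WARNING', 'Version query response: <text>')."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0:              # RCODE other than NOERROR (SERVFAIL, REFUSED, ...)
        return ("OK", None)
    off = 12
    for _ in range(qd):                  # step over the question section
        off = _skip_name(msg, off) + 4
    strings = []
    for _ in range(an):                  # walk every ANSWER record
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == QTYPE_TXT and p < len(rdata):   # TXT rdata: <len><chars>...
            n = rdata[p]
            strings.append(rdata[p + 1:p + 1 + n].decode(errors="replace"))
            p += 1 + n
    if any(strings):                     # an empty TXT string counts as no leak
        return ("WARNING", "Version query response: " + " ".join(strings))
    return ("OK", None)

# Constructed replies: version leaked, empty NOERROR, and SERVFAIL.
LEAKY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
         + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, 7) + b"\x069.16.1")
EMPTY_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + QUESTION
SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUESTION
```

To run it against a live server, send build_version_query() over UDP to port 53 and pass the raw reply to check_version_response.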
Event severities and messages
WARNING
Version query response: string
If the string represents the software and version you use, chances are you still use the default configuration or have a very relaxed security policy.
Our suggestion, in order to give up as little information as possible, is to configure the name server to respond with a neutral query response, preferably an empty NOERROR response.
You could, of course, already have dealt with this problem by supplying your own text string in the response and be happy with that. We have no problem with that approach, although the check will continue to show the WARNING message.
If you find the warning message annoying, you can easily turn off this check by right-clicking the check cell and toggling the check to the off position in the pop-up menu.
Solutions, tips & tricks
BIND
The version statement in the options block controls how your name server responds to CHAOS class version queries.
The following statement forces the BIND server to respond with an empty NOERROR response.
    options {
        version none;
    }
The following statement forces the BIND server to respond with the string "None of your business".
    options {
        version "None of your business";
    }
By omitting the version statement the BIND server will respond with its compiled version number.
NSD
The version and hide-version statements in the server: section control how the NSD server responds to CHAOS class version queries.
The following statement forces the NSD server to respond with an empty NOERROR response.
    server:
        hide-version: yes
The following statements force the NSD server to respond with the string "unknown" (hide-version may be set to no or omitted).
    server:
        version: "unknown"
        hide-version: no
By omitting the version and hide-version statements altogether the NSD server will respond with its compiled version number.
Knot DNS
The version statement in the server section of knot.conf controls how the server responds to CHAOS class version queries and should be set to an empty value.
    server:
        version: ""
PowerDNS
The recommended suggestion from PowerDNS is that you use the setting below in the pdns.conf file. The setting anonymous will return a SERVFAIL response (which we accept as OK in this check). Be aware that both PowerDNS and Microsoft DNS respond this way, which may give a potential attacker valuable clues about your server software.
    version-string=anonymous
Our suggestion is that you use an empty string in the pdns.conf file instead of the recommended one, to force an empty response, which is more neutral than the SERVFAIL response.
    version-string=""
YADIFA
The YADIFA server can prevent the CHAOS class version from being shown by editing the version statement in the main configuration section.
The following statement forces the YADIFA server to respond with an empty NOERROR response.
    <main>
        version ""
    </main>