Monday, June 17, 2019

.::: How to Hide the BIND Version (DNS Version) :::.

Whenever a new vulnerability is found in DNS software, script kiddies scan the Internet for unpatched systems. It is good practice to hide the software version on your DNS servers. Note that this is not real protection — the only real fix is keeping BIND patched — and it only makes your servers slightly harder to find via naive version scans; the version can often still be estimated by fingerprinting the server's protocol behaviour.
Use the dig command to find out which version your name servers are currently reporting:

1. Check what version the BIND server reports before hiding it (a CHAOS-class TXT query for version.bind):
# dig @127.0.0.1 version.bind chaos txt

For example:

[root@bindserver network-scripts]# dig @127.0.0.1 version.bind chaos txt

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @127.0.0.1 version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47026
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.            CH    TXT

;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.9.4-RedHat-9.9.4-74.el7_6.1"

;; AUTHORITY SECTION:
version.bind.        0    CH    NS    version.bind.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 17 14:54:47 WIB 2019
;; MSG SIZE  rcvd: 97

[root@bindserver network-scripts]#


2. Add or edit the `version` directive inside the `options { ... };` block of /etc/named.conf and set it to `none` (you may also set it to an arbitrary string, e.g. `version "not disclosed";`, if you prefer to return a fixed non-informative answer). If you also want to hide the host name and server id, the related directives are `hostname none;` and `server-id none;`.

[root@bindserver network-scripts]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    .......
    version none;
/*
 ....
 

 3. Check the configuration syntax with `named-checkconf` and then restart (or reload) the BIND service:

[root@bindserver network-scripts]#
[root@bindserver network-scripts]# systemctl restart named
[root@bindserver network-scripts]#

4. Verify that the server no longer returns a version string. With `version none;` the query still succeeds (status NOERROR) but the answer section is empty (ANSWER: 0) and only a synthetic SOA for version.bind appears in the authority section:

# dig @127.0.0.1 version.bind chaos txt
For example:

[root@bindserver network-scripts]# dig @127.0.0.1 version.bind chaos txt

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @127.0.0.1 version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.            CH    TXT

;; AUTHORITY SECTION:
version.bind.        86400    CH    SOA    version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 17 15:00:59 WIB 2019
;; MSG SIZE  rcvd: 88

[root@bindserver network-scripts]#
[root@bindserver network-scripts]#



 
