Monday, June 17, 2019

.::: How to Hidden BInd Version /DNS Version :::.

Sometimes a new vulnerability is found in DNS software and script kiddies are scanning the Internet to exploit unpatched systems. It's a best practice to hide software version on your DNS servers, although this is not a real protection it just makes a little harder to find your servers via scanning.
Use dig command to find which version is running on your name servers:

1. Verify that bind server is before hidden version
# dig @127.0.0.1 version.bind chaos txt

as example

[root@bindserver network-scripts]# dig @127.0.0.1 version.bind chaos txt

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @127.0.0.1 version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47026
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.            CH    TXT

;; ANSWER SECTION:
version.bind.        0    CH    TXT    "9.9.4-RedHat-9.9.4-74.el7_6.1"

;; AUTHORITY SECTION:
version.bind.        0    CH    NS    version.bind.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 17 14:54:47 WIB 2019
;; MSG SIZE  rcvd: 97

[root@bindserver network-scripts]#


2. add/edit on configuration named.conf , change version to none

[root@bindserver network-scripts]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    .......
    version none;
/*
 ....
 

 3. restart bind service

[root@bindserver network-scripts]#
[root@bindserver network-scripts]# systemctl restart named
[root@bindserver network-scripts]#

4. Verify that server is returning new version string:

# dig @127.0.0.1 version.bind chaos txt
as example

[root@bindserver network-scripts]# dig @127.0.0.1 version.bind chaos txt

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> @127.0.0.1 version.bind chaos txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7726
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.            CH    TXT

;; AUTHORITY SECTION:
version.bind.        86400    CH    SOA    version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 17 15:00:59 WIB 2019
;; MSG SIZE  rcvd: 88

[root@bindserver network-scripts]#
[root@bindserver network-scripts]#



https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCArDKiQJ5NAB_ERHaSHgMpKBwAK584MdrqK_ABEZJ3AMrnst-4B9vGO2oMbfO1P3fqkqGzbM0rF6cp8tAxhhVnw-t_V8jdOajJ4R6Z7ogh-535AauCFAzq6APoiiwaf4bymiWbL4ik20U/s1600/dns+cewek+-+Copy.jpg
\
 

No comments:

Post a Comment

Popular Posts