What version of bind are you running?
If you are running a name server, chances are it’s bind (Berkeley
Internet Name Domain) which implements the Domain Name System (DNS) protocols.
Normally, the executable is called named. For more information on bind,
see the bind home page at http://www.isc.org/products/BIND/.
I found this little gem whilst idling in undernet’s #freebsd IRC channel. It’s a quick way of finding out what version of bind you are running without having to restart bind.
$ nslookup -q=txt -class=CHAOS version.bind. 0
Server:  ducky.nz.freebsd.org
Address:  0.0.0.0

VERSION.BIND    text = "8.2.2-P5"
Other bind gems (added on 4 April 2000)
Dan Harnett wrote in with this information. Thanks for sharing.
dig
can also be used to determine the version of bind.
$ dig @ducky.nz.freebsd.org version.bind chaos txt

; <<>> DiG 8.2 <<>> @ducky.nz.freebsd.org version.bind chaos txt
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P5"

;; Total query time: 325 msec
;; FROM: mail.wzrd.com to SERVER: ducky.nz.freebsd.org  203.79.82.27
;; WHEN: Mon Apr 3 09:25:51 2000
;; MSG SIZE  sent: 30  rcvd: 63
Also, with recent versions of bind, the following is possible:
$ named -v
named 8.2.2-P5-NOESW Mon Jan 24 13:43:58 EST 2000
        danh@noc.wzrd.com:/usr/obj/usr/src/usr.sbin/named
[Ed. note: sometimes named is not in the path, such as on my box, and you have to
specify /usr/local/sbin/named.]
If you wish to hide what version is given in reply, just edit /usr/src/contrib/bind/Version
and recompile from /usr/src/usr.sbin/named. Here is an example of what
you can do:
$ dig @ns.wzrd.com version.bind chaos txt

; <<>> DiG 8.2 <<>> @ns.wzrd.com version.bind chaos txt
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "Wizard Communication Systems"

;; Total query time: 1 msec
;; FROM: mail.wzrd.com to SERVER: ns.wzrd.com  206.99.165.2
;; WHEN: Mon Apr 3 09:26:21 2000
;; MSG SIZE  sent: 30  rcvd: 83
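As an added example (not from the original page or from the contributors quoted above), here is the same version.bind CHAOS TXT query that nslookup and dig send, built at the wire level in Python with a parser for the reply, so you can audit what your own named discloses. The reply bytes used for the offline checks are constructed here to mirror the answers shown above: the 30-byte query and the 63- and 83-byte replies match the MSG SIZE lines in the dig output. The query_server function and the classify heuristic are my own, not part of BIND.

```python
"""Wire-level version.bind CHAOS TXT query and reply parser.

Added example, not from the original page.  Builds the query that
"nslookup -q=txt -class=CHAOS version.bind." and "dig version.bind chaos txt"
send, and decodes the reply so you can audit what your own named discloses.
The replies used offline are constructed here, not captured from a server.
"""
import socket
import struct
import sys
from typing import Optional

QTYPE_TXT = 16      # RR type TXT
QCLASS_CHAOS = 3    # class CH, the class BIND serves version.bind in
RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode 'version.bind.' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """Header (QR=0, RD=1, QDCOUNT=1) + one question: version.bind CH TXT.
    Totals 30 bytes, the 'MSG SIZE sent: 30' that dig reports on the page."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("version.bind.") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:                 # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends it
            return off + 2
        off += 1 + length


def parse_version_reply(msg: bytes) -> dict:
    """Extract the RCODE and every CH TXT string in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # step over the echoed question(s)
        off = skip_name(msg, off) + 4
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):       # TXT rdata is a run of <len><chars>
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "txt": texts}


def classify(reply: dict) -> str:
    """Heuristic (my own): a dotted, digit-bearing string looks like a real
    version; anything else is an operator-chosen string; no answer means the
    server hides it (REFUSED from an ACL, NXDOMAIN, or an empty answer)."""
    if reply["rcode"] != "NOERROR" or not reply["txt"]:
        return "hidden"
    text = reply["txt"][0]
    if "." in text and any(c.isdigit() for c in text):
        return "version disclosed: " + text
    return "custom string: " + text


def build_reply(query: bytes, txt: Optional[str], rcode: int = 0,
                compress: bool = False) -> bytes:
    """Constructed reply for offline checks.  With compress=False the answer
    name is spelled out as BIND 8 did, giving the 63/83-byte sizes on the page."""
    flags = 0x8580 | rcode              # QR, AA, RD, RA set, plus the rcode
    msg = query[:2] + struct.pack("!HHHHH", flags, 1, 0 if txt is None else 1, 0, 0)
    msg += query[12:]                   # echo the question section
    if txt is not None:
        rdata = bytes([len(txt)]) + txt.encode("ascii")
        name = b"\xc0\x0c" if compress else encode_name("version.bind.")
        msg += name + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return msg


def query_server(server: str, timeout: float = 3.0) -> dict:
    """Send the real query over UDP/53 to a server you run and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_reply(data)


if __name__ == "__main__":
    print(classify(query_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")))
```

Run it against your own server (python3 versionbind.py 127.0.0.1) after changing the Version file, the version option, or the CHAOS ACL, and the result should move from "version disclosed" to "custom string" or "hidden"; REFUSED is what a client outside the ACL sees.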
Tell bind what version it is (added on 6 April 2000)
Renato Murilo Langona wrote in to mention this very nice solution:
Another way to hide your BIND version is putting the:
    version "anything";
in the options section of your named.conf. Better than recompiling it.
options {
    directory "/var/named";
    version "[Secured]";
};
Restrict access to the version command (added on 6 April 2000)
Henk Wevers wrote about using an ACL to control who can get the version:
You can also do this in /etc/named.conf:
acl "trusted" { 127.0.0/8; };

zone "bind" chaos {
    type master;
    file "/var/named/bind";
    allow-query { trusted; };
    allow-transfer { none; };
};
Then create this file in /var/named/bind:
$TTL 1D
$ORIGIN bind.
@       1D      CHAOS   SOA     localhost. root.localhost. (
                                1       ; serial
                                3H      ; refresh
                                1H      ; retry
                                1W      ; expire
                                1D )    ; minimum
        CHAOS   NS      localhost.
This will disallow any query on version except from local host.
Listing the zone files (added on 20 May 2000)
Alex Root wrote in to say this:
I don't know if this has anything to do with "bind" itself, but when you type
nslookup then type: ls -d domain.com it will show you the zone file for that domain.
I’m not sure but I ‘think’ this only works if the domain is hosted on your
nameserver. If it’s not, you can type: server ns.of-domain.com then ls -d
domain.com and it should show you the zone files. Try it out.
I prefer the dig @dns.server domain.com axfr for domain listing.
Yes, I prefer dig as well. Either way will work only if the nameserver you query allows transfers. This is controlled in BIND 8 & 9 with the allow-query { a.b.c.d; …; }; option block.
The ls -d zone file listing is only allowed if zone transfers are allowed. To further restrict this type of information leaking out, TCP port 53 can be filtered from all but trusted DNS secondaries. ls -d’s run against a domain will result in a server timeout, confounding anyone attempting to get a full listing of all the machines in your network. Leaving UDP 53 open will still allow individual queries for hostname resolution.
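The ACL on the CHAOS zone and the TCP/53 filter above are the mitigations for the two leaks this page covers, version disclosure and zone listing; the zone statement in Henk Wevers' configuration shows the two controls side by side (allow-query for lookups, allow-transfer for AXFR). The added example below (mine, not from the page or from BIND) is the matching check on the server side: it reads a BIND query log and reports which addresses are probing CH-class names or asking for zone transfers, so you can see whether anyone is still trying after the restrictions are in place. The sample lines are constructed in the style of BIND 9 query logging; that format is an assumption, and BIND 8 logs differently, so adjust QUERY_RE for your named.

```python
"""Audit a BIND query log for version probes and zone-transfer attempts.

Added example, not from the original page.  The sample lines are constructed
in the style of BIND 9 query logging (an assumption about the exact format;
BIND 8 logs differ, so adjust QUERY_RE for your named).  Probing CH-class
names and requesting AXFR/IXFR are exactly what the CHAOS-zone ACL and the
TCP/53 filter discussed above are meant to stop; this shows who still tries.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: 192.0.2.10 fingerprints the server and tries an
# AXFR; 198.51.100.4 plays the trusted secondary; the rest is normal traffic.
SAMPLE_LOG = """\
client 192.0.2.10#54321: query: version.bind CH TXT +
client 127.0.0.1#40000: query: version.bind CH TXT +
client 192.0.2.10#54322: query: example.com IN AXFR -T
client 203.0.113.7#53001: query: www.example.com IN A +
client 192.0.2.10#54323: query: authors.bind CH TXT +
client 198.51.100.4#3313: query: example.com IN AXFR -T
"""

# Tolerates the optional "(name)" that newer BIND 9 releases insert after
# the port, and ignores anything after the query type.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one query-log line into ip, name, class and type, or None."""
    m = QUERY_RE.search(line)
    return m.groupdict() if m else None


def is_fingerprint(rec: Dict[str, str]) -> bool:
    """Any CH-class lookup (version.bind, authors.bind, ...) is a probe."""
    return rec["class"].upper() == "CH"


def is_transfer(rec: Dict[str, str]) -> bool:
    """AXFR/IXFR from anyone but a secondary is a zone-listing attempt."""
    return rec["type"].upper() in ("AXFR", "IXFR")


def audit(log_text: str, trusted: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, kind, name) for each suspicious query from an untrusted IP."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ip"] in trusted:
            continue
        if is_fingerprint(rec):
            findings.append((rec["ip"], "version probe", rec["name"]))
        elif is_transfer(rec):
            findings.append((rec["ip"], "zone transfer attempt", rec["name"]))
    return findings


def offenders(findings: List[Tuple[str, str, str]]) -> Counter:
    """Count findings per source address, worst offenders first."""
    return Counter(ip for ip, _, _ in findings)


if __name__ == "__main__":
    for ip, kind, name in audit(SAMPLE_LOG, {"127.0.0.1", "198.51.100.4"}):
        print(f"{ip:16} {kind:24} {name}")
```

Feed it the real log (querylog must be on in named.conf) and put your secondaries and loopback in the trusted set; a steady stream of "zone transfer attempt" lines from one address is the signal that the TCP/53 filter is worth adding, and "version probe" lines confirm the CHAOS ACL is being exercised.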