More on bind versions

What version of bind are you running?

If you are running a name server, chances are it’s bind (Berkeley
Internet Name Domain) which implements the Domain Name System (DNS) protocols.  
Normally, the executable is called named.  For more information on bind,
see the bind home page at http://www.isc.org/products/BIND/.

I found this little gem whilst idling in undernet’s #freebsd IRC channel.  It’s a quick
way of finding out what version of bind you are running without having to restart
bind.

$ nslookup -q=txt -class=CHAOS version.bind. 0
Server: ducky.nz.freebsd.org
Address: 0.0.0.0 
VERSION.BIND text = "8.2.2-P5"

Other bind gems (added on 4 April 2000)

Dan Harnett wrote in with this information.  Thanks for sharing.

dig can also be used to determine the version of bind.

$ dig @ducky.nz.freebsd.org version.bind chaos txt

; <<>> DiG 8.2 <<>> @ducky.nz.freebsd.org version.bind chaos txt 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
                                                   ADDITIONAL: 0
;; QUERY SECTION:
;; version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "8.2.2-P5"

;; Total query time: 325 msec
;; FROM: mail.wzrd.com to SERVER: ducky.nz.freebsd.org 
                                                   203.79.82.27
;; WHEN: Mon Apr 3 09:25:51 2000
;; MSG SIZE sent: 30 rcvd: 63

Also, with recent versions of bind, the following is possible:

$ named -v
named 8.2.2-P5-NOESW Mon Jan 24 13:43:58 EST 2000
        danh@noc.wzrd.com:/usr/obj/usr/src/usr.sbin/named    

[Ed. note: sometimes named is not in the path, such as on my box, and you have to
specify /usr/local/sbin/named.]

If you wish to hide what version is given in reply, just edit /usr/src/contrib/bind/Version
and recompile from /usr/src/usr.sbin/named.  Here is an example of what
you can do:

$ dig @ns.wzrd.com version.bind chaos txt

; <<>> DiG 8.2 <<>> @ns.wzrd.com version.bind chaos txt 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, 
                                                  ADDITIONAL: 0
;; QUERY SECTION:
;; version.bind, type = TXT, class = CHAOS

;; ANSWER SECTION:
VERSION.BIND. 0S CHAOS TXT "Wizard Communication Systems"

;; Total query time: 1 msec
;; FROM: mail.wzrd.com to SERVER: ns.wzrd.com 206.99.165.2
;; WHEN: Mon Apr 3 09:26:21 2000
;; MSG SIZE sent: 30 rcvd: 83    

Tell bind what version it is (added on 6 April 2000)

Renato Murilo Langona wrote in to mention this very nice solution:

Another way to hide your BIND version is putting the:

version "anything";

in the options section of your named.conf.  Better than recompiling it.

options {
        directory "/var/named";
        version "[Secured]";
};

Restrict access to the version command (added on 6 April 2000)

Henk Wevers wrote about using an ACL to control who can get the version:

You can also do this in /etc/named.conf:

acl "trusted" { 127.0.0/8; };

zone "bind" chaos {
        type master;
        file "/var/named/bind";
        allow-query { trusted; };
        allow-transfer { none; };
};

Then create this file in /var/named/bind:

$TTL 1D
$ORIGIN bind.
@	1D  CHAOS SOA	localhost. 	root.localhost. (
			1	; serial
			3H	; refresh
			1H	; retry
			1W	; expire
			1D  )	; minimum
	CHAOS  NS	localhost.

This will disallow any query on version except from local host.
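
To check from a script that one of the changes above took effect, the same version.bind query can be built and its reply decoded. The Python below is an added example, not part of the original article or of any contributor's text. The discloses_version heuristic is an assumption of this example, and sample_reply builds constructed replies whose sizes match the 30, 63 and 83 byte messages in the dig output above.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(name="version.bind", qid=6):
    """Encode a recursion-desired query for <name> TXT in class CHAOS."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)  # flags: rd; 1 question
    return header + qname + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a domain name, compressed or not."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]              # step over one <length><label>
    return off + (2 if msg[off] else 1)  # 2-byte pointer or 1-byte root label

def parse_version(msg):
    """Return (rcode, text or None) from a reply to build_query()."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH):
            rdata, text, i = msg[off:off + rdlen], b"", 0
            while i < len(rdata):  # RDATA is a run of <length><bytes> strings
                text += rdata[i + 1:i + 1 + rdata[i]]
                i += 1 + rdata[i]
            return flags & 0xF, text.decode("ascii", "replace")
        off += rdlen
    return flags & 0xF, None

def discloses_version(text):
    """Heuristic (an assumption of this example): digits.digits looks like a real version."""
    return bool(text and re.match(r"\d+\.\d+", text))

def sample_reply(text=None, rcode=0):
    """Constructed reply (not captured traffic): flags qr aa rd ra, TTL 0."""
    q = build_query()
    msg = struct.pack("!6H", 6, 0x8580 | rcode, 1, 1 if text else 0, 0, 0) + q[12:]
    if text:
        rd = bytes([len(text)]) + text.encode()
        msg += q[12:-4] + struct.pack("!2HIH", TYPE_TXT, CLASS_CH, 0, len(rd)) + rd
    return msg
```

Against your own server, send build_query() over UDP to port 53 and pass the reply to parse_version(). A REFUSED rcode (5) or a string that fails discloses_version() means this query no longer returns the real version.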

Listing the zone files (added on 20 May 2000)

Alex Root wrote in to say this:

I don’t know if this has anything to do with "bind" itself, but when you type
nslookup then type: ls -d domain.com it will show you the zone file for that domain.
I’m not sure but I ‘think’ this only works if the domain is hosted on your
nameserver.  If it’s not, you can type: server ns.of-domain.com then ls -d
domain.com and it should show you the zone files.  Try it out.
