Hiding the DNS server version

If you do not want others to be able to query the version of your BIND server,
change the version parameter in the options section of /etc/named.conf:


Example 1:
Set the version parameter to none:

options {
    // ... other options ...
    version none;
    // ... other options ...
};

# dig txt chaos version.bind @127.0.0.1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> txt chaos version.bind @127.0.0.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45154
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; AUTHORITY SECTION:
version.bind. 86400 CH SOA version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400
(this AUTHORITY SECTION is returned instead of an answer)

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 3 23:35:58 2013
;; MSG SIZE rcvd: 77

# nslookup -q=txt -class=chaos version.bind 127.0.0.1

Server: 127.0.0.1
Address: 127.0.0.1#53

*** Can't find version.bind: No answer


Example 2:
Set the version parameter to any text you like:

options {
    // ... other options ...
    version "This is my dns server";
    // ... other options ...
};

# dig txt chaos version.bind @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> txt chaos version.bind @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57936
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "This is my dns server"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN:
;; MSG SIZE rcvd: 78

# nslookup -q=txt -class=chaos version.bind 127.0.0.1

Server: 127.0.0.1
Address: 127.0.0.1#53

version.bind text = "This is my dns server"


Example 3:
A view in named.conf can also be used to refuse all queries in the CHAOS class:

view "No_chaos" chaos {
    match-clients { any; };
    allow-query { none; };
    zone "." {
        type hint;
        file "/dev/null";
    };
};

When using views, remember that every other zone must also be placed inside a view, otherwise named will fail to start:
view "others" IN {
    match-clients { any; };
    // ... other options ...
    zone "other zone" {
        // ... zone options ...
    };
};

# dig txt chaos version.bind @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> txt chaos version.bind @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48203
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN:
;; MSG SIZE rcvd: 30
(no answer of any kind is returned)

# nslookup -q=txt -class=chaos version.bind 127.0.0.1

Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find version.bind: SERVFAIL
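To check a server you operate without relying on dig or nslookup, the following added example (not part of the original post) builds the same version.bind CH TXT query and classifies the reply into the three outcomes shown above: version text disclosed, hidden (no answer), or SERVFAIL. The three sample replies at the bottom are constructed to mirror the dig outputs in the post; the probe() helper and its name are assumptions for illustration.

```python
import socket
import struct
QUESTION = b"\x07version\x04bind\x00" + struct.pack(">HH", 16, 3)  # version.bind TXT CH

def build_version_query(txid=0x1234):
    """DNS header (RD set, one question) followed by the version.bind CH TXT question."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QUESTION

def _skip_name(msg, off):  # advance past a (possibly compressed) owner name
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer
            return off + 2
        off += 1 + length

def classify_version_response(msg):
    """('disclosed', text) if a CH TXT answer is present, ('servfail', None) or ('hidden', None)."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0xF == 2:
        return ("servfail", None)  # example 3: chaos view with allow-query none
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 16 and rclass == 3:
            txt, p = [], 0  # TXT rdata is a sequence of <len><chars> strings
            while p < len(rdata):
                txt.append(rdata[p + 1:p + 1 + rdata[p]].decode("latin-1"))
                p += 1 + rdata[p]
            return ("disclosed", "".join(txt))
    return ("hidden", None)  # example 1: no answer, only an SOA in the authority section

def probe(server, port=53, timeout=2.0):  # hypothetical helper: run against a server you operate
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (server, port))
        return classify_version_response(sock.recvfrom(512)[0])

# Constructed replies mirroring the three dig outputs in the post (not real captures)
def _reply(flags, body=b"", an=0, ns=0):
    return struct.pack(">HHHHHH", 0x1234, flags, 1, an, ns, 0) + QUESTION + body
TXT = b"\x15This is my dns server"
REPLY_DISCLOSED = _reply(0x8500, b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, len(TXT)) + TXT, an=1)
REPLY_HIDDEN = _reply(0x8500, b"\xc0\x0c" + struct.pack(">HHIH", 6, 3, 86400, 0), ns=1)  # SOA, rdata omitted
REPLY_SERVFAIL = _reply(0x8182)  # flags qr rd ra, rcode 2
```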