BIND Versions
Last updated: Tue, 09 Aug 2005 12:01:00 GMT
Hide!
People hide BIND versions. It's commonly held as Good Practice, because naughty people might write scripts that use knowledge of your named's version against you. I say that people say it's Good Practice, but I've heard a few people pooh-pooh that one. In fact, I think every time I've met Jim Reid he's gone off on a rant about it. That and Dan Bernstein versus the Zionist BIND Conspiracy.
I think it's probably unfair to characterise Jim, or anyone, as "a guy ranting about Dan Bernstein," but, nonetheless, Jim does like a rant. So do I.
Anyway, I've always hidden my BIND version by running my own CHAOS root. It's a simple hack, and the way I've got my BIND config laid out, and rolled out from CVS, it costs me nothing. The counter-argument is that the people who write these scripts aren't really bothered about versions, they just brute-force it and throw everything they've got. And if someone did want to know what version you were running, there are other ways to fingerprint your nameserver. Still, if it stops just one retard, I'm a happy man.
But right now I'm in the process of simplifying my BIND setup, rolling the complex knot of split-view servers and real and virtual IP addresses -- for the LVS load balancing, don't you know -- out onto separate boxes. I believe in simplicity. Other people need to be able to sit down and start hacking at my stuff right away. Also, I'm thinking of adopting DNSSEC and IPv6 properly, and I just don't want the pain of working that into the topology I've got right now. For someone who likes simplicity, my current DNS setup's pretty complex.
So, I don't want to be running views, and the way I've got my own CHAOS root configured means running views. Sod that.
I'd done everything else I needed to today, and got two test servers up and running with the new layout, and was really just sitting around, twiddling my thumb and stump, waiting for someone to come back to me and tell me I'd given them a DNS problem. So I thought I'd look for another way to hide my version string. Something l33t. Something that wouldn't hide hostname.bind, but would hide authors.bind and version.bind. This is what I came up with:
--- bind-9.3.1/bin/named/builtin.c 2004-03-08 04:04:18.000000000 +0000
+++ bind-9.3.1_local/bin/named/builtin.c 2005-08-10 17:09:34.823009000 +0100
@@ -89,13 +89,14 @@
static isc_result_t
do_version_lookup(dns_sdblookup_t *lookup) {
+ char euidversion[] = "YORK Wed Aug 10 17:04:05 BST 2005";
if (ns_g_server->version_set) {
if (ns_g_server->version == NULL)
return (ISC_R_SUCCESS);
else
return (put_txt(lookup, ns_g_server->version));
} else {
- return (put_txt(lookup, ns_g_version));
+ return (put_txt(lookup, euidversion));
}
}
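Review bot: the `+ char euidversion[] = "YORK Wed Aug 10 17:04:05 BST 2005";` line duplicates what the `version_set` branch directly below it already provides through configuration, so this patch must be re-ported onto every BIND release for a result the `version` option gives without touching source; if it stays, make it `static const char`, since `put_txt` only reads it, and name it for what it holds, because `euidversion` describes neither its contents nor its purpose. Note also that only the fallback `return` changes: `ns_g_version` itself is untouched and still compiled into the binary, so this alters the CHAOS answer and nothing else.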
@@ -120,18 +121,12 @@
isc_result_t result;
const char **p;
static const char *authors[] = {
- "Mark Andrews",
- "James Brister",
- "Ben Cottrell",
- "Michael Graff",
- "Andreas Gustafsson",
- "Bob Halley",
- "David Lawrence",
- "Danny Mayer",
- "Damien Neil",
- "Matt Nelson",
- "Michael Sawyer",
- "Brian Wellington",
+ "Scooby Dooby Doo, Where Are You? We got some work to do now!",
+ "Scooby Dooby Doo, Where Are You? We need some help from you now.",
+ "Come on Scooby Doo, I see you, pretending you got a sliver.",
+ "But you're not fooling me, cause I can see, the way you shake and shiver.",
+ "Scooby Dooby Doo, here are you, you're ready and you're willin'.",
+ "If we can count on you, Scooby Doo, I know we'll catch that villian.",
NULL
};
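Review bot: each entry on the `+` lines becomes a single TXT character-string, whose one-byte length prefix caps it at 255 octets; the longest entry here is well under that, but a comment stating the limit would save the next editor from adding a lyric longer than one TXT string can carry. The same maintenance cost as the first hunk applies: this list is a compiled-in default, so every upgrade means re-applying the patch, and putting off an upgrade to keep the joke would leak far more than a banner ever does.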
Yes, I could have just used the version option in my config file, but this solution is way more ghey. Check it out:
; <<>> DiG 9.3.1 <<>> @192.168.0.1 CH version.bind TXT
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 67
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind. CH TXT

;; ANSWER SECTION:
version.bind. 0 CH TXT "YORK Wed Aug 10 17:04:05 BST 2005"

;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.

;; Query time: 8 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Aug 10 17:47:41 2005
;; MSG SIZE rcvd: 90
And:
; <<>> DiG 9.3.1 <<>> @192.168.0.1 CH authors.bind TXT
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 306
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;authors.bind. CH TXT

;; ANSWER SECTION:
authors.bind. 0 CH TXT "Scooby Dooby Doo, Where Are You? We got some work to do now!"
authors.bind. 0 CH TXT "Scooby Dooby Doo, Where Are You? We need some help from you now."
authors.bind. 0 CH TXT "Come on Scooby Doo, I see you, pretending you got a sliver."
authors.bind. 0 CH TXT "But you're not fooling me, cause I can see, the way you shake and shiver."
authors.bind. 0 CH TXT "Scooby Dooby Doo, here are you, you're ready and you're willin'."
authors.bind. 0 CH TXT "If we can count on you, Scooby Doo, I know we'll catch that villian."

;; AUTHORITY SECTION:
authors.bind. 0 CH NS authors.bind.

;; Query time: 7 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed Aug 10 17:51:31 2005
;; MSG SIZE rcvd: 510
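As an added example, not from the original post, here is the CHAOS-class TXT exchange the two dig runs above show, built and decoded in Python: the reply bytes are constructed to mirror the page's output (the 90- and 510-byte message sizes fall straight out of the wire format, compression pointers included), and a small audit check flags a version.bind answer that still looks like a real version. The function names and the audit regex are my own.

```python
import re
import struct

CLASS_CH, TYPE_TXT, TYPE_NS = 3, 16, 2  # CHAOS class; TXT and NS RR types
PTR_QNAME = b"\xc0\x0c"                 # compression pointer to the qname at offset 12

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus the root byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_chaos_txt_reply(qname, texts, qid=67):
    """Constructed reply shaped like the page's dig output: qr aa rd, NOERROR, one CH TXT
    RR per string, plus the self-referential CH NS that named puts in AUTHORITY."""
    header = struct.pack(">HHHHHH", qid, 0x8500, 1, len(texts), 1, 0)
    question = encode_name(qname) + struct.pack(">HH", TYPE_TXT, CLASS_CH)
    answers = b""
    for t in texts:
        rdata = bytes([len(t)]) + t.encode()  # TXT rdata: <len><chars>, max 255 per string
        answers += PTR_QNAME + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    authority = PTR_QNAME + struct.pack(">HHIH", TYPE_NS, CLASS_CH, 0, 2) + PTR_QNAME
    return header + question + answers + authority

def read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after the name)."""
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:     # pointer: note where we resume, then follow it
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode())
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def parse_chaos_txt(msg):
    """Return the TXT character-strings from the ANSWER section of a one-question CH reply."""
    ancount = struct.unpack(">H", msg[6:8])[0]
    off, texts = read_name(msg, 12)[1] + 4, []   # step over the question (name + type + class)
    for _ in range(ancount):
        off = read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off, i = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == TYPE_TXT and rclass == CLASS_CH and i < len(rdata):
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode())  # each <len><chars> string
            i += 1 + rdata[i]
    return texts

def leaks_version(texts):
    """Audit check: does any returned string look like a dotted software version?"""
    return any(re.search(r"\b\d+\.\d+(\.\d+)?\b", t) for t in texts)
```

Point `parse_chaos_txt` at the raw UDP payload from your own server's version.bind answer and `leaks_version` tells you whether the banner is still doing the scanners' work for them.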
Heh. Ph33r mUH sk177z, d00dz.