BIND9, ISS and AUTHORS.BIND
Bischof, Ralph
2006-02-07 15:25:31 UTC
Hello,

I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.

Vulnerability Details:
M BindHostnameDisclosure: BIND hostname disclosure BIND (the Berkeley
Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
versions 9.0 and later could allow a remote attacker to obtain sensitive
information. By sending specially-crafted DNS query for the record
AUTHORS.BIND a remote attacker may learn the BIND software version and
the hostname of the DNS server. This information could be helpful in
launching further attacks.
Remedy:
No remedy available as of January 2005.

I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...

options {
version "unknown";
};

I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.

Thank you,
--
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
Bill Larson
2006-02-07 17:12:03 UTC
Post by Bischof, Ralph
Hello,
I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.
M BindHostnameDisclosure: BIND hostname disclosure BIND (the Berkeley
Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
versions 9.0 and later could allow a remote attacker to obtain sensitive
information. By sending specially-crafted DNS query for the record
AUTHORS.BIND a remote attacker may learn the BIND software version and
the hostname of the DNS server. This information could be helpful in
launching further attacks.
No remedy available as of January 2005.
Well, you can always create a "bind" zone of type CH and populate this
with information that will satisfy the ISS scanner. A very good
example of this can be found in the "Secure BIND Template" at
http://www.cymru.com/Documents/secure-bind-template.html. This can
hide both the "version.bind" and "authors.bind" information.
Post by Bischof, Ralph
I know I use the "version" named.conf statement with BIND8 to
hide the version. Would it also help to put this statement in with my
BIND9 build? Something like...
options {
version "unknown";
};
But this won't hide the "authors.bind" information and ISS was
complaining about "authors.bind" information too.
Post by Bischof, Ralph
I appreciate any help! If it's not possible to mitigate this
through the configuration, I am thinking that I can make a definitive
argument that I *already* advertise the hostname of the server to the
Internet public, therefore it's a non-issue.
Now, two points to make. Does hiding the version of BIND that is
running make any difference in the security of the system? I would say
no, if there are security problems with BIND then simply hiding the
version information will not make the security problems go away.
Second, there are other ways to determine the version of BIND that is
run besides looking at the "version.bind" information that the server
supplies. Even on a system that hides the "version.bind" information,
the type and version of DNS server software can be identified. This
includes non-BIND DNS servers such as Microsoft, UltraDNS, etc.

These are arguments that you must take up with your security people,
and don't expect to get them to change their opinion. My opinion is
that many (not all) computer security "professionals" simply follow a
set of check lists without understanding the underlying reasons why the
check lists were created.

Wouldn't it be interesting to run a BIND 4.x version that doesn't
provide any "version.bind" response? Would that be good enough to
convince the security "professionals" that your system was "secure"?
This would provide ISS with an appropriate response and so the
appropriate check mark could be put down on paper.

I would also like to know if anyone is aware of a security attack
against the BIND software that makes use of this version information.
All of the attacks that I am aware of were simply attacking name
servers irrespective of what "version.bind" information was provided.
I would love to hear that some attack could be thwarted simply by
advertising that "version.bind" returned "this version is good", or
something similar.

Bill Larson
Bischof, Ralph
2006-02-07 19:23:41 UTC
-----Original Message-----
Sent: Tuesday, February 07, 2006 11:12 AM
Well, you can always create a "bind" zone of type CH and
populate this with information that will satisfy the ISS
scanner. A very good example of this can be found in the
"Secure BIND Template" at
http://www.cymru.com/Documents/secure-bind-template.html.
This can hide both the "version.bind" and "authors.bind" information.
Sweet. Thank you.
Does hiding the version of BIND
that is running make any difference in the security of the
system?
...
My opinion is that many (not all) computer security
"professionals" simply follow a set of check lists without
understanding the underlying reasons why the check lists were created.
I believe you have crystal balled into my environment.

I appreciate your reply, Bill.

Thank you,
--
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
Andris Kalnozols
2006-02-07 20:16:21 UTC
Post by Bischof, Ralph
Post by Bill Larson
Well, you can always create a "bind" zone of type CH and
populate this with information that will satisfy the ISS
scanner. A very good example of this can be found in the
"Secure BIND Template" at
http://www.cymru.com/Documents/secure-bind-template.html.
This can hide both the "version.bind" and "authors.bind" information.
Sweet. Thank you.
Post by Bill Larson
Does hiding the version of BIND
that is running make any difference in the security of the
system?
...
Post by Bill Larson
My opinion is that many (not all) computer security
"professionals" simply follow a set of check lists without
understanding the underlying reasons why the check lists were created.
I believe you have crystal balled into my environment.
A disadvantage of the "Secure BIND Template" in this regard is that
the BIND version string is hardcoded and thus is subject to being
out of sync after an upgrade of the BIND software.

If you're content with the default values and simply want to limit
the information to internal queries, the following view will suffice
(thanks to Mark Andrews for the idea):

view "refuse_chaos" chaos {
    #
    # The BIND name server defines an internal view called "_bind"
    # in which data for the following special queries are coded
    # directly into the `named' program:
    #
    #   dig @localhost version.bind chaos txt +norec   # BIND version
    #   dig @localhost authors.bind chaos txt +norec   # BIND authors
    #
    # The site auditing policy requires that the BIND name server
    # daemon not reveal its version information to outside parties.
    # Since the internal "_bind" view is matched last, this view
    # ("refuse_chaos") will match external queries for any RRs in
    # the CHAOS class and return a status code of REFUSED.
    #
    match-clients { !authorized-nets; any; };
    recursion no;               # Do not create a view-specific cache.
    allow-query { none; };

    # min-roots 0;              # Not yet implemented by BIND 9.
    # Therefore:
    zone "." {                  # Since BIND wants every view to have a
        type hint;              # root hint zone, this declaration will
        file "/dev/null";       # stop a warning message in the syslog.
    };

}; # end view "refuse_chaos"

------
Andris
Paul Vixie
2006-02-07 19:26:17 UTC
Post by Bischof, Ralph
I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.
the ISS people are smoking the wrong drugs, in that case.
Post by Bischof, Ralph
M BindHostnameDisclosure: BIND hostname disclosure BIND (the Berkeley
Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
versions 9.0 and later could allow a remote attacker to obtain sensitive
information. By sending specially-crafted DNS query for the record
AUTHORS.BIND a remote attacker may learn the BIND software version and
the hostname of the DNS server. This information could be helpful in
launching further attacks.
No remedy available as of January 2005.
the remedy is for them to remove this test from their suite. fpdns will
tell anybody who wants to know, exactly what version of code you're running.
--
Paul Vixie
Bill Larson
2006-02-09 04:47:30 UTC
Post by Paul Vixie
Post by Bischof, Ralph
I have a 9.3.1 build of BIND running on a Red Hat Enterprise
Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
discover and mitigate any vulnerabilities on the system before I can
connect it to the network. When I ran a scan of my box, I found the
below Medium vulnerability that I need to do something about.
the ISS people are smoking the wrong drugs, in that case.
Or maybe the people that are saying that this computer cannot be
connected to the network.
Post by Paul Vixie
Post by Bischof, Ralph
M BindHostnameDisclosure: BIND hostname disclosure BIND (the Berkeley
Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
versions 9.0 and later could allow a remote attacker to obtain sensitive
information. By sending specially-crafted DNS query for the record
AUTHORS.BIND a remote attacker may learn the BIND software version and
the hostname of the DNS server. This information could be helpful in
launching further attacks.
No remedy available as of January 2005.
the remedy is for them to remove this test from their suite. fpdns will
tell anybody who wants to know, exactly what version of code you're running.
At
http://documents.iss.net/literature/InternetScanner/reports/
Line_Mgmt_Host_Vulnerability_Summary_Report.pdf, there is an example of
the report that the ISS scanner produces. In particular, the example
given identifies "BIND servers can be remotely queried for their
version", and the associated severity of this discovery is listed as
"low" (not medium). In fact, this same "low" severity is given to
using traceroute to map the network topology. This scan result also
identifies NFS services with a "low" severity (which I would have some
concerns about).

The implication that I am receiving is that even the ISS folks are
saying that this isn't a real problem, but simply a warning. I am
wondering if the original poster is talking with his security people to
understand what ISS is saying. ISS should be identifying all network
services that the system is providing, including DNS, and all network
services involve some risk. But, if you were to disable all network
services that allow any risk then you would no longer have a network
server.

Then again, maybe this person shouldn't be trying to provide any
network services, including DNS services. Remember that the original
poster is working for a US Government organization.

Bill Larson
Bischof, Ralph
2006-02-14 21:33:29 UTC
Hello Bill and all,
-----Original Message-----
Sent: Wednesday, February 08, 2006 10:48 PM
Subject: Re: BIND9, ISS and AUTHORS.BIND
At
http://documents.iss.net/literature/InternetScanner/reports/
Line_Mgmt_Host_Vulnerability_Summary_Report.pdf, there is an
example of the report that the ISS scanner produces. In
particular, the example given identifies "BIND servers can be
remotely queried for their version", and the associated
severity of this discovery is listed as "low" (not medium).
Actually, that is a different check than the one I originally posted.
You are correct, BindVrs is a low. BindHostnameDisclosure is a BIND9
check that is a Medium. See below...

Vulnerability Details:
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow
a remote attacker to obtain sensitive information. By sending
specially-crafted DNS query for the record AUTHORS.BIND a remote
attacker may learn the BIND software version and the hostname of the DNS
server. This information could be helpful in launching
further attacks.
Remedy:
No remedy available as of January 2005.

L bindvrs: BIND servers can be remotely queried for their version
numbers
BIND (Berkeley Internet Name Domain) servers support the ability to be
remotely queried for their version numbers. An attacker
could use this feature to query computers for vulnerable versions of
BIND. This information could be useful to an attacker in
performing an attack.
Remedy:
Disable the BIND version query feature. Refer to the BIND documentation
for information on this procedure.
Then again, maybe this person shouldn't be trying to provide
any network services, including DNS services. Remember that
the original poster is working for a US Government organization.
NASA has a public presence to the Internet community and the world.
Please see http://www.nasa.gov/

Thank you,
--
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
Mark Andrews
2006-02-14 22:49:41 UTC
Post by Bischof, Ralph
Hello Bill and all,
-----Original Message-----
Sent: Wednesday, February 08, 2006 10:48 PM
Subject: Re: BIND9, ISS and AUTHORS.BIND
At
http://documents.iss.net/literature/InternetScanner/reports/
Line_Mgmt_Host_Vulnerability_Summary_Report.pdf, there is an
example of the report that the ISS scanner produces. In
particular, the example given identifies "BIND servers can be
remotely queried for their version", and the associated
severity of this discovery is listed as "low" (not medium).
Actually, that is a different check than the one I originally posted.
You are correct, BindVrs is a low. BindHostnameDisclosure is a BIND9
check that is a Medium. See below...
M BindHostnameDisclosure: BIND hostname disclosure
BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
Unix systems. BIND versions 9.0 and later could allow
a remote attacker to obtain sensitive information. By sending
specially-crafted DNS query for the record AUTHORS.BIND a remote
attacker may learn the BIND software version and the hostname of the DNS
server. This information could be helpful in launching
further attacks.
No remedy available as of January 2005.
AUTHORS.BIND does not give the version or the hostname.
The report above is completely wrong.

As for HOSTNAME.BIND you can turn this off in named.conf.

As for VERSION.BIND you can turn this off in named.conf.

As for AUTHORS.BIND it is disabled if the version is set in
named.conf.
Post by Bischof, Ralph
L bindvrs: BIND servers can be remotely queried for their version
numbers
BIND (Berkeley Internet Name Domain) servers support the ability to be
remotely queried for their version numbers. An attacker
could use this feature to query computers for vulnerable versions of
BIND. This information could be useful to an attacker in
performing an attack.
Disable the BIND version query feature. Refer to the BIND documentation
for information on this procedure.
Then again, maybe this person shouldn't be trying to provide
any network services, including DNS services. Remember that
the original poster is working for a US Government organization.
NASA has a public presence to the Internet community and the world.
Please see http://www.nasa.gov/
Thank you,
--
Ralph F. Bischof, Jr.
Any opinion within this communication is not necessarily that of NASA.
PGP Key - http://pgpkeys.hq.nasa.gov
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
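An added example, not from any post in this thread, that lets an administrator check from the outside what Bill's CHAOS zone, Andris's "refuse_chaos" view, or Mark's named.conf settings actually produce on the wire. It builds the same `version.bind`/`hostname.bind`/`authors.bind` TXT CH query that a scanner or `dig ... chaos txt +norec` sends, parses the reply, and classifies it as "disclosed", "refused" or "no-data". The sample replies and the `AUTHOR-PLACEHOLDER` string are constructed for offline use and make no claim about the exact response code a given BIND version returns; `probe()` assumes UDP/53 reachability to a server you administer.

```python
import random
import socket
import struct

CLASS_CH = 3            # CHAOS class, where version.bind and friends live
TYPE_TXT = 16
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
PROBE_NAMES = ("version.bind", "hostname.bind", "authors.bind")


def build_query(name, qid):
    """<name> TXT CH with the RD bit clear, like `dig +norec`."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def _read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return {'id', 'rcode', 'txt'}; txt lists the strings of TXT CH answers."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    txt = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            p = 0
            while p < len(rdata):                   # TXT rdata is <len><chars>...
                txt.append(rdata[p + 1:p + 1 + rdata[p]].decode("ascii", "replace"))
                p += 1 + rdata[p]
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "txt": txt}


def classify(result):
    """Audit verdict for one probe."""
    if result["rcode"] == "REFUSED":
        return "refused"        # whole class refused, as with the refuse_chaos view
    if result["rcode"] == "NOERROR" and result["txt"]:
        return "disclosed"      # the server handed out TXT data
    return "no-data"            # NXDOMAIN or an empty answer


def build_response(query, rcode=0, txt=()):
    """Constructed reply to <query> (QR+AA set): echoes the question and adds one
    TXT CH record per string. Sample data for offline use, not BIND output."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8400 | (rcode & 0xF), 1, len(txt), 0, 0)
    answers = b""
    for s in txt:
        rdata = bytes([len(s)]) + s.encode("ascii")
        answers += (b"\xc0\x0c"                     # pointer back to the question name
                    + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata)
    return header + query[12:] + answers


def audit_scenarios():
    """Three constructed outcomes for authors.bind (placeholder strings)."""
    q = build_query("authors.bind", 0x1234)
    return {
        "default": classify(parse_response(build_response(q, 0, ("AUTHOR-PLACEHOLDER",)))),
        "version_set": classify(parse_response(build_response(q, 3))),   # record not served
        "refuse_chaos": classify(parse_response(build_response(q, 5))),  # view answers REFUSED
    }


def probe(server, name, timeout=2.0):
    """Live check of your own server over UDP/53; not used by the offline scenarios."""
    qid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data = s.recv(4096)
    result = parse_response(data)
    if result["id"] != qid:
        raise ValueError("response ID does not match query")
    return result
```

To audit a server after changing named.conf, run `classify(probe(server, n))` for each name in `PROBE_NAMES` once from an address the configuration treats as external and once from an internal one; a correct split configuration shows "disclosed" only from the inside.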