

MS DNS Server - Remove response to CHAOS bind.version query

Posted on 2011-10-05
Medium Priority
Last Modified: 2012-06-27

I have been using domain tools provided by dnsstuff.com and upon running checks on my domain, came across this:

Nameserver software version
Issues a warning if the nameservers respond to the CHAOS bind.version query.

One or more nameservers responded to version queries. This can be considered a breach of security. If a malicious person or program had access to a version-specific exploit for your DNS server, displaying the version info openly will make their attack much easier. This should be removed or obscured. The nameservers that responded to version queries are:

xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"
xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"

Any thoughts on how to prevent my MS DNS servers from giving this information? This warning seems to sound valid.
Question by:Robin_Ottawa
LVL 20
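To make the check concrete, here is an added example (my own code, not from the page, dnsstuff or any Microsoft tool) that hand-builds the CHAOS-class TXT query for version.bind that such scanners send and parses whatever comes back; function names are my own, and the sample replies are constructed to match the leaky answer quoted in the question and a server that refuses the query.

```python
import socket
import struct
# Added example (not from the page): CHAOS-class TXT probe for version.bind plus a reply parser.
QCLASS_CHAOS = 3     # class 3 = CHAOS; the version.bind convention lives there
QTYPE_TXT = 16

def build_version_query(txn_id=0x1234, name="version.bind"):
    """Wire-format query: RD set, one question, TXT record in class CHAOS."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)

def skip_name(data, off):
    """Offset just past a name at `off`."""
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def extract_version(resp):
    """Text of the first CHAOS TXT answer, or None if the server withheld it."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = skip_name(resp, off) + 4
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            return resp[off + 1:off + 1 + resp[off]].decode("ascii", "replace")
        off += rdlen
    return None

def audit_server(host, timeout=2.0):
    """Probe one of your own servers on UDP/53 (not exercised here); leaked version or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, 53))
        return extract_version(s.recv(512))

def sample_response(version=b"Microsoft DNS 6.1.7601 (1DB1446A)"):
    """Constructed reply like the page's leaky answer; version=None gives a REFUSED reply."""
    answer = b""
    if version is not None:
        rdata = bytes([len(version)]) + version
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 if answer else 0x8185, 1, 1 if answer else 0, 0, 0)
    return header + build_version_query()[12:] + answer
```

Running `audit_server` against each of your own nameservers after a configuration change is a quick way to confirm whether the version string is still being returned.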

Accepted Solution

thehagman earned 1000 total points
ID: 36936286
I cannot find an option to achieve this goal, so the following hints may not satisfy you:

Searching support.microsoft.com only reveals information on how to *query* the version - I assume you searched there before anyway - so it might not be possible at all (at least not with all versions).
On the other hand I just checked with a few Windows 2003 DNS servers and did not get a reply to the version query.

There is no such thing as security by obscurity. If it were possible to disguise your MS DNS server as a different version, attackers won't trust its answer anyway and simply try all possible exploits. (Since modern bind versions can disguise and probably most public DNS servers are binds, relying on the version reply is not advisable for an attacker at all.)
If you are afraid of MS DNS being vulnerable, you should not expose it to the internet at all.

LVL 21

Expert Comment

ID: 36936297
I have been monitoring this hoping for a solid answer, as I came to the same conclusion that thehagman did, but wasn't sure if I had all the answers as I run BIND and not MS DNS so could not test.

Author Closing Comment

ID: 36951769
Thanks guys, will look into whether to stay with Windows DNS or move to BIND...
