MS DNS Server - Remove response to CHAOS bind.version query

Posted on 2011-10-05
Last Modified: 2012-06-27

I have been using domain tools provided by and, upon running checks on my domain, came across this:

Nameserver software version
Issues a warning if the nameservers respond to the CHAOS bind.version query.

One or more nameservers responded to version queries. This can be considered a breach of security. If a malicious person or program had access to a version-specific exploit for your DNS server, displaying the version info openly will make their attack much easier. This should be removed or obscured. The nameservers that responded to version queries are:

xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"
xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"

Any thoughts on how to prevent my MS DNS servers from giving this information? This warning seems to sound valid.
Question by: Robin_Ottawa

    Accepted Solution

    I cannot find an option to achieve this goal, so the following hints may not satisfy you:

    Searching only reveals information on how to *query* the version - I assume you searched there before anyway - so it might not be possible at all (at least not with all versions).
    On the other hand I just checked with a few Windows 2003 DNS servers and did not get a reply to the version query.

    There is no such thing as security by obscurity. If it were possible to disguise your MS DNS server as a different version, attackers would not trust its answer anyway and would simply try all possible exploits. (Since modern BIND versions can disguise their version and probably most public DNS servers are BIND, relying on the version reply is not advisable for an attacker at all.)
    If you are afraid of MS DNS being vulnerable, you should not expose it to the internet at all.
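    The check that the tool in the question runs, reproduced as an added example (this is the editor's code, not something posted in the thread or shipped by Microsoft): it builds a raw DNS query for version.bind with class CHAOS and type TXT, sends it over UDP, and parses whatever TXT strings come back. The embedded sample response is constructed by hand to look like the "Microsoft DNS 6.1.7601 (1DB1446A)" reply quoted above, so the parser can be exercised offline; the server address, port and timeout are the only parameters you supply.

```python
"""Probe a nameserver for the CHAOS-class TXT record version.bind (the
"bind.version" check in the question) and parse the answer.

Added example, not part of the original thread.  Assumptions: the tool in
the question sends a query for version.bind with class CH (3) and type
TXT (16); the sample response below is constructed by hand to mimic the
"Microsoft DNS 6.1.7601 (1DB1446A)" reply quoted in the question.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def build_query(name="version.bind", txid=0x1234):
    """Build a raw DNS query: 12-byte header plus one question (name, TXT, CH)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(data, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then stop
            return pos + 2
        pos += 1 + length


def parse_txt_answers(data):
    """Return the TXT strings found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(data, pos) + 4        # skip QTYPE and QCLASS
    results = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == QTYPE_TXT:
            i = 0                               # RDATA is a run of <len><bytes> strings
            while i < len(rdata):
                slen = rdata[i]
                results.append(rdata[i + 1:i + 1 + slen].decode("latin-1"))
                i += 1 + slen
    return results


def probe(server, port=53, timeout=3.0):
    """Send the query over UDP; return TXT strings, or [] on timeout, ID mismatch or non-zero RCODE."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _addr = sock.recvfrom(512)
        except socket.timeout:
            return []
    if data[:2] != query[:2]:                   # transaction ID must match our query
        return []
    if data[3] & 0x0F != 0:                     # RCODE: REFUSED, NXDOMAIN, SERVFAIL ...
        return []
    return parse_txt_answers(data)


def sample_response():
    """Constructed response (not captured traffic): one CH TXT answer carrying the version string."""
    txt = b"Microsoft DNS 6.1.7601 (1DB1446A)"
    rdata = bytes([len(txt)]) + txt
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; ANCOUNT=1
    question = build_query()[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]) or "no version returned")
    else:
        print(parse_txt_answers(sample_response()))
```

    Run it with a server address to probe a live nameserver, or with no arguments to see the constructed sample parsed. An empty list means the server timed out, answered with a non-zero RCODE (for example REFUSED) or returned no TXT record, which is the outcome the tool in the question would accept. On the server side, the setting I would expect to turn this off on Windows Server 2008 R2 DNS is EnableVersionQuery (`dnscmd /Config /EnableVersionQuery 0`, or the same property through Set-DnsServerSetting on 2012 and later); I have not verified it against the exact build quoted in the question, so treat that as an assumption and confirm with the probe afterwards. Either way, the banner is a shortcut rather than a control: a vulnerable build needs patching, and hiding the version only removes the shortcut.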


    Expert Comment

    I have been monitoring this hoping for a solid answer, as I came to the same conclusion that thehagman did, but wasn't sure if I had all the answers as I run BIND and not MS DNS so could not test.

    Author Closing Comment

    Thanks guys, will look into whether to stay with Windows DNS or move to BIND...
