MS DNS Server - Remove response to CHAOS bind.version query

Hello,

I have been using domain tools provided by dnsstuff.com and upon running checks on my domain, came across this :

Nameserver software version
Issues a warning if the nameservers respond to the CHAOS bind.version query.

One or more nameservers responded to version queries. This can be considered a breach of security. If a malicious person or program had access to a version-specific exploit for your DNS server, displaying the version info openly will make their attack much easier. This should be removed or obscured. The nameservers that responded to version queries are:

xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"
xx.xx.xx.xx responded with "Microsoft DNS 6.1.7601 (1DB1446A)"


Any thoughts on how to prevent my MS DNS servers from giving out this information? This warning seems to sound valid.
Robin_Ottawa Asked:
thehagman Commented:
I cannot find an option to achieve this goal, so the following hints may not satisfy you:

Searching support.microsoft.com only reveals information on how to *query* the version - I assume you searched there before anyway - so it might not be possible at all (at least not with all versions).
On the other hand, I just checked with a few Windows 2003 DNS servers and did not get a reply to the version query.

There is no such thing as security by obscurity. If it were possible to disguise your MS DNS server as a different version, attackers won't trust its answer anyway and will simply try all possible exploits. (Since modern BIND versions can disguise themselves and probably most public DNS servers are BIND, relying on the version reply is not advisable for an attacker at all.)
If you are afraid of MS DNS being vulnerable, you should not expose it to the internet at all.

Papertrip Commented:
I have been monitoring this hoping for a solid answer, as I came to the same conclusion that thehagman did, but wasn't sure if I had all the answers, as I run BIND and not MS DNS so could not test.
Robin_Ottawa Author Commented:
Thanks guys, will look into whether to stay with Windows DNS or move to BIND...