Thomas
asked on
DNS named.conf
Hi,
I am a bit on a dead end and think I need to have a second set of eyes look at this since I seem to not be able to hide my dns version with the suggested
version "unknown";
or
version unknown;
both do not work.
I set it and restart, but I do a dig and it still shows the version.
Now while I show part of my conf file, if you see any other issue please let me know. Here is my named.conf, and I wonder if you see something that would prevent it from hiding the version.
options {
    allow-query {
        any;
    };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    listen-on port 53 { trusted; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named/";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
    empty-zones-enable no;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    version "unknown";
};
Any idea if there is something in options that could prevent the version "unknown"; from hiding my DNS version?
Thank you for the help.
Best wishes,
Thom
ASKER
Interesting, that would make sense, but it seems it is not installed. I just searched for it but only have some:
/usr/lib/python2.6/site-packages/sos/plugins/nscd.py
/usr/lib/python2.6/site-packages/sos/plugins/nscd.pyc
/usr/lib/python2.6/site-packages/sos/plugins/nscd.pyo
/usr/share/man/man5/nscd.conf.5.gz
/usr/share/man/man8/nscd.8.gz
/usr/share/man/man8/nscd_selinux.8.gz
/usr/share/selinux/devel/include/services/nscd.if
also
> nscd -i
> -bash: nscd: command not found
I think I might just need to wait for it to resolve, but this was not mentioned in any of my Google results. Well, let's see, maybe time resolves it.
Do you see any other issue or security hole in my options block?
Best wishes,
thom
Your config looks good so far.
I guess you know it already, but let me point you to the "BIND 9 Security Vulnerability Matrix" nonetheless. Maybe it has something useful for you.
https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
ASKER CERTIFIED SOLUTION
ASKER
Hi,
I just did a dig on one of the domains from another server.
E.g.:
dig accentx.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> accentx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1116
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;accentx.com. IN A
;; ANSWER SECTION:
accentx.com. 3600 IN A 198.15.83.98
;; AUTHORITY SECTION:
accentx.com. 3600 IN NS ns1.dmni.net.
accentx.com. 3600 IN NS ns2.dmni.net.
;; ADDITIONAL SECTION:
ns1.dmni.net. 38400 IN A 198.15.73.157
ns2.dmni.net. 38400 IN A 198.15.83.126
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 21 23:41:50 2013
;; MSG SIZE rcvd: 121
Actually, it times out if I use the version dig:
dig @198.15.73.157 chaos txt version.bind
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @198.15.73.157 chaos txt version.bind
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
I think I need to speak to the data centre and see if there is something in between.
It is completely strange to me that it does not hide the version; however, I am now suspecting that it might hit the data center, because the 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 does not seem to be my server since I am running CentOS. Then again, I do not understand why it would do this.
I will contact them and then update here too.
Best wishes,
thom
I see your changes:
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48504
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "unknown"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 83 msec
;; SERVER: 198.15.73.157#53(198.15.73.157)
;; WHEN: Sat Jun 22 08:05:29 2013
;; MSG SIZE rcvd: 64
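As an added example (not from the thread, and not ISC's or Experts Exchange's code), here is a small POSIX shell script that does the check the last posts converge on: query version.bind in the CHAOS class and decide whether the server's answer hides its version. The dig transcripts it parses are constructed here, modelled on the shapes shown above, and query_live is an assumed helper name. Note that the `; <<>> DiG 9.8.2... <<>>` banner is the version of dig on the querying host, not of the server being queried, which is why the parser reads only the ANSWER SECTION and ignores the banner.

```shell
#!/bin/sh
# Added example: classify a BIND CHAOS-class version.bind answer as
# "hidden", "leak" or "noanswer". Sample dig outputs are constructed.

# Print the TXT value of the version.bind answer found in dig output on
# stdin, without the surrounding quotes; print nothing if there is none.
extract_version_txt() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/                 { in_answer = 0 }
        in_answer && $1 == "version.bind." && $3 == "CH" && $4 == "TXT" {
            s = $0
            sub(/^[^"]*"/, "", s)   # drop everything up to the opening quote
            sub(/"[^"]*$/, "", s)   # drop the closing quote and anything after
            print s
            exit
        }'
}

# Classify the extracted value. A string containing a dotted number such
# as 9.8.2 is treated as a real release banner; an empty result means the
# query got no answer (timeout, REFUSED, or "version none;").
classify_version() {
    case "$1" in
        "")           echo "noanswer" ;;
        *[0-9].[0-9]*) echo "leak" ;;
        *)            echo "hidden" ;;
    esac
}

# Convenience: dig output on stdin -> classification on stdout.
check_dig_output() {
    classify_version "$(extract_version_txt)"
}

# Live check against a real server (needs network and dig); assumed helper.
query_live() {
    dig +time=3 +tries=1 @"$1" chaos txt version.bind | check_dig_output
}

# Constructed sample 1: operator set version "unknown"; (the dig banner on
# line 1 carries the client version and must be ignored).
SAMPLE_HIDDEN='; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @198.15.73.157 chaos txt version.bind
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48504
;; QUESTION SECTION:
;version.bind.                  CH      TXT
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "unknown"
;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.'

# Constructed sample 2: a server still reporting its real release string.
SAMPLE_LEAK='; <<>> DiG 9.9.4 <<>> @192.0.2.53 chaos txt version.bind
;; Got answer:
;; QUESTION SECTION:
;version.bind.                  CH      TXT
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4"'

# Constructed sample 3: the timeout seen when nothing reachable answers.
SAMPLE_TIMEOUT='; <<>> DiG 9.9.4 <<>> @192.0.2.53 chaos txt version.bind
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached'

# Demo run over the three constructed samples.
for name in SAMPLE_HIDDEN SAMPLE_LEAK SAMPLE_TIMEOUT; do
    eval "sample=\$$name"
    printf '%s: %s\n' "$name" "$(printf '%s\n' "$sample" | check_dig_output)"
done
```

To check a real server, run `query_live 198.15.73.157` (or your own authoritative address) from a host outside the data centre; a result of "leak" means the `version` option in named.conf is not taking effect, and "noanswer" means either the query never reached the server or it is configured with `version none;`.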
ASKER
Yes, I did it wrong. From the outside it's working now.
Thanks for pointing me to it.
http://linux.die.net/man/8/nscd
http://linux.die.net/man/5/nscd.conf