Solved

DNS named.conf

Posted on 2013-06-20
Last Modified: 2013-06-22
Hi,

I am a bit at a dead end and think I need a second set of eyes to look at this, since I seem not to be able to hide my DNS version with the suggested

version "unknown";
or
version unknown;

Both do not work.
I set it and restart, but when I do a dig it still shows the version.

Now, while I show part of my conf file, if you see any other issue please let me know.

Here is my named.conf, and I wonder if you see something that would prevent it from hiding the version.

options {
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    listen-on port 53 { trusted; };
    listen-on-v6 port 53 { ::1; };
    directory           "/var/named/";
    dump-file           "/var/named/data/cache_dump.db";
    statistics-file     "/var/named/data/named_stats.txt";
    memstatistics-file  "/var/named/data/named_mem_stats.txt";
    recursion yes;
    empty-zones-enable no;
    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    version "unknown";
};

Any idea if there is something in options that could prevent the version "unknown"; from hiding my DNS version?

Thank you for the help.

Best wishes,
Thom
Question by:Thomanji
7 Comments
LVL 68

Expert Comment

by:woolmilkporc
ID: 39262281
I think it's your client's local nscd showing you old version info from its cache.

http://linux.die.net/man/8/nscd
http://linux.die.net/man/5/nscd.conf

Author Comment

by:Thomanji
ID: 39262302
Interesting, that would make sense, but it seems it is not installed. I just searched for it but only found these:

/usr/lib/python2.6/site-packages/sos/plugins/nscd.py
/usr/lib/python2.6/site-packages/sos/plugins/nscd.pyc
/usr/lib/python2.6/site-packages/sos/plugins/nscd.pyo
/usr/share/man/man5/nscd.conf.5.gz
/usr/share/man/man8/nscd.8.gz
/usr/share/man/man8/nscd_selinux.8.gz
/usr/share/selinux/devel/include/services/nscd.if

also
> nscd -i
> -bash: nscd: command not found

I think I might just need to wait for it to resolve, but this was not mentioned in any of my Google results. Well, let's see; maybe time resolves it.

Do you see any other issue or security hole in my options block?

Best wishes,
thom
LVL 68

Expert Comment

by:woolmilkporc
ID: 39262322
Your config looks good so far.

I guess you know it already, but let me point you to the "BIND 9 Security Vulnerability Matrix" nonetheless. Maybe it has something useful for you.

https://kb.isc.org/article/AA-00913/0/BIND-9-Security-Vulnerability-Matrix.html
LVL 29

Accepted Solution

by: Jan Springer (earned 2000 total points)
ID: 39262418
Are you querying the server directly?

dig @A.B.C.D chaos txt version.bind

where A.B.C.D is the IP address of the DNS server.

Author Comment

by:Thomanji
ID: 39267514
Hi,

I just did a dig on one of the domains from another server, e.g.:

dig accentx.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> accentx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1116
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;accentx.com.                   IN      A

;; ANSWER SECTION:
accentx.com.            3600    IN      A       198.15.83.98

;; AUTHORITY SECTION:
accentx.com.            3600    IN      NS      ns1.dmni.net.
accentx.com.            3600    IN      NS      ns2.dmni.net.

;; ADDITIONAL SECTION:
ns1.dmni.net.           38400   IN      A       198.15.73.157
ns2.dmni.net.           38400   IN      A       198.15.83.126

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 21 23:41:50 2013
;; MSG SIZE  rcvd: 121

Actually, it times out if I use the version dig:

dig @198.15.73.157 chaos txt version.bind

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @198.15.73.157 chaos txt version.bind
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I think I need to speak to the data centre and see if there is something in between.
It is completely strange to me that it does not hide the version; however, I am now suspecting that it might hit the data center, because the 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 does not seem to be my server since I am running CentOS. Then again, I do not understand why it would do this.

I will contact them and then update here too.

Best wishes,
thom
LVL 29

Expert Comment

by:Jan Springer
ID: 39267992
I see your changes:

; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48504
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "unknown"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 83 msec
;; SERVER: 198.15.73.157#53(198.15.73.157)
;; WHEN: Sat Jun 22 08:05:29 2013
;; MSG SIZE  rcvd: 64
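The direct CHAOS-class check Jan Springer recommends, and the "unknown" reply shown above, at the wire level: an added Python example (not from this thread) that builds the same query as dig @server chaos txt version.bind, parses the CH TXT answer, and flags whether a real version string came back instead of a mask. make_sample_reply is a constructed reply for offline use, not captured traffic; query_server sends the query to a server you name, which needs network access.

```python
import socket, struct

QCLASS_CH, QTYPE_TXT = 3, 16   # CHAOS class and TXT type, as in `dig chaos txt version.bind`
QUESTION = b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)

def build_version_query(txid=0x1234):
    """Wire-format query equivalent to `dig @server chaos txt version.bind` (RD bit clear)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + QUESTION

def _skip_name(msg, off):   # return the offset just past a (possibly compressed) name
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_version_reply(msg, txid=0x1234):
    """Return the CH TXT string from a version.bind reply, or None if the server gave none."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid or not flags & 0x8000 or flags & 0x000F:   # wrong id, not a reply, or RCODE != 0
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            parts, p = [], off           # RDATA is a run of <len><chars> strings
            while p < off + rdlen:
                parts.append(msg[p + 1:p + 1 + msg[p]].decode(errors="replace"))
                p += 1 + msg[p]
            return "".join(parts)
        off += rdlen
    return None

def version_leaked(txt):   # True when the answer looks like a real version, not a mask
    return txt is not None and txt.lower() not in ("unknown", "", "none")

def query_server(server, timeout=3.0):   # UDP query to the server itself; needs network
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_version_reply(s.recvfrom(512)[0])

def make_sample_reply(txt, txid=0x1234):   # constructed reply, not captured traffic
    rdata = bytes([len(txt)]) + txt.encode()
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + QUESTION + rr
```

Running version_leaked(query_server("A.B.C.D")) against your own server from outside, as the accepted answer suggests, is the check that the "unknown" setting actually took effect; a query answered from a local resolver's cache or a different server does not tell you that.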

Author Closing Comment

by:Thomanji
ID: 39268052
Yes, I did it wrong. From the outside it's working now.
Thanks for helping me realize.