Details

BIND includes a built-in zone, version.bind which may be queried to get the version of the name server. The version may be set to a value of none, to disable reporting of the version information.

Rationale:

Making detailed BIND version information easy to obtain remotely helps attackers automate and target their attacks. The information is not necessary for the health of the server, and should not be disclosed.

Solution

Add or modify the version option to have a value of none in the BIND global options, as shown below.

options {
version none;
. . .
}

Default Value:

Default value returns the current BIND detailed version.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/1735

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.This control applies to the following type of system Unix.

References

• 800-53|SC-30(5)
• CSCv6|9

Source

• Tenable.com/audits