sol6827: Disabling the DNS version response on the BIG-IP GTM system
How-To

Original Publication Date: 08/27/2009
Updated Date: 01/31/2014

Purpose

You should consider using this procedure under the following condition:

  • You want to prevent Berkeley Internet Name Domain (BIND) from revealing its version number.

Prerequisites

You must meet the following prerequisites to use this procedure:

  • You must have access to either the command line or the Configuration utility.
  • If you are accessing by way of the command line, you must have familiarity with a Linux text editor, such as vi or nano.

Description

BIND is the daemon that answers Domain Name System (DNS) requests on the BIG-IP GTM system. By default, BIND discloses its version number when it receives a TXT query for the name version.bind in the CHAOS class. Such a query can be sent with either the dig or the nslookup utility:

    dig @<BIND IP> version.bind chaos txt
    nslookup -type=txt -class=chaos version.bind <BIND IP>

An exact version string lets anyone on the network match the server against published BIND vulnerabilities without further probing, so depending on your requirements you may want to change this default behavior and configure BIND on the BIG-IP GTM system to hide its version number when it answers such a query. You do this by adding a version statement to the options section of the BIND configuration file (named.conf). You can modify the file using either the command line or the Configuration utility, by performing one of the following procedures:

Procedures

Configuring BIND to hide its version number using the command line

Impact of procedure: BIND may momentarily stop responding to DNS requests during the restart, and then resume responding to the requests when the process successfully restarts.

  1. Log in to the BIG-IP GTM command line.
  2. Stop the ZoneRunner process on the BIG-IP system by typing the following command:

    bigstart stop zrd

    Note: Stopping the zrd process does not prevent the BIG-IP GTM system from processing wide IP requests or BIND from processing DNS requests.

  3. Change directories to the /var/named/config/ directory by typing the following command:

    cd /var/named/config/

  4. Back up the current named.conf file by typing the following command:

    cp named.conf named.conf.original

  5. Using a text editor, edit the named.conf file.

    Note: F5 does not support editing the named.conf file directly on BIG-IP Link Controller-only systems. Doing so may cause DNS zone file synchronization issues if the Synchronize DNS Zone Files setting is enabled on the BIG-IP Link Controller system.
  6. Locate the options section and add the following line to the end of the section:

    version " ";

    Note: You can type anything within the quotes, or leave the space between the quotes blank.

    For example:

    options {
        listen-on port 53 {
            127.0.0.1;
            "zrd-acl-000-000";
        };
        listen-on-v6 port 53 {
            ::1;
        };
        recursion no;
        directory "/config/namedb";
        allow-transfer {
            localhost;
        };
        version " ";
    };

  7. Save the changes and exit the text editor.
  8. Restart named by entering the following command:

    bigstart restart named

    Restart the ZoneRunner process by entering the following command:

    bigstart start zrd

  9. Test the changes by typing one of the following commands from the command line:
    • If you are connected locally, type the following command:

      dig @localhost version.bind chaos txt

    • If you are connected remotely, type the following command:

      dig @<listener IP address> version.bind chaos txt

    After you make the modifications and restart the process, BIND answers a version query with the text you placed between the quotation marks in Step 6 (a single space in the example above) instead of its real version number.
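The following Python script is an added example and is not part of the F5 article or the BIG-IP product. It does on the wire what the dig commands in the test steps (here and in the two Configuration utility procedures below) do: it builds a TXT query for version.bind in the CHAOS class (QCLASS 3, the detail that makes this query different from an ordinary IN-class lookup), sends it over UDP, and parses the TXT answer so you can judge whether the server still discloses a real version string or only the placeholder you configured. The response packets it parses offline are constructed inside the script; the function names and the leaks_version heuristic (any "digits.digits" token counts as a version) are assumptions of this example, not F5 conventions.

```python
"""Query and evaluate the BIND version.bind CHAOS TXT record.

Added example: not code from the F5 article. Run with a server address to
query a live listener, or import the functions to test against the
constructed sample responses below.
"""
import re
import socket
import struct
import sys

VERSION_BIND_NAME = "version.bind"
QTYPE_TXT = 16   # TXT record type
QCLASS_CH = 3    # CHAOS class; version.bind only exists here, never in IN


def encode_name(name):
    """Encode a dotted name as DNS labels: 07version 04bind 00."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid=0x1234):
    """Header (ID, flags=0, QDCOUNT=1) followed by one CH TXT question."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(VERSION_BIND_NAME) + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    return header + question


def skip_name(buf, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends name
            return off + 2
        off += 1 + length


def parse_txt_answers(resp):
    """Return (rcode, [txt strings]) from CH TXT records in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    strings = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            p = 0                                # TXT rdata is a run of <len><bytes>
            while p < len(rdata):
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
    return rcode, strings


def leaks_version(strings):
    """Heuristic (assumption of this example): a real version looks like 9.x."""
    return any(re.search(r"\d+\.\d+", s) for s in strings)


def build_txt_response(query, strings, rcode=0):
    """Fabricate a reply to `query` carrying `strings` as one CH TXT record.

    Used only to construct offline sample responses; a real server builds its own.
    """
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    flags = 0x8400 | (rcode & 0xF)               # QR=1, AA=1, RCODE
    ancount = 1 if strings else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)
    answer = b""
    if strings:
        rdata = b"".join(struct.pack("B", len(s)) + s.encode("ascii") for s in strings)
        # 0xC00C points back at the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def query_server(host, port=53, timeout=3.0):
    """Send the CH TXT query over UDP and parse the reply."""
    q = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (host, port))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_txt_answers(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rc, txt = query_server(sys.argv[1])
    else:
        # Constructed sample: what an unhardened server might answer (version string is made up)
        rc, txt = parse_txt_answers(build_txt_response(build_version_query(), ["9.9.4"]))
    print("rcode=%d txt=%r version leaked=%s" % (rc, txt, leaks_version(txt)))
```

Run it against a listener IP to confirm the hardened configuration: the script should report the placeholder text (or a non-zero rcode) and "version leaked=False". Note that a deliberately misleading string such as `version "not disclosed";` also scores as not leaked, while leaving the default reply in place produces a real "9.x" token and scores as leaked.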

Configuring BIND to hide its version number using the Configuration utility (11.5.0 and later)

To configure BIND to hide its version number using the Configuration utility, perform the following procedure:

Impact of procedure: BIND may momentarily stop responding to DNS requests during the restart, and then resume responding when the process successfully restarts.

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to DNS > Zones > ZoneRunner > named Configuration.
  3. Scroll down the named Options window until you see "options {".
  4. In the options section, add a version definition.

    For example:

    version " ";

    Note: You can add any text you want between the quotation marks. Spaces and non-alphanumeric characters will display.

    Important: Make sure there is a semicolon (;) at the end of the definition.

  5. Click Update.
  6. Test the changes by typing one of the following two commands from the command line:
    • If you are connected locally, type the following command:

      dig @localhost version.bind chaos txt

    • If you are connected remotely, type the following command:

      dig @<listener IP address> version.bind chaos txt

Configuring BIND to hide its version number using the Configuration utility (9.x - 11.4.1)

To configure BIND to hide its version number using the Configuration utility, perform the following procedure:

Impact of procedure: BIND may momentarily stop responding to DNS requests during the restart, and resume responding when the process successfully restarts.

  1. Log in to the BIG-IP Configuration utility.
  2. Navigate to Global Traffic > ZoneRunner > Named Configuration.
  3. Scroll down the Named Options window until you see "options {".
  4. In the options section, add a version definition.

    For example:

    version " ";

    Note: You can add any text you want between the quotation marks. Spaces and non-alphanumeric characters will display.

    Important: Make sure there is a semicolon (;) at the end of the definition.

  5. Click Update.
  6. Test the changes by typing one of the following two commands from the command line:
    • If you are connected locally, type the following command:

      dig @localhost version.bind chaos txt

    • If you are connected remotely, type the following command:

      dig @<listener IP address> version.bind chaos txt
