The DNS Name Server software must be configured to refuse queries for its version information.
An XCCDF Rule
Description
<VulnDiscussion>Each newer version of the name server software, especially the BIND software, generally is devoid of vulnerabilities found in earlier versions because it has design changes incorporated to address those vulnerabilities. The vulnerabilities have been exploited (i.e., some form of attack was launched), and sufficient information has been generated with respect to the nature of those exploits. It makes good business sense to run the latest version of name server software because theoretically it is the safest version. In some installations, it may not be possible to switch to the latest version of name server software immediately. If the version of the name server software is revealed in queries, this information may be used by attackers looking for a specific version of the software that has a discovered weakness. To prevent information about which version of name server software is running on a system, name servers should be configured to refuse queries for its version information.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259403r1001264_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
To disable the version being returned in queries, execute the following command:
dnscmd /config /EnableVersionQuery 0 <enter>