Every so often a new vulnerability is found in DNS software, and script kiddies scan the Internet to exploit unpatched systems. It's a best practice to hide the software version on your DNS servers; this is not real protection, but it makes your servers a little harder to find by scanning.

Use the dig command to find out which version is running on your name servers:

$ dig +short version.bind txt chaos


Bind

To hide the version when using Bind, open the named.conf configuration file in your favorite editor, go to the options section and set a custom version string with the version option.


// /etc/named.conf
options {
  // Hide bind version
  version "unknown";
};

Restart the server (use bind9 instead of named on Debian-based systems):

$ sudo service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

Verify that the server returns the new version string:

$ dig +short version.bind txt chaos
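The dig queries above and at the top of the page send a TXT query in the CHAOS class. As an added example (not code from the original article), here is a small Python script that builds that same query, sends it to a server of your own and parses the TXT answer, so you can check every name server from one place; query_version() uses the network, while SAMPLE_RESPONSE is a constructed packet for an offline check.

```python
import socket
import struct

CLASS_CHAOS = 3   # CH class, where version.bind / version.server live
TYPE_TXT = 16

def build_chaos_txt_query(name="version.bind", txid=0x1234):
    """Raw DNS query for <name> TXT CH, what `dig +short version.bind txt chaos` sends."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", TYPE_TXT, CLASS_CHAOS)

def _skip_name(msg, off):
    # Advance past a domain name; a compression pointer (top two bits set) is 2 bytes and ends it
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_txt_answers(resp):
    """Collect the TXT strings from the answer section of a CH-class response."""
    qd, an = struct.unpack_from(">HH", resp, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        if rtype == TYPE_TXT and rclass == CLASS_CHAOS:
            p, end = off, off + rdlen
            while p < end:                       # RDATA is a sequence of <len><chars>
                texts.append(resp[p + 1:p + 1 + resp[p]].decode(errors="replace"))
                p += 1 + resp[p]
        off += rdlen
    return texts

def query_version(server, name="version.bind", timeout=2.0):
    """Send the query over UDP/53 to one of your own servers and return what it answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_chaos_txt_query(name), (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_txt_answers(resp)

# Constructed sample response (not captured from a real server): a Bind answering "unknown".
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x07version\x04bind\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CHAOS)
                   + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CHAOS, 0, 8) + b"\x07unknown")
```

An empty list or a timeout means the server refuses CHAOS queries altogether (as Knot and NSD do once configured), which is just as good as a custom string.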


Knot DNS

Edit knot.conf and set the version parameter in the system section to off:

system {
  # Used for answer to CH TXT 'version.server' or 'version.bind'
  version off;
}

Restart the server to apply changes:

$ sudo service knot restart
Stopping knot: .                                          [  OK  ]
Starting knot:                                            [  OK  ]




NSD

Edit the nsd.conf configuration file and set the hide-version parameter to yes in the server section.

  # /etc/nsd/nsd.conf
  server:
    # Don't answer VERSION.BIND and VERSION.SERVER CHAOS class queries
    hide-version: yes

Restart the NSD server:

$ sudo service nsd restart
Stopping nsd:                                              [  OK  ]
Starting nsd:                                              [  OK  ]




TinyDNS

TinyDNS doesn't expose its version.

Microsoft DNS

To control how the server responds to version queries, use the dnscmd command with the EnableVersionQuery parameter. Possible values:

  • 0x00000000 (DNS_VERSION_QUERY_OFF) No version information will be returned.
  • 0x00000001 (DNS_VERSION_QUERY_FULL) The server responds with major operating system version, minor operating system version, and operating system revision.
  • 0x00000002 (DNS_VERSION_QUERY_MINIMAL) The server responds with major operating system version and minor operating system version.


To turn version information off:

dnscmd /config /EnableVersionQuery 0

On Windows Server 2008 and Windows Server 2008 R2, the default value is 0x00000001. On Windows Server 2012 and Windows Server 2012 R2, the default value is 0x00000000.