Hello,

I wrote this patch for BIND 8.1.2 that will change the version number returned and (most importantly) write to your logs that a person attempted to do so.

To apply:

cd src/bin/named
patch < patchfile.name

re-compile and run (preferably chrooted()) (See http://www.psionic.com/papers/dns.html or http://www.homeport.org/~adam/dns.html for more information)

Test using command:

dig @127.0.0.1 version.bind chaos txt

You should see "Go away." come back instead of the BIND version number and your log should have an "attackalert" message in it with the IP of the perpetrator. This can be grep'd for if you use an automated logfile auditing tool like swatch or <ahem> logcheck, which already looks for this keyword: http://www.psionic.com/abacus/abacus_logcheck.html ;)

While I don't suspect this will break anything, I would like to hear if it does. I've been running the patch without incident, but no guarantees as usual.

Thanks,

-- Craig

*** ns_req.c Tue Jun 9 21:56:26 1998 --- ns_req.new Tue Jun 9 21:46:58 1998 *************** *** 665,673 **** PUTLONG(0, *cpp); /* TTL */ tp = *cpp; /* Temp RdLength */ PUTSHORT(0, *cpp); ! copyCharString(cpp, ShortVersion); PUTSHORT((*cpp) - (tp + INT16SZ), tp); /* Real RdLength */ *msglenp = *cpp - msg; /* Total message length */ return (Finish); } --- 665,674 ---- PUTLONG(0, *cpp); /* TTL */ tp = *cpp; /* Temp RdLength */ PUTSHORT(0, *cpp); ! copyCharString(cpp, "Go away."); PUTSHORT((*cpp) - (tp + INT16SZ), tp); /* Real RdLength */ *msglenp = *cpp - msg; /* Total message length */ + ns_info(ns_log_security, "attackalert: BIND version query from %s", sin_ntoa(from)); return (Finish); }
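Review bot: the added ns_info() call in the 665,674 hunk logs unconditionally on every version.bind query, so the post's own dig test and any legitimate monitoring probe will also produce an "attackalert" line, and a flood of such queries will fill the security log with no rate limiting; consider a per-source counter that logs once per interval rather than once per packet. The hunk also shows neither a declaration of `from` nor of `sin_ntoa()` in this function's scope, so the patch description should say which ns_req.c function it targets, and the hard-coded `"Go away."` literal replacing `ShortVersion` would read better as a named constant beside ShortVersion instead of an inline string on a line far wider than the surrounding code.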
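Since the post's point is that the new log line is meant to be picked up by a log-auditing tool, here is an added example (not part of Craig's post or of BIND) of a small detector that parses such "attackalert" lines from syslog output, tallies them per source address and reports sources that exceed a threshold. The syslog prefix and the "[addr].port" rendering of the source are assumptions about how BIND 8 would emit the line; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the patched ns_info() call
# would produce.  The "[addr].port" form of the source is an assumption
# about sin_ntoa(); the last line shows a bare address so the parser
# tolerates both renderings.  The AXFR line is a decoy that must not match.
SAMPLE_LOG = """\
Jun 10 02:11:03 ns1 named[314]: attackalert: BIND version query from [192.0.2.10].1033
Jun 10 02:11:04 ns1 named[314]: attackalert: BIND version query from [192.0.2.10].1034
Jun 10 02:13:41 ns1 named[314]: approved AXFR from [198.51.100.7].2049 for "example.net"
Jun 10 02:15:00 ns1 named[314]: attackalert: BIND version query from [203.0.113.5].53
Jun 10 02:15:09 ns1 named[314]: attackalert: BIND version query from 203.0.113.5
"""

# Anchored regex: syslog timestamp, host, "named[pid]:", the fixed message
# from the patch, then the source as "[a.b.c.d].port" or plain "a.b.c.d".
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"attackalert: BIND version query from "
    r"\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?(?:\.(?P<port>\d+))?\s*$"
)


def parse_alerts(text):
    """Return (ip, port_or_None, timestamp) for every attackalert line."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            hits.append((m.group("ip"), m.group("port"), m.group("ts")))
    return hits


def count_by_source(text):
    """Number of version.bind queries seen per source address."""
    return Counter(ip for ip, _, _ in parse_alerts(text))


def noisy_sources(text, threshold=2):
    """Sources that issued at least `threshold` version queries, sorted."""
    return sorted(ip for ip, n in count_by_source(text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} version.bind quer{'y' if n == 1 else 'ies'}")
    print("sources over threshold:", noisy_sources(SAMPLE_LOG))
```

Counting per source rather than alerting on every hit is what keeps the post's own `dig @127.0.0.1 version.bind chaos txt` test, or a routine monitoring probe, from being reported the same way as a scan; a single query is recorded, and only repeated queries from one address are surfaced.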
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:44 PDT