Disable bind 9.3.6 hostname disclosure

"There is no remedy as of December 18, 2010." Wrong, so very wrong. There has been a fix since February 2006 (at least). Put this in your BIND config (it probably is there already):

options {
  version "none";
}

Let me "craft" this "special" query (don't attempt this at home):

$ nslookup -q=txt -class=CHAOS authors.bind. localhost
Server:         localhost
Address:        127.0.0.1#53

*** Can't find authors.bind.: No answer

For more info on securing BIND have a look at http://www.cymru.com/Documents/secure-bind-template.html

You can hide hostname and version this way:

# /etc/named.conf
options {
    // hide bind info
    hostname "unknown";
    version "unknown";
}

Hostname querying example:

[vitalie@silver ~]$ dig @ns1.kappa.ro hostname.bind chaos txt

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @ns1.kappa.ro hostname.bind chaos txt
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46430
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hostname.bind.                 CH      TXT

;; ANSWER SECTION:
hostname.bind.          0       CH      TXT     "linux.kappa.ro"

;; AUTHORITY SECTION:
hostname.bind.          0       CH      NS      hostname.bind.

;; Query time: 6 msec
;; SERVER: 194.102.255.3#53(194.102.255.3)
;; WHEN: Wed Jan  5 15:08:14 2011
;; MSG SIZE  rcvd: 72

You can disable hostname.bind by putting this in named.conf (valid in BIND 9.9 that I use):

options {  
  hostname none;  
}