GEN:SID | 1:1616 |
Message | DNS named version attempt |
Summary | This event is generated when an attempt is made to query version.bind on your DNS server.
|
Impact | Reconnaissance. This may indicate which version of BIND the server is running.
|
Detailed Information | An attacker can query a DNS server for the version of BIND it is running. Some versions of BIND respond to these queries by default, while BIND version 9, by default, does not. A response to this query can help an attacker discover servers that are potentially vulnerable to exploits associated with specific versions of BIND.
|
Affected Systems | All versions of BIND.
|
Attack Scenarios | An attacker can execute this query to find DNS servers running specific versions of BIND.
|
Ease of Attack | Simple. Use the Unix command 'dig @ns.com version.bind txt chaos'
|
Corrective Action | Remove the ability to retrieve the version.bind chaos record via configuration options.
|
Additional References | Nessus: http://cgi.nessus.org/plugins/dump.php3?id=10028
Arachnids: http://www.whitehats.com/info/IDS278
|
Rule References | arachnids: 278
nessus: 10028
|
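The condition this event describes, written out as an added example (not part of the original rule documentation and not Snort's own code): it parses the question section of a DNS message and flags a TXT query in the CHAOS class for version.bind. The function names and the sample messages are constructed for illustration.

```python
import struct

CLASS_CHAOS = 3   # DNS class CH
TYPE_TXT = 16     # DNS type TXT

def build_query(name, qtype, qclass, txid=0x1234):
    """Construct a minimal DNS query message (only used to make sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, qclass)

def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:   # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            return None
        length = msg[pos]
        pos += 1
        if length == 0:                 # root label ends the name
            break
        if length > 63 or pos + length > len(msg):   # pointers and overruns rejected
            return None
        # DNS names are case-insensitive, so normalise before comparing.
        labels.append(msg[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    if pos + 4 > len(msg):
        return None
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def is_version_bind_query(msg):
    """True when the message is a CHAOS-class TXT query for version.bind."""
    q = parse_question(msg)
    return q is not None and q == ("version.bind", TYPE_TXT, CLASS_CHAOS)

if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for name, qclass in (("version.bind", CLASS_CHAOS), ("example.com", 1)):
        print(name, qclass, is_version_bind_query(build_query(name, TYPE_TXT, qclass)))
```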