Default IPA installation exposes exact BIND version to anyone who can query the server. That is considered information leakage and creates a good target for automated bot exploits.
Example:
$ dig -t ANY @127.0.0.1 -c CH version.bind

; <<>> DiG 9.9.2-RedHat-9.9.2-2.fc17 <<>> @127.0.0.1 -t ANY -c CH version.bind
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2934
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;version.bind.			CH	ANY

;; ANSWER SECTION:
version.bind.		0	CH	TXT	"9.9.2-RedHat-9.9.2-2.fc17"
version.bind.		86400	CH	SOA	version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400
version.bind.		0	CH	NS	version.bind.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec  3 16:29:27 2012
;; MSG SIZE  rcvd: 140
Solution: Add the following three lines to /etc/named.conf during the IPA install/upgrade:
/etc/named.conf

options {
	version none;
	server-id none;
	hostname none;
};
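An added verification script, not part of the ticket or of FreeIPA's own code: it parses dig output for a leaked CH TXT version.bind answer and audits a named.conf options block for the three settings above. The sample dig output and options block are constructed to mirror the ticket.

```python
import re
from typing import List, Optional

# Constructed sample: the sections a default BIND returns for
# `dig -t ANY -c CH version.bind` (values mirror the ticket's output).
LEAKY_DIG_OUTPUT = """\
;; QUESTION SECTION:
;version.bind.                  CH      ANY
;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.9.2-RedHat-9.9.2-2.fc17"
version.bind.           86400   CH      SOA     version.bind. hostmaster.version.bind. 0 28800 7200 604800 86400
version.bind.           0       CH      NS      version.bind.
"""

# Constructed sample of the options block the ticket proposes for /etc/named.conf.
HARDENED_NAMED_CONF = """\
options {
        directory "/var/named";
        version none;
        server-id none;
        hostname none;
};
"""

IDENTITY_OPTIONS = ("version", "server-id", "hostname")


def leaked_version(dig_output: str) -> Optional[str]:
    """Return the version string found in a CH TXT version.bind answer, or None."""
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break  # reached the next section without seeing a TXT record
        if in_answer:
            m = re.match(r'version\.bind\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"', line)
            if m:
                return m.group(1)
    return None


def unhidden_identity_options(named_conf: str) -> List[str]:
    """Identity options in the top-level options {} block not set to 'none' (assumes '};' closes the block at line start)."""
    m = re.search(r"options\s*\{(.*?)\n\};", named_conf, re.S)
    body = m.group(1) if m else ""
    return [key for key in IDENTITY_OPTIONS
            if not re.search(rf"^\s*{re.escape(key)}\s+none\s*;", body, re.M)]
```

Run `leaked_version` on the real `dig -t ANY -c CH version.bind` output after the upgrade; an empty result for the audit and no TXT answer means the leak is closed.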
Metadata Update from @pspacek:
- Issue assigned to rcritten
- Issue set to the milestone: Future Releases