Bind9: hiding the version number



Good evening, list,

Where is my mistake?
This is my first Bind. Please be lenient...

To hide the version, I understood that it is enough to add a line
in the options block.

According to the authors, one of these files has to be modified:
/etc/bind/named.conf
/etc/bind/named.conf.options
/etc/bind/named.options

The syntaxes vary:
version "pipo";
version "<pipo>";
According to man named.conf the syntax is:
version ( quoted_string | none );
Yet this syntax prevents Bind9 from restarting.

On a fresh Squeeze, I tried several possibilities found
on the net, but without success:
# apt-get install bind9 bind9-doc

Before the change:
# named-checkconf -v
9.7.3

After the config file was modified:
# cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        // Hide the Bind9 version
        version "pipo_none";

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Service restarted ( *** ):
# /etc/init.d/bind9 stop
Stopping domain name service...: bind9 waiting for pid 32285 to die.
# /etc/init.d/bind9 start
Starting domain name service...: bind9.

Result: the version is unchanged:
# named-checkconf -v
9.7.3
# dig @127.0.0.1
; <<>> DiG 9.7.3 <<>> @127.0.0.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41388
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
[...]

( *** )
- named.conf does include named.conf.options:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


- In syslog the only remaining error, about keys not found,
does not seem to me to be related:
Apr 11 00:49:58 mach01-mail named[32285]: received control channel command 'stop -p'
Apr 11 00:49:58 mach01-mail named[32285]: shutting down: flushing changes
Apr 11 00:49:58 mach01-mail named[32285]: stopping command channel on 127.0.0.1#953
Apr 11 00:49:58 mach01-mail named[32285]: stopping command channel on ::1#953
Apr 11 00:49:58 mach01-mail named[32285]: no longer listening on ::#53
Apr 11 00:49:58 mach01-mail named[32285]: no longer listening on 127.0.0.1#53
Apr 11 00:49:58 mach01-mail named[32285]: no longer listening on 192.168.1.101#53
Apr 11 00:49:58 mach01-mail named[32285]: exiting
Apr 11 00:50:13 mach01-mail named[32318]: starting BIND 9.7.3 -u bind
Apr 11 00:50:13 mach01-mail named[32318]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr'
'--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
Apr 11 00:50:13 mach01-mail named[32318]: adjusted limit on open files from 1024 to 1048576
Apr 11 00:50:13 mach01-mail named[32318]: found 2 CPUs, using 2 worker threads
Apr 11 00:50:13 mach01-mail named[32318]: using up to 4096 sockets
Apr 11 00:50:13 mach01-mail named[32318]: loading configuration from '/etc/bind/named.conf'
Apr 11 00:50:13 mach01-mail named[32318]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Apr 11 00:50:13 mach01-mail named[32318]: using default UDP/IPv4 port range: [1024, 65535]
Apr 11 00:50:13 mach01-mail named[32318]: using default UDP/IPv6 port range: [1024, 65535]
Apr 11 00:50:13 mach01-mail named[32318]: listening on IPv6 interfaces, port 53
Apr 11 00:50:13 mach01-mail named[32318]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 11 00:50:13 mach01-mail named[32318]: listening on IPv4 interface eth0, 192.168.1.101#53
Apr 11 00:50:13 mach01-mail named[32318]: generating session key for dynamic DNS
Apr 11 00:50:13 mach01-mail named[32318]: set up managed keys zone for view _default, file 'managed-keys.bind'
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 254.169.IN-ADDR.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: D.F.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 8.E.F.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 9.E.F.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: A.E.F.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: B.E.F.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr 11 00:50:13 mach01-mail named[32318]: command channel listening on 127.0.0.1#953
Apr 11 00:50:13 mach01-mail named[32318]: command channel listening on ::1#953
Apr 11 00:50:13 mach01-mail named[32318]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 11 00:50:13 mach01-mail named[32318]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 11 00:50:13 mach01-mail named[32318]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 11 00:50:13 mach01-mail named[32318]: zone localhost/IN: loaded serial 2
Apr 11 00:50:13 mach01-mail named[32318]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Apr 11 00:50:13 mach01-mail named[32318]: managed-keys-zone ./IN: loaded serial 0
Apr 11 00:50:13 mach01-mail named[32318]: running


Where is my mistake?


-- 
Alain Vaugham
GPG key: 0xD26D18BC
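Added example, not part of Alain's post: the string set by the `version` option in named.conf.options is what named returns for a TXT query of `version.bind` in the CHAOS class, so that query is the check that shows whether the masking is in effect (`named-checkconf -v` prints the version of the named-checkconf binary itself, and a plain `dig @127.0.0.1` asks for the root NS records). The script below builds that CHAOS query on the wire, parses the reply, and ships a constructed sample reply so the parsing can be exercised offline; `query_server` is an assumed helper for a live check against a running named on 127.0.0.1.

```python
# Added example (not from the original post): check what a BIND server really
# reports for its version via a TXT query for "version.bind" in class CHAOS.
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def build_version_query(txid=0x1234):
    """Wire-format DNS query: version.bind. CH TXT, recursion not requested."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in ("version", "bind")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_version_response(msg, expected_txid=None):
    """Return the TXT strings in the answer section; [] if the server refused."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F != 0:      # non-zero RCODE (e.g. REFUSED): no version text
        return []
    offset = 12
    for _ in range(qd):          # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    texts = []
    for _ in range(an):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a run of length-prefixed strings
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return texts


def query_server(server="127.0.0.1", port=53, timeout=2.0):
    """Assumed helper for a live check: send the query over UDP to a running named."""
    q = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    return parse_version_response(data, expected_txid=0x1234)


def build_sample_response(version_text, txid=0x1234, rcode=0):
    """Constructed reply for offline use: what a server configured with
    version "<version_text>"; answers, or a REFUSED reply when rcode != 0."""
    question = build_version_query(txid)[12:]
    if rcode:
        return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)  # QR + AA set
    rdata = bytes([len(version_text)]) + version_text.encode()
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration with a constructed reply for the post's "pipo_none" setting.
    print(parse_version_response(build_sample_response("pipo_none")))
    # Against a live server: print(query_server("127.0.0.1"))
```

The same check from the shell is `dig @127.0.0.1 version.bind CH TXT +short`; the script exists so the parsing can be run without a listening named, and so that a monitoring job can assert on the returned string rather than on a test for the real version number.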