From 0884c57e7aba981ee5cfcd3cd6c28927329e92d2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 20 Dec 2000 04:30:39 +0000 Subject: [PATCH] Q: How do I restrict / prevent lookups of the version string remotely. --- FAQ | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/FAQ b/FAQ index bea4f7eb7f..c802f2adfe 100644 --- a/FAQ +++ b/FAQ @@ -70,3 +70,21 @@ Q: How do I produce a useful core file on Linux? A: Apply the kernel patch found in bind9/linux/coredump-patch and rebuild the kernel. This patch causes multithreaded programs to dump the correct thread. + +Q: How do I restrict / prevent lookups of the version string remotely. + +A: The following view statement will intercept lookups as the internal +view that holds the information will be matched last. Note doing this +will not prevent attacks and may impeed people trying to diagnose problems +with your server. Also it is possible to "fingerprint" nameservers to +determine there version. + +view "chaos" chaos { + match-clients { ; }; + allow-query { none; }; + + zone "." { + type hint; + file "/dev/null"; // or any empty file + }; +};
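Review bot: In the added view example, `match-clients { ; };` contains no address match element, so a reader cannot tell which clients this view is meant to catch. Put the intended element or a clearly marked placeholder there, and have the answer say that it selects the clients whose version lookups are to be refused. In the answer text, "impeed" should be "impede" and "there version" should be "their version", and the question line should end with a question mark rather than a period. The first sentence would also be easier to follow if it said outright that this view is consulted before the internal view holding the version information, which "matched last" only implies.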