


Rob,

Check this page out:
https://raymii.org/s/tutorials/Get_DNS_server_version_and_hide_it_in_BIND.html

In addition to querying it...it mentions changing it to your own value. I
wonder if that would be of any use to you.

Charles

On Tue, Mar 29, 2016 at 8:54 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

How does one query the level of DNS bind your IBM i currently serves up?

Our external security scans query our DMZ IBM i's serving up DNS and
report their level of bind. Of course, it's always way behind and ruled
so out of date and full of security holes.

I have some other lpars and I am really curious as to how I could query
them and determine their level of bind.

IBM i takes the approach that they will make little to no effort to be
current on the level of bind. Instead, they will listen to you report a
particular CVE that you have an issue with and they will issue a PTF which
will address this CVE. But they will not upgrade the level of bind. Their
opinion is that they'd rather just keep patching the old level of bind and
not download a new level of bind and customize it for IBM i and patch any
newly discovered CVEs. Of course, my security audits look like crap. And,
no, I cannot convince the external scanning people to go through all the
hoops of saying this is the CVE, doing a PTF search for some PTF that
covers that CVE and seeing if we have that applied and stop reporting that
CVE. That's outside the scope of their responsibilities (and they're
wholly owned by IBM). Instead I have to type up an exception to that
ding, store it somewhere, and see if we can customize the audit to say
stop reporting it and this is why... Also, they report the CVE simply by
the bind level, not whether or not they can do what the CVE suggests can
be done.
And, the audit scan reports the OS running on IBM i as "FreeBSD
6.2-RELEASE".

In summary, I just want to know how I can query the bind levels of these
other lpars, before I turn them over to the scanning service.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.
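For the question asked in this thread, an added example (not part of either message, and not code from the linked tutorial): BIND conventionally reports its version in answer to a TXT query for `version.bind` in the CHAOS class, which is the same query `dig @server version.bind chaos txt` sends. The Python sketch below builds that query and parses the reply; the function names are this example's own, and because an operator can replace the string with their own value, as Charles notes, the result shows what a scanner will read rather than the patch level actually installed.

```python
import socket
import struct

TXT, CHAOS = 16, 3  # DNS record type TXT, class CH (CHAOS)

def build_query(qid=0x1234):
    """Wire-format query for version.bind, type TXT, class CHAOS."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 0)  # flags 0, one question
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_version(msg):
    """Text of the first CH TXT answer, or None if refused, empty or malformed."""
    try:
        _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
        if flags & 0x000F or an == 0:       # non-zero RCODE (e.g. REFUSED) or no answer
            return None
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            rdata = msg[off + 10:off + 10 + rdlen]
            off += 10 + rdlen
            if (rtype, rclass) == (TXT, CHAOS):
                parts, i = [], 0
                while i < len(rdata):       # TXT rdata is length-prefixed strings
                    parts.append(rdata[i + 1:i + 1 + rdata[i]])
                    i += 1 + rdata[i]
                return b"".join(parts).decode("ascii", "replace")
    except (IndexError, struct.error):
        pass                                # truncated or malformed reply
    return None

def query_version(server, timeout=3.0):
    """Ask one server you administer over UDP/53; None on timeout or refusal."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(), (server, 53))
            return parse_version(s.recv(512))
        except OSError:
            return None
```

Calling `query_version()` with the address of each LPAR before the scan shows the same banner the scanning service will record.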



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
