1. Home
  2. Network Vulnerabilities
  3. How to remediate – Unbound DNS Resolver Remote Version Detection
Searching...

How to remediate – Unbound DNS Resolver Remote Version Detection

Contents

1. Introduction

The Unbound DNS Resolver Remote Version Detection vulnerability means someone can find out which version of the Unbound software is running on a server. This isn’t usually a direct threat, but knowing the version helps attackers look for known weaknesses in that specific release. Systems running Unbound DNS resolvers are affected, typically those providing internal or external DNS services. A successful information disclosure could aid further attacks against the system.

2. Technical Explanation

The Unbound resolver responds to queries asking for its version number. This is a standard feature but can reveal sensitive details about the server’s configuration. An attacker doesn’t need any special access to get this information; they simply send a request. The reported version may not be accurate, as it depends on how the DNS server is configured.

  • Root cause: Unbound resolver responds to version queries by default.
  • Exploit mechanism: An attacker sends a DNS query requesting the version information. For example, using dig +version against the target DNS server.
  • Scope: All systems running Unbound DNS resolver software are potentially affected.

3. Detection and Assessment

You can check if your system is vulnerable by finding out what version of Unbound it’s running. A quick check will show the reported version, while a thorough method involves reviewing the configuration files.

  • Quick checks: Use the command dig +version against the DNS server’s IP address or hostname to see the version information returned.
  • Scanning: Nessus vulnerability ID 16829 can detect this issue as an example.
  • Logs and evidence: Check Unbound logs for queries requesting version information, though these are not usually logged by default.
dig +version your.dns.server.ip

4. Solution / Remediation Steps

To fix this issue, you should disable the ability for Unbound to respond to version queries. This is a simple change with minimal risk.

4.1 Preparation

  • This change requires a short maintenance window, as the DNS service will be briefly unavailable during restart. Approval from the network team may be needed.

4.2 Implementation

  1. Step 1: Edit the Unbound configuration file (usually located at /etc/unbound/unbound.conf or similar).
  2. Step 2: Add the line hide-version: yes to the configuration file.
  3. Step 3: Save the changes to the configuration file.
  4. Step 4: Restart the Unbound service using a command like systemctl restart unbound or service unbound restart.

4.3 Config or Code Example

Before

# No hide-version option present in configuration file

After

hide-version: yes

4.4 Security Practices Relevant to This Vulnerability

Least privilege can reduce the impact if an attacker gains information about your system. Regularly reviewing configurations helps identify unnecessary features that could be exploited.

  • Practice 1: Least privilege – limit access to DNS server configuration files and control plane.
  • Practice 2: Configuration review – regularly check Unbound settings for unnecessary or insecure options.

4.5 Automation (Optional)

If you use a configuration management tool, you can automate the addition of the hide-version: yes line to your Unbound configuration file.

# Example Ansible task
- name: Hide Unbound version information
  lineinfile:
    path: /etc/unbound/unbound.conf
    regexp: '^hide-version:'
    line: 'hide-version: yes'
    state: present
  notify: Restart Unbound

5. Verification / Validation

To confirm the fix worked, check that Unbound no longer responds to version queries. Run the same command you used for detection and verify it doesn’t return a version number.

  • Post-fix check: Run dig +version your.dns.server.ip. The output should not include a version string, or show an error.
  • Re-test: Re-run the initial dig +version command to confirm no version information is returned.
  • Monitoring: Check Unbound logs for errors related to configuration changes, as an example.
dig +version your.dns.server.ip

6. Preventive Measures and Monitoring

For example, update security baselines to include the hide-version: yes setting. Add checks in CI/CD pipelines to ensure configurations are secure before deployment.

  • Baselines: Update your DNS server baseline or policy to require disabling version information disclosure.
  • Pipelines: Include a configuration check in your CI/CD pipeline to verify the hide-version: yes setting is present in Unbound configurations.
  • Asset and patch process: Review Unbound configurations regularly as part of your asset management or patch review cycle.

7. Risks, Side Effects, and Roll Back

Disabling version information shouldn’t cause any service disruption. However, it might make troubleshooting slightly harder in some cases. To roll back, remove the hide-version: yes line from the configuration file and restart Unbound.

  • Risk or side effect 1: May complicate debugging if version information is needed for support requests.
  • Risk or side effect 2: None expected.
  • Roll back: Step 1: Remove the line hide-version: yes from /etc/unbound/unbound.conf. Step 2: Restart the Unbound service using systemctl restart unbound or service unbound restart.

8. References and Resources

Updated on December 27, 2025

Was this article helpful?

Yes No

Related Articles