BIND version / vulnerabilty report

Hello all,

One of my customers did a vulnerability test on my server and he’s sent me a report containing several BIND issues, like:

  • “Obsolete ISC BIND installation: ISC BIND Versions 9.4-ESV-R5 or earlier are considered obsolete and will not receive any update from the supplier, even the most critical.”

My box is a Centos 5.7, the reported BIND version is BIND version 9.3.6, under chroot /var/named/chroot

I’ve updated every single package that was available last week, and on the System Information Page I don’t have any package available to update. So I’m pretty sure my system is up to date.

So, is it possible that BIND is not up to date? Or is it not showing the correct version? Either way, how do I show to my customer that the system is up to date?

Thank you



While the folks who produce BIND may not offer additional updates for that version – RedHat and CentOS will backport security fixes into any of the software versions included in their distribution.

So, as long as you’re fully up to date with all the packages on your system (which you can do by running “yum update”, you should be in good shape!


Thanks Eric,

Is there a way to tell BIND not to show the version number, like we can do in Apache?


  • Rogerio


I haven’t tried this before, but I did find this after a little Googling, it may do the trick for you:

Hi Eric,

I’ve done some searching as well, and I found out that what seems to be the best way is:

options {
    version none;

Thank you

  • Rogerio