Hide dnsmasq version

I would like to hide the dnsmasq version visible under the dig version.bind query. Is it possible? Thanks!

admin@SERVER:~$ dig @localhost version.bind txt chaos

version.bind.           0       CH      TXT     "dnsmasq-pi-hole-v2.89"

Try adding a custom config file in /etc/dnsmasq.d/ with no-ident set.


1 Like

That works. Thank you!

Does this also turn off the custom domain version.FTL as another route to get this info?

$ dig @localhost txt chaos version.FTL
version.FTL.		0	CH	TXT	"v5.21"

Cross-referencing from the FTL 5.21 announcement – "Update embedded dnsmasq to v2.89"

No - see below. This is a good point, it should be also hidden. Any idea how to do it?

admin@SERVER:~$ dig @localhost txt chaos version.FTL

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @localhost txt chaos version.FTL
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15124
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;version.FTL.                   CH      TXT

version.FTL.            0       CH      TXT     "v5.21"

Pinging @DL6ER

Pi-hole values privacy as a high-value goal. We provided the patch implementing the new config option no-ident only recently to the dnsmasq project to allow removal/suppression of these strings (before this was only possible through recompilation from source).
However, the patch submitted to dnsmasq also only affected said dnsmasq code, and adding the extra version.ftl was forgotten when importing our patch from the upstream project into ours.

1 Like

Nice one, thanks, appreciate the flexibility in adding that. It's a handy diagnostic though.

Interestingly I do get the version from version.ftl but I get nothing from version.bind, but I also don't appear to have no-ident set, so I'm not sure why it is suppressed here. For example authors.bind returns "Simon Kelley".

Not sure if it's worth raising as a new topic (can do if there's a rabbit hole to go down) but I am curious.

EDIT – turned out version.bind was blocked in an adlist. Not the default adlist but another one I had added. This means

  • blacklisting these special domains is another way to prevent them from revealing their info
  • be mindful of them being blocked by an adlist and mistakenly interpreting the result as DNS interception if using them to test for this
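The following is an added example and not code from the thread or the Pi-hole project: a small POSIX shell probe that queries a resolver for the three CHAOS-class TXT names discussed above (version.bind, authors.bind and version.FTL) and reports which ones still return data. The live probe assumes `dig` (bind9-dnsutils) is installed; the parsing function is separated out so it can be run offline against captured dig output like the transcripts in the thread. The script name and the `EXPOSED`/`hidden` labels are my own choices.

```shell
#!/bin/sh
# Added example (not from the Pi-hole thread or project): probe a resolver for the
# CHAOS-class TXT names discussed in the thread and report which ones still answer.
# Assumes `dig` (bind9-dnsutils) for the live probe; extract_chaos_txt runs offline.

# Identity-revealing names from the thread. version.FTL is Pi-hole FTL's own addition
# to the set that dnsmasq answers (version.bind, authors.bind, ...).
CHAOS_NAMES="version.bind authors.bind version.FTL"

# extract_chaos_txt: read full dig output on stdin and print the TXT data of every
# answer-section record, i.e. lines shaped like
#   version.FTL.   0   CH   TXT   "v5.21"
# Lines starting with ';' (dig comments, the question section) are skipped.
# Exit status 0 if at least one CH TXT answer was found, 1 otherwise.
extract_chaos_txt() {
    awk '
        /^;/ { next }                       # dig comment lines and the question section
        $3 == "CH" && $4 == "TXT" {         # class CH, type TXT: an answer record
            data = $5                       # TXT data may contain spaces: rejoin fields
            for (i = 6; i <= NF; i++) data = data " " $i
            print data
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# probe_resolver SERVER: query each name against SERVER and print one line per result.
# Returns 1 if any name answered (identity still exposed), 0 if all were suppressed.
probe_resolver() {
    server="$1"
    exposed=0
    for name in $CHAOS_NAMES; do
        if data=$(dig @"$server" "$name" txt chaos +time=2 +tries=1 2>/dev/null | extract_chaos_txt); then
            printf 'EXPOSED  %-13s %s\n' "$name" "$data"
            exposed=1
        else
            printf 'hidden   %-13s (no CH TXT answer)\n' "$name"
        fi
    done
    return $exposed
}

# Usage: sh chaos_probe.sh localhost
if [ -n "${1:-}" ]; then
    probe_resolver "$1"
fi
```

The suppression itself is the drop-in file the answer above describes: a file under /etc/dnsmasq.d/ (a name such as 99-no-ident.conf is my choice) containing the single line `no-ident`, followed by a restart of the resolver. Rerunning the probe after each upgrade is worthwhile, since the thread shows version.FTL was initially missed. As the final post notes, an empty answer can also come from the name being on an adlist, so a `hidden` line on its own is not proof that no-ident is in effect.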

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.