Hide dnsmasq version

I would like to hide the dnsmasq version visible in the dig version.bind query. Is it possible? Thanks!

admin@SERVER:~$ dig @localhost version.bind txt chaos

version.bind.           0       CH      TXT     "dnsmasq-pi-hole-v2.89"

Try adding a custom config file in /etc/dnsmasq.d/ with no-ident set.


1 Like

That works. Thank you!

Does this also turn off the custom domain version.FTL as another route to get this info?

$ dig @localhost txt chaos version.FTL
version.FTL.		0	CH	TXT	"v5.21"

Cross-referencing from the FTL 5.21 announcement – "Update embedded dnsmasq to v2.89"

No - see below. This is a good point, it should also be hidden. Any idea how to do it?

admin@SERVER:~$ dig @localhost txt chaos version.FTL

; <<>> DiG 9.18.1-1ubuntu1.3-Ubuntu <<>> @localhost txt chaos version.FTL
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15124
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1232
;version.FTL.                   CH      TXT

version.FTL.            0       CH      TXT     "v5.21"

Pinging @DL6ER

Pi-hole values privacy as a high-value goal. We provided the patch implementing the new config option no-ident only recently to the dnsmasq project to allow removal/suppression of these strings (before this was only possible through recompilation from source).
However, the patch submitted to dnsmasq also only affected said dnsmasq code, and adding the extra version.ftl was forgotten when importing our patch from the upstream project into ours.

1 Like

Nice one, thanks, appreciate the flexibility in adding that. It's a handy diagnostic though.

Interestingly I do get the version from version.ftl but I get nothing from version.bind, but I also don't appear to have no-ident set, so I'm not sure why it is suppressed here. For example authors.bind returns "Simon Kelley".

Not sure if it's worth raising as a new topic (can do if there's a rabbit hole to go down) but I am curious.

EDIT – turned out version.bind was blocked in an adlist. Not the default adlist but another one I had added. This means

  • blacklisting these special domains is another way to prevent them from revealing their info
  • be mindful of them being blocked by an adlist and mistakenly interpreting the result as DNS interception if using them to test for this
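As an added example (not code from this thread, nor from the Pi-hole or dnsmasq projects), the following POSIX shell helpers script the two checks discussed above: whether a dnsmasq drop-in directory carries the no-ident option suggested in the reply, and whether a dig transcript still contains a CHAOS-class TXT answer such as version.bind or version.FTL. The directory is passed in rather than hard-coded, the file name 99-no-ident.conf is a choice made here, and the dig transcripts are constructed samples, not output captured from a live server.

```shell
#!/bin/sh
# Added example, not from the thread or from Pi-hole/dnsmasq.
# Assumes dnsmasq reads *.conf drop-ins from the directory passed in
# (the thread uses /etc/dnsmasq.d/); 99-no-ident.conf is a file name chosen here.

# has_no_ident DIR: succeed if an uncommented "no-ident" line exists in DIR/*.conf
has_no_ident() {
  grep -qs '^[[:space:]]*no-ident[[:space:]]*$' "$1"/*.conf
}

# write_no_ident_conf DIR: add the drop-in the reply suggests (idempotent)
write_no_ident_conf() {
  has_no_ident "$1" || printf 'no-ident\n' > "$1/99-no-ident.conf"
}

# chaos_txt_answer DIG_OUTPUT: print the quoted string of a CH TXT answer line,
# skipping dig's ";"-prefixed comment and question lines; prints nothing when
# no answer record is present (suppressed by no-ident, or blocked by a list).
# Fields may be separated by spaces or tabs, as in the transcripts in the thread.
chaos_txt_answer() {
  printf '%s\n' "$1" | sed -n \
    's/^[^;][^[:space:]]*[[:space:]][[:space:]]*[0-9][0-9]*[[:space:]][[:space:]]*CH[[:space:]][[:space:]]*TXT[[:space:]][[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# leaks_version DIG_OUTPUT: succeed when the transcript reveals a version string
leaks_version() {
  [ -n "$(chaos_txt_answer "$1")" ]
}

# Constructed sample transcripts (shortened dig output, not captured from a real server).
SAMPLE_LEAK='; <<>> DiG 9.18.1 <<>> @localhost version.bind txt chaos
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;version.bind.                  CH      TXT
version.bind.           0       CH      TXT     "dnsmasq-pi-hole-v2.89"'

SAMPLE_SUPPRESSED='; <<>> DiG 9.18.1 <<>> @localhost version.bind txt chaos
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;version.bind.                  CH      TXT'

# Demo against a scratch directory instead of the live /etc/dnsmasq.d/
demo_dir=$(mktemp -d)
write_no_ident_conf "$demo_dir"
has_no_ident "$demo_dir" && echo "no-ident present in $demo_dir"
leaks_version "$SAMPLE_LEAK" && echo "leak: $(chaos_txt_answer "$SAMPLE_LEAK")"
leaks_version "$SAMPLE_SUPPRESSED" || echo "no version string in answer"
rm -rf "$demo_dir"
```

To audit a running resolver, feed the real output of `dig @localhost version.bind txt chaos` (and the same for version.FTL) to `leaks_version`; remember that, as the EDIT above notes, an empty answer can also mean the special name was blocked by an adlist rather than suppressed by no-ident, so check `has_no_ident` on the drop-in directory as well before concluding the option is in effect.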