BIND Version check

Michael Bryan bind at ursine.com
Tue Jun 20 17:43:08 UTC 2000



Daniel Norton wrote:
> 
> By revealing the version number, you also reveal the set of
> vulnerabilities of the server.  If your server is visible to the
> Internet, you should disable this reporting by adding these lines to
> your named.conf file (without the =====):

Using the "version" option in named.conf is much easier than what you
propose.  It doesn't allow local queries of the version number, but
presumably you already know the version of your BIND, or can at least
find it by using "strings named" or checking your logs, if you really
want to hide the version number.

But that being said, hiding the version number does very little to
protect you, as it's another form of Security By Obscurity, and does
not address any real security issues that might exist in BIND.  I
would place much more importance on keeping BIND up to date, running
it as non-root in a chroot environment, and using any appropriate
access controls for queries to your nameserver.  Hiding your version
number might slow down a stupid or lazy hacker, but won't even make
a good one blink --- if they're interested in your system, they'll
just run a suite of exploits against your server no matter what
version it reports.  If you've taken all other precautions while using
BIND, the chance of significant damage from a previously unknown BIND
exploit is greatly minimized.  Hiding the version number is the absolute
least important thing to do when trying to secure a nameserver, IMO.

Also, an unfortunate truth is that a -lot- of admins will gain a false
sense of security by hiding their version number, feeling that they've
somehow protected themselves, and in the worst cases might even delay
applying security fixes because of this.  I don't think they're -good-
admins, but I have heard more than one person say "My sendmail/BIND/FTP
server does not report its version number anymore, so hackers won't be
able to tell I have a version that's vulnerable to this exploit."

Finally, I note that all of the root/gtld nameservers currently report
their version number.  The people running them apparently feel that it's
ok to report the version number, and if doing so caused any of them problems,
it's a pretty fair bet that they'd drop doing so immediately.

If you want to disable it, go ahead, but don't get caught in the trap of
thinking it's buying you much at all.
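As an added example that is not part of the original post, here is an options block for named.conf that sets the "version" option the poster refers to, next to the query access controls he ranks far above it. The ACL names, addresses, directory and version string are assumptions chosen for illustration, not values from the thread.

```conf
// Added example for named.conf (not from the original post).
// ACL names, addresses, directory and the version string are assumptions.
acl "internal"    { 127.0.0.1; 192.0.2.0/24; };   // assumed local clients
acl "secondaries" { 198.51.100.5; };              // assumed secondary nameserver

options {
    directory "/var/named";            // assumed; relative to the jail if named runs chrooted

    // The cheap part: CHAOS TXT queries for version.bind get this string
    // instead of the real BIND version. Obscurity only; it fixes nothing in named.
    version "not disclosed";

    // The part that actually limits exposure.
    allow-query     { any; };           // authoritative data is public anyway
    allow-recursion { "internal"; };    // recursion only for our own clients
    allow-transfer  { "secondaries"; }; // zone transfers only to our secondaries
};
```

After a reload, check from outside with `dig @ns.example.com version.bind txt chaos` (ns.example.com is an assumed hostname); the TXT answer should carry the configured string rather than the real version, and a query from a non-internal address should be refused recursion. The non-root and chroot items on the poster's list are not named.conf options but the `-u user` and `-t directory` flags given to named at startup.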


