BIND Version check

Michael Bryan bind at ursine.com
Tue Jun 20 20:23:57 UTC 2000



Daniel Norton wrote:
> 
> Upgrading to the latest works fine until vulnerabilities for that
> version are known.  Once the vulnerabilities are known, there is an open
> window until you fix them.

True.  Which is why security-based lists must be monitored, and accessible
servers need to be hardened so as to minimize the damage that can be done if
somebody does break in through a new exploit.

> Don't allow the window by not allowing the version of your server to be known.

Which is exactly the fallacious (and dangerous) line of reasoning I was talking
about earlier.  Obscuring the version does -not- prevent the window of 
vulnerability from occurring.  Anybody who assumes it does is asking to wake up
some morning with a rude surprise waiting for them.


