BIND Version check

Kevin Darcy kcd at daimlerchrysler.com
Fri Jun 23 21:31:54 UTC 2000


Barry Finkel wrote:

> Daniel Norton wrote:
>
> >On 20 Jun 2000 17:29:04 -0700, "Tony Grace" <tony at grace.net.au> wrote:
> >>CERT
> >>and in Australia AUSCERT have security papers with recommendations on hiding
> >>BIND version numbers.
> >
> >Here's another bennie: I just now caught a hacker, thanks to
> >"allow-query { localhost ;}" on "version.named".  Of course, he was
> >coming in from a freshly hacked system, so I don't know originally
> >whence he came, but he stopped using that system to hack others, anyway.
> >He was doing precisely what I expected a hacker might do, by looking at
> >version.named.
>
> I am not sure I understand this posting.  Daniel, are you stating that
> you caught the hacker because you changed/hid the BIND version, or are
> you saying that you caught the hacker because the BIND version was
> accessible?  I can read your posting either way.

Hmmm... allow-query { localhost; }; is not what I'd call "accessible". I think
the posting can be reasonably read only one way in that regard.

I will point out, however, that hiding the version number didn't really keep the
hacker out in this instance. All it did was cause the version-probing attempt to
be logged in a more conspicuous way. Running a continuous "grep" on your query
log could accomplish essentially the same thing...


- Kevin
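The "continuous grep on your query log" that Kevin mentions, worked through as an added example that is not part of the original thread: a small Python filter over constructed BIND 9-style query-log lines (the log line format, the client addresses and the counts are assumptions) that flags CHAOS-class TXT queries for version.bind or version.named coming from any client other than loopback, which is exactly the traffic the allow-query { localhost; }; trick causes to stand out.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log style (assumed format, not from the thread):
# client <ip>#<port>: query: <name> <class> <type> <flags> (<server-ip>)
SAMPLE_LOG = """\
client 127.0.0.1#40001: query: version.bind CH TXT + (127.0.0.1)
client 203.0.113.7#53412: query: version.bind CH TXT + (192.0.2.10)
client 203.0.113.7#53413: query: VERSION.BIND CH TXT + (192.0.2.10)
client 198.51.100.2#51000: query: www.example.com IN A + (192.0.2.10)
client 203.0.113.9#44000: query: version.named CH TXT - (192.0.2.10)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)

# Names a version probe asks for: the standard CHAOS name and the one used in the thread.
VERSION_NAMES = {"version.bind", "version.named"}


def parse_query_line(line):
    """Return (client_ip, qname, qclass, qtype) for one query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m["ip"], m["name"].rstrip(".").lower(), m["class"].upper(), m["type"].upper()


def is_version_probe(parsed):
    """True for a CHAOS-class TXT query for version.bind/version.named from a non-loopback client."""
    ip, name, qclass, qtype = parsed
    return (qclass == "CH" and qtype == "TXT" and name in VERSION_NAMES
            and not ipaddress.ip_address(ip).is_loopback)


def find_version_probes(log_text):
    """Count version probes per remote client, the 'continuous grep' done in code."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed and is_version_probe(parsed):
            hits[parsed[0]] += 1
    return hits


if __name__ == "__main__":
    for ip, n in find_version_probes(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} version probe(s)")
```

On the constructed sample this reports two probes from 203.0.113.7 and one from 203.0.113.9, and ignores the loopback query and the ordinary IN A lookup.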
