DNS version

Barry Finkel b19141 at achilles.ctd.anl.gov
Tue Feb 4 14:45:46 UTC 2003


"David Botham" <dns at botham.net> replied to a posting:

>It is important to note that if this query works, you should probably
>change what bind reports via this query with the "version" option in
>named.conf.  As a general rule, you don't want to leak this type of
>information to the general public.

I cannot let this statement go unchallenged.  Others have posted
previously that there is no reason for this information to remain
private; I agree with those persons.  This falls into the category of
"security by obscurity", which is not security.  If I were a hacker
looking for a DNS server to attack, what would I do?

a) query the server and look at the response:
   1) "none of your business"
      Is the DNS administrator trying to hide the fact that he/she is
           running a vulnerable version of BIND?
      Is the DNS administrator running a good version of BIND?
   2) "BIND 8.x.x"
      Is this really 8.x.x, which is vulnerable?
      Has the DNS administrator given me a fake string, so that I will
           waste my time trying to hack a non-hackable version?
   3) "BIND 9.2.1"
      Is this really 9.2.1? 
      Is it vulnerable, and the DNS administrator wants me to
           believe that it is not?

b) Try my penetration scripts on the DNS server anyway without wasting
   time on checking the version.  If the scripts succeed, then I have
   found a vulnerable DNS server.  If not, then I can proceed to try
   to attack another DNS server.

I think a hacker would choose option b), as it is the quickest.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994



More information about the bind-users mailing list