DNS version

Simon Waters Simon at wretched.demon.co.uk
Tue Feb 4 18:13:11 UTC 2003



Bill Manning wrote:
> right/wrong? depends in some degree on who is asking the question.
> the presumption that all version requests are from attackers is
> false.

So I didn't presume it - see the paragraph before the one you
quoted.

> 	version identification does help track code diffusion, which can
> 	be useful in determining the overall health of the system.

A good point; it also gives you another criterion to assess the
health of your parent domains.

However, your assessing the overall health of the system
doesn't necessarily result in my service being more secure. The
DNS has been a mess for years; one more survey is not going to
fix it.

> remember, the DNS is a public database. if it can be queried
> it will be. If you're that paranoid, retreating into your
> walled garden might be the best thing.

The issue is not if it is queried, but the risk and course of a
compromise of the DNS server. For many Internet based business
loss of control of their DNS could be very unpleasant.

The issue extends well beyond DNS: most mail and web servers
freely disclose identity and version, and most also disclose host
operating system and other information that falls into the same
class, which is why many security policies just say "don't
disclose such information".

The point was made that it isn't a security measure. Well, I happen
to think that it does enhance security in some clearly defined
ways. Thus some people will choose to use it because they value
those gains over the other benefits available by making the
version public.

In terms of available measures to harden a BIND server I think
it is pretty insignificant, but it is also easy to do.

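The hardening step the author calls easy, shown as an added example that is not part of the original post or of BIND itself: a BIND 9 `options` setting that replaces the real version string in answers to `version.bind` CHAOS queries, plus a small POSIX shell check that runs `dig` against a server and reports whether the answer still looks like a real version number. Assumptions: BIND 9 `named.conf` syntax, the `dig` tool from the BIND distribution, a hypothetical config path of `/etc/named.conf`, and the constructed placeholder text "not disclosed".

```shell
#!/bin/sh
# Added example, not from the original post.
#
# 1. named.conf fragment (hypothetical path /etc/named.conf).
#    Without a "version" option, named answers version.bind/CH/TXT
#    with its real version string; with it, the string below is returned.
#
#    options {
#        version "not disclosed";   # constructed placeholder text
#    };
#
# 2. Query to verify the change after reloading named:
#    dig @127.0.0.1 version.bind txt chaos +short

# Return 0 (true) when the +short answer to a version.bind query
# contains a dotted number such as 9.2.1, i.e. the server still
# discloses something that looks like a real version; 1 otherwise.
discloses_version() {
    case "$1" in
        *[0-9].[0-9]*) return 0 ;;   # dotted digits: looks like a version
        *) return 1 ;;               # placeholder, empty or refused answer
    esac
}

# Query one server and print a one-line verdict.
# $1 = server address or hostname
check_server() {
    answer=$(dig @"$1" version.bind txt chaos +short 2>/dev/null | tr -d '"')
    if discloses_version "$answer"; then
        echo "$1 discloses version: $answer"
        return 0
    else
        echo "$1 hides version (answer: ${answer:-none})"
        return 1
    fi
}

# Usage: sh check_version.sh ns.example.net
if [ "$#" -gt 0 ]; then
    check_server "$1"
fi
```

Run it against your own servers after a reload; a "hides version" verdict for every one of them is the expected result. The same `options` block in BIND 9 also accepts `hostname` and `server-id` settings, which control the related `hostname.bind` and `id.server` CHAOS answers.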


More information about the bind-users mailing list