Blocking version information

James Philpott jamesp at metainfo.com
Fri Jun 17 23:51:04 UTC 2005


Peter Dambier wrote:
> 
> Pax Dickinson wrote:
> | Hi all,
> |
> | I'm working on a script to update BIND 8 named.conf files to BIND 9, and
> | I'm wondering if using a
> |
> | version "None of your business.";
> 
> This is done often.
> 
> |
> | option in our named.conf would violate any DNS RFCs?  A quick skim makes
> | it appear to me that it wouldn't, but I need to be sure.
> 
> It does not directly break anything.
> 
> Indirectly it breaks debugging. As long as nobody complains about your servers
> in his lame-server-log I don't see a problem.
> 
> If I was running a public DNS-resolver as ISPs do and if I was annoyed with
> your servers appearing in my log, then I would use dig to debug.
> 
> Seeing your version I might be tempted to add a zone file to my resolver:
> 
> lame-servers.com.    SOA   here.my-server.com. me.my-server.com. ...
> lame-servers.com.    NS    here.my-server.com.
> lame-servers.com.    A     127.0.0.1
> *.lame-servers.com.  A     127.0.0.1
> 
> It would definitely solve my problem.
> 
> I am analysing log files on nameservers. I did not see any problems with DNS.
> But I did see problems with other services and I did solve them.
> 
> What does your server do? Publish DNS information about your company to the
> outside or resolve and cache for the inside?
> 
> If it is a resolver for the inside then don't worry, you will not harm anybody
> keeping your bind version a secret.
> 
> If it delivers information to the outside I would not hide this information
> nor would I disable axfr queries.
> 
> If it does both then you do have a security problem. Get another server for
> the inside. Hide it behind a firewall. Hide its version if you like. Let
> nobody see it from the outside.
> 
> Don't let your nameserver for the outside cache any information. Then you
> should be ok.
> 
> |
> | Thanks,
> | Pax Dickinson
> |
> 
> Regards,
> Peter and Karin Dambier
> 
> - --
> Peter and Karin Dambier
> Public-Root
> Graeffstrasse 14
> D-64646 Heppenheim
> +49-6252-671788 (Telekom)
> +49-6252-599091 (O2 Genion)
> +1-360-226-6583-9738 (INAIC)
> mail: peter at peter-dambier.de
> http://iason.site.voila.fr
> http://www.kokoom.com/iason
> 
> 

The RDATA character-string can be up to 255 characters (one additional 
character, you don't set yourself, for length bringing it to the 256 
character RDATA limit) and can contain numbers, letters and hyphens; and 
when placed in quotes any character can be used other than " which must 
be preceded by a \ (escape character).

As of RFC 1035:
<character-string> is a single length octet followed by that number of 
characters.  <character-string> is treated as binary information, and 
can be up to 256 characters in length (including the length octet).

Also from RFC 1035:
<character-string> is expressed in one or two ways: as a contiguous set
of characters without interior spaces, or as a string beginning with a "
and ending with a ".  Inside a " delimited string any character can
occur, except for a " itself, which must be quoted using \ (back slash).

There should be no problems associated with hiding the version 
information on your DNS server in BIND 9 or BIND 8 by the use of the 
global options statement "version". The version is widely obfuscated by 
the use of this option when an administrator does not want the world 
or their internal users to be able to see the version of BIND being 
used.

Most DNS server administrators would prefer to not give a network user 
with malicious intentions any extra information they might use as an 
opportunity to cause your DNS server harm. There are no current security 
issues with BIND. However, if the particular version of BIND you are 
running is determined to have vulnerabilities in the future you would 
rather not give a malicious network user a leg up in their desire to 
exploit that vulnerability.

-- 

Take Care,
James Philpott
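
An added example, not part of the original message and not BIND's own parser: a Python check that a conversion script could run on a candidate `version` value, applying the RFC 1035 <character-string> rules quoted above (quoting, the \" escape, the 255-octet limit) and producing the length-prefixed wire form. The function names are assumptions; the \DDD decimal escape comes from RFC 1035 section 5.1 and is not mentioned in the message.

```python
MAX_DATA = 255  # a single length octet cannot count more than 255 data octets


def parse_character_string(text: str) -> bytes:
    """Decode the RFC 1035 text form of <character-string> to its data octets."""
    quoted = text.startswith('"')
    body = text[1:] if quoted else text
    out = bytearray()
    closed = not quoted          # an unquoted string needs no closing quote
    i = 0
    while i < len(body):
        ch = body[i]
        if closed and quoted:
            raise ValueError('unescaped " inside quoted string')
        if ch == "\\":
            digits = body[i + 1:i + 4]
            if len(digits) == 3 and digits.isascii() and digits.isdigit():
                if int(digits) > 255:
                    raise ValueError("\\DDD escape above 255")
                out.append(int(digits))             # \DDD: octet given in decimal
                i += 4
            elif i + 1 < len(body):
                out += body[i + 1].encode("utf-8")  # \X: X taken literally
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == '"':
            if not quoted:
                raise ValueError('" not allowed in an unquoted string')
            closed = True                           # must be the final character
            i += 1
        elif ch.isspace() and not quoted:
            raise ValueError("interior space requires quoting")
        else:
            out += ch.encode("utf-8")
            i += 1
    if not closed:
        raise ValueError("missing closing quote")
    if len(out) > MAX_DATA:
        raise ValueError(f"{len(out)} octets exceeds the {MAX_DATA}-octet limit")
    return bytes(out)


def to_wire(text: str) -> bytes:
    """Wire form: one length octet followed by that many data octets."""
    data = parse_character_string(text)
    return bytes([len(data)]) + data


if __name__ == "__main__":
    # Input taken from the version string proposed earlier in the thread.
    print(to_wire('"None of your business."'))
```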


