Blocking version information
James Philpott
jamesp at metainfo.com
Sat Jun 18 17:51:20 UTC 2005
Pete Ehlke wrote:
> On Fri Jun 17, 2005 at 16:51:04 -0700, James Philpott wrote:
>
>>There should be no problems associated with hiding the version
>>information on your DNS server in BIND 9 or BIND 8 by the use of the
>>global options statement "version". Version is widely obfuscated by
>>the use of this option when an administrator does not want the world
>>or their internal users to be able to see the version of BIND being
>>used.
>>
>
> Changing the string reported via the version statement- or changing it
> in the source- does little to nothing to keep world+dog from discovering
> what name server you are running. People do this, thinking they are
> 'hiding' their version. They are wrong.
>
> -Pete
>
>
Pete is absolutely correct; there are many ways to discover what version
of DNS you are running. I think Pete is pointing out that it is not good
security to rely on this as a form of security.

I still would not purposefully publish my BIND version so a casual user
can grok it at will. I choose to obfuscate it where I can.

And I'm using the verb "to obfuscate" in the following sense - "2. To
render indistinct or dim; darken: The fog obfuscated the shore."

Better than publishing potential (very slight potential) vulnerabilities,
I choose to "obfuscate" them as much as I can.
- James Philpott
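
Added example (not part of the original message or of BIND): the string set by the "version" option is what a server returns for a TXT query for version.bind in the CHAOS class, and this sketch builds that query and parses the reply so an administrator can confirm what their own server discloses. The helper names and the sample version strings are constructed for illustration.

```python
import struct

QNAME = b"\x07version\x04bind\x00"   # version.bind in DNS wire format
TYPE_TXT, CLASS_CH = 16, 3           # TXT record type, CHAOS class

def build_query(qid: int) -> bytes:
    """DNS query message asking for version.bind CH TXT."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + QNAME + struct.pack("!HH", TYPE_TXT, CLASS_CH)

def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def parse_version(msg: bytes):
    """Return the TXT string of the first answer, or None if nothing is disclosed."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0 or an == 0:   # non-zero RCODE (e.g. REFUSED) or no answer
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    off = skip_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != TYPE_TXT or rclass != CLASS_CH:
        return None
    txt_len = msg[off]                   # TXT rdata is a length-prefixed string
    return msg[off + 1: off + 1 + txt_len].decode("ascii", "replace")

def constructed_response(qid: int, text: str) -> bytes:
    """Constructed sample reply carrying `text` as the version string."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = QNAME + struct.pack("!HH", TYPE_TXT, CLASS_CH)
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    # Constructed strings: a default-style reply and one with "version" overridden.
    for text in ("9.0.0-sample", "not disclosed"):
        print(parse_version(constructed_response(0x1234, text)))
```

This confirms only what the "version" statement controls; it says nothing about the other ways of identifying a name server that the thread refers to.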
More information about the bind-users mailing list