Blocking version information

Brad Knowles brad at stop.mail-abuse.org
Sun Jun 19 02:31:45 UTC 2005


At 10:51 AM -0700 2005-06-18, James Philpott wrote:

>  Pete is absolutely correct, there are many ways to discover what version
>  of DNS you are running. I think Pete is pointing out that it is not good
>  security to rely on this as a form of security.

	Relying on security-through-obscurity is a bad thing, agreed.

>  I still would not purposefully publish my BIND version so a casual user
>  can grok it at will. I choose to obfuscate it where I can.

	This is something that people need to carefully think about and 
not just automatically do.  The issue is that knowing the real 
version being used can help greatly reduce the size of the problem 
set when you're trying to do debugging.  If you're running an old 
version and you run into problems, many people will tell you to 
upgrade and come back if you still have them.  Many times there are 
known issues with the older code and you may be experiencing an old 
bug.

	But if you don't know what version you're running, that makes 
problem solving much more complex.


	Certainly, you probably don't want to try to hide the version 
information from your co-workers who may need to report DNS problems 
to you, or who may need to try to fix DNS problems on their own.  You 
probably don't want to try to hide this version information from your 
legitimate customers, in case they have a DNS problem or have some 
other problem whose underlying cause is a DNS problem.

	Then there is the issue of your knowing full well what you're 
currently running, but you get hit by a bus and your co-workers 
don't, and they don't know how to find out.  Or you decide to leave 
(for whatever reason), and the people who take over don't know what 
you're running.

	Not knowing the version number, and not having a quick and easy 
way to find out what the version number is, ends up creating a real 
support nightmare.


	How many times have people asked questions on this 
list/newsgroup, only to be told that we need to know the real 
host/domain names in question, and the real version information, 
before we can help them do debugging?


	I think the only issue is how you can hide this information from 
miscreants who might try to abuse it, without causing undue 
difficulties elsewhere.  Given how easy it is to "fingerprint" a 
server and find out what version they're really running (as opposed 
to what they claim to run), and the prevalence of these types of 
tools amongst the "black hat" community, I strongly believe that it 
is almost always a mistake to do this kind of obfuscation.

>  Rather than publish potential (very slight potential) vulnerabilities,
>  I choose to "obfuscate" them as much as I can.

	IME, obfuscation of this sort almost always causes more problems 
than it solves, and doesn't really help you against the bad guys 
anyway.  It's better to have this information be accurate and keep 
up-to-date on the software that you're running.

	Anything else is just asking for trouble.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
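The information the thread is arguing over is whatever the server returns for the CHAOS-class TXT record version.bind, which is what `dig @server version.bind chaos txt` asks for and what the `version "..."` setting in the options block of named.conf overrides. The script below is an added example, not code from this thread or from BIND: it builds that query by hand, parses the reply (including RFC 1035 name compression), and can be pointed at a live server over UDP. The two sample replies it ships with (one reporting the real version string "9.3.1", one reporting an obfuscated string) are constructed inline so the parser can be exercised offline; the version strings, transaction id and server name are assumptions for the demonstration.

```python
"""Fetch and decode a name server's self-reported version (version.bind CH TXT).

Added example for the bind-users thread above; not part of BIND itself.
"""
import socket
import struct
import sys

QTYPE_TXT = 16   # RFC 1035 TXT
QCLASS_CH = 3    # CHAOS class, where version.bind lives


def build_version_query(txid: int = 0x1234) -> bytes:
    """Raw DNS query for version.bind. TXT CH; flags are 0 (RD is irrelevant for CHAOS)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in (b"version", b"bind")) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the stream)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF, True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_version_response(msg: bytes, expected_txid: int = 0x1234) -> dict:
    """Return {'rcode': int, 'version': [txt strings]} from a raw reply to build_version_query()."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: possible stray or spoofed reply")
    offset = 12
    for _ in range(qdcount):                             # skip echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    texts = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            pos = 0
            while pos < len(rdata):                      # TXT rdata is a run of <len><chars>
                slen = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return {"rcode": flags & 0x000F, "version": texts}


def query_version(server: str, timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Send the query over UDP/53 to a live server and decode the answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(txid), (server, 53))
        reply, _ = sock.recvfrom(512)
    return parse_version_response(reply, txid)


def sample_response(txt: str, txid: int = 0x1234) -> bytes:
    """Constructed sample reply: one authoritative CH TXT answer carrying `txt` (assumed value)."""
    header = struct.pack(">HHHHHH", txid, 0x8400, 1, 1, 0, 0)        # QR=1, AA=1, NOERROR
    question = b"\x07version\x04bind\x00" + struct.pack(">HH", QTYPE_TXT, QCLASS_CH)
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer                      # \xc0\x0c points back at the qname


if __name__ == "__main__":
    # Offline demo: a server with the default setting versus one with version "not disclosed";
    for txt in ("9.3.1", "not disclosed"):
        print(parse_version_response(sample_response(txt)))
    if len(sys.argv) > 1:                                  # live check against a server you operate
        print(query_version(sys.argv[1]))
```

Run it with no arguments to see both constructed replies decoded, or with the address of a server you are responsible for to see what it actually reports. The transaction-id check is there for the same reason it matters in any DNS client: without it a stray or spoofed datagram would be decoded as the answer.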
