Blocking version information
Brad Knowles
brad at stop.mail-abuse.org
Sun Jun 19 02:31:45 UTC 2005
At 10:51 AM -0700 2005-06-18, James Philpott wrote:

> Pete is absolutely correct, there are many ways to discover what version
> of DNS you are running. I think Pete is pointing out that it is not good
> security to rely on this as a form of security.

Relying on security-through-obscurity is a bad thing, agreed.

> I still would not purposefully publish my BIND version so a casual user
> can grok it at will. I choose to obfuscate it where I can.

This is something that people need to carefully think about and
not just automatically do. The issue is that knowing the real
version being used can help greatly reduce the size of the problem
set when you're trying to do debugging. If you're running an old
version and you run into problems, many people will tell you to
upgrade and come back if you still have them. Many times there are
known issues with the older code and you may be experiencing an old
bug.

But if you don't know what version you're running, that makes
problem solving much more complex.

Certainly, you probably don't want to try to hide the version
information from your co-workers who may need to report DNS problems
to you, or who may need to try to fix DNS problems on their own. You
probably don't want to try to hide this version information from your
legitimate customers, in case they have a DNS problem or have some
other problem whose underlying cause is a DNS problem.

Then there is the issue of your knowing full well what you're
currently running, but you get hit by a bus and your co-workers
don't, and they don't know how to find out. Or you decide to leave
(for whatever reason), and the people who take over don't know what
you're running.

Not knowing the version number, and not having a quick and easy
way to find out what the version number is, ends up creating a real
support nightmare.

How many times have people asked questions on this
list/newsgroup, only to be told that we need to know the real
host/domain names in question, and the real version information,
before we can help them do debugging?

I think the only issue is how can you hide this information from
miscreants who might try to abuse it, without causing undue
difficulties elsewhere. Given how easy it is to "fingerprint" a
server and find out what version they're really running (as opposed
to what they claim to run), and the prevalence of these types of
tools amongst the "black hat" community, I strongly believe that it
is almost always a mistake to do this kind of obfuscation.

> Better than publish a potential (very slight potential) vulnerabilities
> I choose to "obfuscate" them as much as I can.

IME, obfuscation of this sort almost always causes more problems
than it solves, and doesn't really help you against the bad guys
anyway. It's better to have this information be accurate and keep
up-to-date on the software that you're running.

Anything else is just asking for trouble.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
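As an added example, not part of the post above: a small standard-library Python helper that asks a name server what it returns for the version.bind CHAOS TXT record (the record BIND's `version` option controls) and classifies the answer, so an operator can check what their own servers actually advertise before deciding whether to publish or withhold it. The server address given to query_version is a placeholder; the wire format is real DNS.

```python
import os, socket, struct
TXT, CH = 16, 3                                   # RR type TXT, class CHAOS
QNAME = b"\x07version\x04bind\x00"                # "version.bind" in wire format

def build_version_query(txid=None):
    """The CH/TXT query for version.bind, i.e. what 'dig version.bind chaos txt' sends."""
    txid = int.from_bytes(os.urandom(2), "big") if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query, no RD
    return header + QNAME + struct.pack("!HH", TXT, CH)

def skip_name(buf, off):
    """Advance past a (possibly compressed) name starting at offset off."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:   # walk ordinary labels
        off += 1 + buf[off]
    return off + (2 if buf[off] else 1)           # pointer is 2 bytes, root label is 1

def parse_txt_answer(resp):
    """Return (rcode, TXT strings) from a response to the query above."""
    flags, qd, an = struct.unpack("!HHH", resp[2:8])
    rcode, off, texts = flags & 0xF, 12, []
    for _ in range(qd):                           # skip the echoed question
        off = skip_name(resp, off) + 4
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off, i = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen, 0
        while rtype == TXT and rclass == CH and i < len(rdata):
            texts.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
            i += 1 + rdata[i]                     # TXT rdata: <len><chars> repeated
    return rcode, texts

def classify(rcode, texts):
    """Summarise what a server advertises: refused, withheld, or a published string."""
    if rcode == 5:
        return "refused"                          # REFUSED: no CH queries answered at all
    if rcode != 0 or not texts:
        return "withheld"                         # NXDOMAIN / empty: version not published
    return "published: " + " ".join(texts)

def query_version(server, timeout=3.0):
    """Ask one of your own servers over UDP and classify what it says about itself."""
    q = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))                # placeholder target: your own server
        resp, _ = s.recvfrom(512)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return classify(*parse_txt_answer(resp))
```

A "published: 9.x.y" result is the case the thread is debating; "withheld" is what a custom `version` string or an empty answer looks like from the outside.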