Blocking version information

Vinny Abello vinny at tellurian.com
Sun Jun 19 04:34:03 UTC 2005


At 10:31 PM 6/18/2005, Brad Knowles wrote:
>At 10:51 AM -0700 2005-06-18, James Philpott wrote:
>
> >  Pete is absolutely correct, there are many ways to discover what version
> >  of DNS you are running. I think Pete is pointing out that it is not good
> >  security to rely on this as a form of security.
>
>         Relying on security-through-obscurity is a bad thing, agreed.
>
> >  I still would not purposefully publish my BIND version so a casual user
> >  can grok it at will. I choose to obfuscate it where I can.
>
>         This is something that people need to carefully think about and
>not just automatically do.  The issue is that knowing the real
>version being used can help greatly reduce the size of the problem
>set when you're trying to do debugging.  If you're running an old
>version and you run into problems, many people will tell you to
>upgrade and come back if you still have them.  Many times there are
>known issues with the older code and you may be experiencing an old
>bug.
>
>         But if you don't know what version you're running, that makes
>problem solving much more complex.

Why wouldn't you know the version of BIND you setup?

>         Certainly, you probably don't want to try to hide the version
>information from your co-workers who may need to report DNS problems
>to you, or who may need to try to fix DNS problems on their own.  You
>probably don't want to try to hide this version information from your
>legitimate customers, in case they have a DNS problem or have some
>other problem whose underlying cause is a DNS problem.

If they're reporting this to you, you already know the version 
running on the server in question.

>         Then there is the issue of your knowing full well what you're
>currently running, but you get hit by a bus and your co-workers
>don't, and they don't know how to find out.  Or you decide to leave
>(for whatever reason), and the people who take over don't know what
>you're running.

What's so hard about "named -v"?

>         Not knowing the version number, and not having a quick and easy
>way to find out what the version number is, ends up creating a real
>support nightmare.

Why should someone without control of the DNS server need to know the 
version that's running? I just do see the reasoning. If they need to 
know that bad, they can contact the admin who can choose to disclose it or not.

>         How many times have people asked questions on this
>list/newsgroup, only to be told that we need to know the real
>host/domain names in question, and the real version information,
>before we can help them do debugging?

Sure, that's different though... They should be reporting this 
information when asking for help. The server doesn't necessarily need 
to give this info up on it's own to everyone who is curious.

>         I think the only issue is how can you hide this information from
>miscreants who might try to abuse it, without causing undue
>difficulties elsewhere.  Given how easy it is to "fingerprint" a
>server and find out what version they're really running (as opposed
>to what they claim to run), and the prevalence of these types of
>tools amongst the "black hat" community, I strongly believe that it
>is almost always a mistake to do this kind of obfuscation.

Sure, but if someone is skilled enough to fingerprint the name 
server, then they deserve to know what it's running. A casual utility 
or user won't be able to do that too easily. Apart from major 
version, I doubt you can finger print a release down to a point 
release. Feel free to prove me wrong. I'd be interested in how it works.

> >  Better than publish a potential (very slight potential) vulnerabilities
> >  I choose to "obfuscate" them as much as I can.
>
>         IME, obfuscation of this sort almost always causes more problems
>than it solves, and doesn't really help you against the bad guys
>anyway.  It's better to have this information be accurate and keep
>up-to-date on the software that you're running.
>
>         Anything else is just asking for trouble.

I tend to disagree, but that's my opinion. Likewise in Apache I tend 
to turn off all identifying headers of the version number or included 
modules on a production server. There is no need for the public to 
know that. It's there to serve web pages, or in the case of BIND, DNS 
records. It doesn't need to serve up it's own software versioning.

Again, this is just my opinion and you are entitled to yours which I 
respect. I'm not saying you're wrong. I'm just saying this because 
these types of simple differences in points of view always seem to 
escalate far beyond what anyone intended in public forums so everyone 
is welcomed to do what they wish. I'm just sharing my own opinions 
which suite me fine. :)



Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of 
fear" -- Mark Twain



More information about the bind-users mailing list