Blocking version information

Brad Knowles brad at stop.mail-abuse.org
Sun Jun 19 05:38:52 UTC 2005


At 12:34 AM -0400 2005-06-19, Vinny Abello wrote:

>>          But if you don't know what version you're running, that makes
>>problem solving much more complex.
>
>  Why wouldn't you know the version of BIND you setup?

	Do you remember every single thing you've ever done in your entire life?

	Have you ever inherited a server that someone else set up?

	Have you ever had a problem on another machine that you don't 
normally administer, but the person who does is out of the office so 
it's left up to you to try to fix?


	In many cases, the best kind of system documentation is that 
which the system provides itself, and does not require the admin to 
remember, know, write down, or update.  It just happens automatically.

	Software version information is a good example of that type of 
documentation.

>  If they're reporting this to you, you already know the version running
>  on the server in question.

	Maybe.

	More importantly, when others on this mailing list/newsgroup are 
helping your customers debug their problems while they're on-hold 
waiting for your helpdesk to answer the phone, it is very useful for 
those people to be able to remotely determine this information.

>  What's so hard about "named -v"?

	That's assuming you have command-line access to the server in 
question.  That's assuming that named hasn't been locked off so that 
you have to have privileged access to that server, so that you can 
run named at all.

>  Why should someone without control of the DNS server need to know the
>  version that's running? I just do see the reasoning. If they need to
>  know that bad, they can contact the admin who can choose to disclose
>  it or not.

	I guess you haven't been on this mailing list/newsgroup for long. 
Whenever someone reports problems to this list/group and I respond, 
one of the first questions I ask is "what version are you using?" 
Most other old-timers on this list/group tend to do the same sort of 
thing.

	If you're on the receiving end and in a panic trying to get your 
DNS problems resolved and you can't tell what version you're running, 
then you're unlikely to be able to get any further in debugging the 
problems.


	If your provider doesn't allow you to access this kind of 
information, that's a good reason to consider going somewhere else. 
Maybe not as bad as not doing reverse DNS for you or not doing 
reverse DNS at all, but still pretty bad news.

	On the flip side, if you're a provider and you don't allow your 
customers to access this information, now you know a good reason why 
you may be losing them.

>  Sure, that's different though... They should be reporting this
>  information when asking for help. The server doesn't necessarily need
>  to give this info up on its own to everyone who is curious.

	Maybe.  If you can know, a priori, precisely who should be 
allowed to ask these questions and get answers to them, then you can 
safely decide to block that information for everyone else.

>  Sure, but if someone is skilled enough to fingerprint the name server,
>  then they deserve to know what it's running.

	So, your customers who pay you for service and are having a 
problem don't deserve to know this information, but any black hat who 
might want to try to break into your machines does?  Can you explain 
that to me?

>                                                A casual utility or user
>  won't be able to do that too easily. Apart from major version, I doubt
>  you can finger print a release down to a point release. Feel free to
>  prove me wrong. I'd be interested in how it works.

	Try out fpdns.pl.  In many cases, it can get you down to a 
specific point release.  It takes knowledge of the source code in 
question, and how specific versions react differently to different 
types of queries, but it does work.

>  Again, this is just my opinion and you are entitled to yours which I
>  respect.

	In this case, I'm stating a policy that I believe would be good 
for others to follow, even if they don't necessarily know why.  The 
kind of Best Current Practice that you might find in an IETF RFC or 
other type of standards document, etc....

	If people choose to ignore that recommendation, there's not much 
I can do to help them.  But I can help to set that standard.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
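Added example, not code from the post above or from BIND itself: the remote lookup the thread is arguing over is a TXT query for the name version.bind in the CHAOS class, which is what `dig @server version.bind txt chaos` sends. The query is built and the reply parsed by hand so the round trip can be exercised offline against a constructed answer; the function names, the constructed answers and the sample version string are assumptions of this example, not captured from any real server.

```python
"""Ask a name server what version it claims to be (version.bind, TXT, CHAOS).

Added example for the bind-users thread on blocking version information;
not the post author's code and not BIND's. Wire format per RFC 1035.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3          # CHAOS class, where BIND serves version.bind
DEFAULT_TXID = 0x1234  # arbitrary transaction id for this example


def build_query(name="version.bind", txid=DEFAULT_TXID):
    """Return the wire bytes of a recursion-desired TXT/CH query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _read_name(buf, off, max_hops=16):
    """Decode a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:                    # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln


def parse_version(resp, txid=DEFAULT_TXID):
    """Return the TXT string from a version.bind answer, or None if the server refused."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0xF != 0:          # RCODE != NOERROR (e.g. REFUSED): nothing disclosed
        return None
    off = 12
    for _ in range(qd):           # skip the echoed question section
        _, off = _read_name(resp, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata, off = resp[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            parts, p = [], 0
            while p < len(rdata):                  # TXT rdata: <len><chars> ...
                l = rdata[p]
                parts.append(rdata[p + 1:p + 1 + l].decode("ascii", "replace"))
                p += 1 + l
            return "".join(parts)
    return None


def query_version(server, port=53, timeout=3.0):
    """Live UDP query against `server`; returns the claimed version or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(), (server, port))
        data, _ = s.recvfrom(512)
    return parse_version(data)


def constructed_response(version=None, txid=DEFAULT_TXID):
    """Constructed (not captured) reply: a TXT answer, or REFUSED when version is None."""
    question = build_query(txid=txid)[12:]
    if version is None:
        return struct.pack("!HHHHHH", txid, 0x8185, 1, 0, 0, 0) + question  # RCODE 5
    rdata = bytes([len(version)]) + version.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query_version(sys.argv[1]))
    else:
        print(parse_version(constructed_response("9.3.1")))   # offline demo
        print(parse_version(constructed_response()))          # refused -> None
```

Run it with a server address (`python3 versionbind.py 192.0.2.1`, a documentation address standing in for your own server) to see what that server tells strangers; with no argument it exercises the parser on the constructed replies only. In BIND the string returned here is whatever `options { version "..."; };` in named.conf sets, defaulting to the real release, so a provider who wants both outcomes the thread describes (customers can check, everyone else cannot) has to decide which of those two the one knob serves.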
