Blocking version information
brad at stop.mail-abuse.org
Sun Jun 19 05:38:52 UTC 2005
At 12:34 AM -0400 2005-06-19, Vinny Abello wrote:

>> But if you don't know what version you're running, that makes
>> problem solving much more complex.

> Why wouldn't you know the version of BIND you set up?

Do you remember every single thing you've ever done in your entire life?

Have you ever inherited a server that someone else set up?

Have you ever had a problem on another machine that you don't
normally administer, but the person who does is out of the office so
it's left up to you to try to fix?

In many cases, the best kind of system documentation is that
which the system provides itself, and does not require the admin to
remember, know, write down, or update. It just happens automatically.
Software version information is a good example of that type of

> If they're reporting this to you, you already know the version running
> on the server in question.

More importantly, when others on this mailing list/newsgroup are
helping your customers debug their problems while they're on hold
waiting for your helpdesk to answer the phone, it is very useful for
those people to be able to remotely determine this information.

> What's so hard about "named -v"?

That's assuming you have command-line access to the server in
question. That's assuming that named hasn't been locked off so that
you have to have privileged access to that server, so that you can
run named at all.

> Why should someone without control of the DNS server need to know the
> version that's running? I just do see the reasoning. If they need to
> know that bad, they can contact the admin who can choose to disclose
> it or not.

I guess you haven't been on this mailing list/newsgroup for long.
Whenever someone reports problems to this list/group and I respond,
one of the first questions I ask is "what version are you using?"
Most other old-timers on this list/group tend to do the same sort of

If you're on the receiving end and in a panic trying to get your
DNS problems resolved and you can't tell what version you're running,
then you're unlikely to be able to get any further in debugging the

If your provider doesn't allow you to access this kind of
information, that's a good reason to consider going somewhere else.
Maybe not as bad as not doing reverse DNS for you or not doing
reverse DNS at all, but still pretty bad news.

On the flip side, if you're a provider and you don't allow your
customers to access this information, now you know a good reason why
you may be losing them.

> Sure, that's different though... They should be reporting this
> information when asking for help. The server doesn't necessarily need
> to give this info up on its own to everyone who is curious.

Maybe. If you can know, a priori, precisely who should be
allowed to ask these questions and get answers to them, then you can
safely decide to block that information for everyone else.

> Sure, but if someone is skilled enough to fingerprint the name server,
> then they deserve to know what it's running.

So, your customers who pay you for service and are having a
problem don't deserve to know this information, but any black hat who
might want to try to break into your machines does? Can you explain
that to me?

> A casual utility or user
> won't be able to do that too easily. Apart from major version, I doubt
> you can fingerprint a release down to a point release. Feel free to
> prove me wrong. I'd be interested in how it works.

Try out fpdns.pl. In many cases, it can get you down to a
specific point release. It takes knowledge of the source code in
question, and how specific versions react differently to different
types of queries, but it does work.

> Again, this is just my opinion and you are entitled to yours which I

In this case, I'm stating a policy that I believe would be good
for others to follow, even if they don't necessarily know why. The
kind of Best Current Practice that you might find in an IETF RFC or
other type of standards document, etc....

If people choose to ignore that recommendation, there's not much
I can do to help them. But I can help to set that standard.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
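Editor's note: the middle ground Brad describes above (answer version.bind for a known set of askers, refuse it for everyone else) can be expressed in BIND 9 configuration. The named.conf fragment below is an added illustration, not part of the thread; the ACL name and addresses are constructed, and it relies on the documented BIND 9 behaviour that explicitly configured views are matched before the built-in CHAOS view (which is why an explicit CHAOS view is the documented way to hide it).

```conf
// Added example, not from the original post. Addresses are constructed.
//
// The blunt alternative the thread argues against:
//   options { version none; hostname none; };
// hides version.bind from everyone, including the helpdesk staff who need it.

acl "support-staff" {
    127.0.0.1;
    192.0.2.0/24;        // constructed: helpdesk / NOC network
};

// Clients NOT in the ACL match this explicit CHAOS-class view. It defines no
// zones and permits no queries, so version.bind / hostname.bind TXT CH
// lookups are refused for them.
// Assumption: configured views are consulted before the built-in CHAOS view.
view "chaos-outsiders" chaos {
    match-clients { !support-staff; any; };
    allow-query { none; };
};

// Clients in the ACL match no configured CHAOS view and fall through to the
// built-in one, which still answers with the real version string.

// Once any view is declared, every IN-class zone must live inside a view,
// so the ordinary DNS data moves into one as well.
view "external" {
    match-clients { any; };
    recursion no;
    // zone statements for the zones this server is authoritative for go here
};
```

After reloading, a CHAOS TXT query for version.bind from an address outside the ACL should be refused while one from inside it still returns the running version.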