Blocking version information
vinny at tellurian.com
Sun Jun 19 16:20:27 UTC 2005
At 01:38 AM 6/19/2005, Brad Knowles wrote:
>At 12:34 AM -0400 2005-06-19, Vinny Abello wrote:
Hi Brad. :)
>>> But if you don't know what version you're running, that makes
>>>problem solving much more complex.
>> Why wouldn't you know the version of BIND you setup?
> Do you remember every single thing you've ever done in your
> entire life?
No, but I remember what I'm running on my servers that I'm in charge
of. That's my job.
> Have you ever inherited a server that someone else set up?
Yes, in which case I have access to it because I inherited it and can
find out everything I want.
> Have you ever had a problem on another machine that you
> don't normally administer, but the person who does is out of the
> office so it's left up to you to try to fix?
Can't say that I have. If they left it up to me I would assume I
would have the ability to log into it in which case it's trivial to
find out what is running on it.
> In many cases, the best kind of system documentation is
> that which the system provides itself, and does not require the
> admin to remember, know, write down, or update. It just happens automatically.
> Software version information is a good example of that type
> of documentation.
>> If they're reporting this to you, you already know the version running
>> on the server in question.
> More importantly, when others on this mailing
> list/newsgroup are helping your customers debug their problems
> while they're on-hold waiting for your helpdesk to answer the
> phone, it is very useful for those people to be able to remotely
> determine this information.
Sure, that would help if they hadn't reported the version they are
running already. If they know enough to hide that info and not give
the versioning info to people that are trying to help them, then what
do they expect?
>> What's so hard about "named -v"?
> That's assuming you have command-line access to the server
> in question. That's assuming that named hasn't been locked off so
> that you have to have privileged access to that server, so that you
> can run named at all.
Yeah, if you're in charge of a machine and are troubleshooting a BIND
problem I would hope you have access to it and BIND. Otherwise that
would make it quite difficult. :)
>> Why should someone without control of the DNS server need to know the
>> version that's running? I just do see the reasoning. If they need to
>> know that bad, they can contact the admin who can choose to disclose
>> it or not.
> I guess you haven't been on this mailing list/newsgroup for
> long. Whenever someone reports problems to this list/group and I
> respond, one of the first questions I ask is "what version are you
> using?" Most other old-timers on this list/group tend to do the
> same sort of thing.
Yes, I am aware of that which is why people are encouraged to tell
what version they are running. Standard practice in asking for help
here. I've been on this list for over 3 years now.
> If you're on the receiving end and in a panic trying to get
> your DNS problems resolved and you can't tell what version you're
> running, then you're unlikely to be able to get any further in
> debugging the problems.
Again, if you're trying to fix anything with BIND, you have command
line access to the system and can run "named -v" if you don't already
know it. If you don't have system access then how are you going to
fix anything? The only thing I can think of is if you have limited
access through some sort of NFS mount or file share... but if you're
not supposed to have full access to the system, and the answer to
your problem is upgrade, then you can't do anything anyway. This
probably stems back to the issue of always having a staff member with
full access to your servers available. Sure, not everyone can afford
this but then again not everyone HAS to change the version number in
BIND. I'm just saying that I like to and in our environment we've
never had a problem with it.
> If your provider doesn't allow you to access this kind of
> information, that's a good reason to consider going somewhere else.
> Maybe not as bad has not doing reverse DNS for you or not doing
> reverse DNS at all, but still pretty bad news.
It is? If you want to know it that badly, ask them. If they're
running BIND 4 and won't upgrade, THEN go somewhere else... you can
always run BIND yourself as well.
> On the flip side, if you're a provider and you don't allow
> your customers to access this information, now you know a good
> reason why you may be losing them.
These are the oddest statements I've heard. I've can't remember a
customer even being interested in what version of BIND we are
running. If they were, it probably would have been because they're
setting up their own DNS server and wanted us to help them make
decisions on what to use and how to configure it.
>> Sure, that's different though... They should be reporting this
>> information when asking for help. The server doesn't necessarily need
>> to give this info up on it's own to everyone who is curious.
> Maybe. If you can know, a priori, precisely who should be
> allowed to ask these questions and get answers to them, then you
> can safely decide to block that information for everyone else.
That's probably where the difference in opinion is happening here. I
think the admins should know the version number. You think the
customers should know as well.
>> Sure, but if someone is skilled enough to fingerprint the name server,
>> then they deserve to know what it's running.
> So, your customers who pay you for service and are having a
> problem don't deserve to know this information, but any black hat
> who might want to try to break into your machines does? Can you
> explain that to me?
If a customer is paying us for service, they have top notch support
available to them which can properly diagnose the problem. They don't
have to rely on finding out versions of software we're running and
troubleshooting problems on their own. Again, we know what we run.
>> A casual utility or user
>> won't be able to do that too easily. Apart from major version, I doubt
>> you can finger print a release down to a point release. Feel free to
>> prove me wrong. I'd be interested in how it works.
> Try out fpdns.pl. In many cases, it can get you down to a
> specific point release. It takes knowledge of the source code in
> question, and how specific versions react differently to different
> types of queries, but it does work.
Doesn't seem that specific to me. It says my version is:
BIND 9.2.3rc1 -- 9.4.0a0
The major version of BIND 9 it discovered but nothing else really.
Thanks for the tool though. It's interesting.
>> Again, this is just my opinion and you are entitled to yours which I
> In this case, I'm stating a policy that I believe would be
> good for others to follow, even if they don't necessarily know
> why. The kind of Best Current Practice that you might find in an
> IETF RFC or other type of standards document, etc....
Are you stating that disclosing the version of your DNS server is
part of an RFC, either required or simply recommended? I don't
believe it is but I don't read every RFC so I could be wrong.
> If people choose to ignore that recommendation, there's not
> much I can do to help them. But I can help to set that standard.
Certainly. Do what you feel is correct and I will as well. I honestly
don't care if others disclose this information on their servers. I
just know I probably never will and was explaining why. Others can
choose to follow my methodologies or yours (or anyone elses for that
matter). It's up to them. I'm not trying to force my opinion on
anyone, just explaining my reasoning.
vinny at tellurian.com
(973)300-9211 x 125
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A
Tellurian Networks - The Ultimate Internet Connection
"Courage is resistance to fear, mastery of fear - not absence of
fear" -- Mark Twain
More information about the bind-users