Blocking version information
brad at stop.mail-abuse.org
Sun Jun 19 20:38:18 UTC 2005
At 12:20 PM -0400 2005-06-19, Vinny Abello wrote:
>> Do you remember every single thing you've ever done in your
>> entire life?
> No, but I remember what I'm running on my servers that I'm in charge
> of. That's my job.
I've run networks of hundreds of machines. Even if you work
very, very hard, it's impossible to keep up with every single thing
that's running on every single machine.
>> Have you ever inherited a server that someone else set up?
> Yes, in which case I have access to it because I inherited it and can
> find out everything I want.
That's assuming you have the passwords. I've inherited machines
where no one has known what is running on that box for years, and no
one remembers what any of the passwords are. The last person to
actually administer the machine was several generations ago.
> Sure, that would help if they hadn't reported the version they are
> running already. If they know enough to hide that info and not give
> the versioning info to people that are trying to help them, then what
> do they expect?
You missed my point. Your servers hide the version. Your
customers come to us with their problems. It is hard for us to help
them with those problems when you hide the version.
> Yeah, if you're in charge of a machine and are troubleshooting a BIND
> problem I would hope you have access to it and BIND. Otherwise that
> would make it quite difficult. :)
Yes, if you're trying to troubleshoot a BIND problem and you
don't have administrative access to it, then hiding the version can
> Again, if you're trying to fix anything with BIND, you have command
> line access to the system and can run "named -v" if you don't already
> know it.
How many people asking questions on this list actually have
direct administrative access and control over the nameservers in
question? Not many.
> If you don't have system access then how are you going to
> fix anything?
At the very least, you can get a better idea of what the real
problem is, so that if you can ever get through to the people who do
control the system, you are more likely to get the problem fixed
> That's probably where the difference in opinion is happening here. I
> think the admins should know the version number. You think the
> customers should know as well.
Other admins working at your facility should be able to determine
that information, and without needing administrative access to the
server. For example, at AOL, the e-mail admins will only have
administrative access to the e-mail servers, but if they need to
debug a DNS problem, they won't be able to log into the DNS servers
but yet they should still be able to determine which version is in
> If a customer is paying us for service, they have top notch support
> available to them which can properly diagnose the problem. They don't
> have to rely on finding out versions of software we're running and
> troubleshooting problems on their own. Again, we know what we run.
I'm glad you have the luxury of being able to say that.
In the Wild West, professional gunfighters would sometimes leave
one bullet out of their six-shooters, to reduce the probability of
cook-offs due to excessive heat and mis-fires should the gun be
dropped. Sometimes they wouldn't -- trusting that they themselves
were perfect and they knew that they would never drop their gun, nor
would they ever allow their gun to get too hot.
I'm glad you're able to say that you're perfect, and that you
never have to worry about the kinds of problems that might cause the
modern day equivalent of cook-offs and mis-fires.
But that doesn't mean that your policy is an appropriate one to
encourage others to follow.
> Doesn't seem that specific to me. It says my version is:
> BIND 9.2.3rc1 -- 9.4.0a0
> The major version of BIND 9 it discovered but nothing else really. Thanks
> for the tool though. It's interesting.
That's because the BIND programmers have been careful to keep the
externally visible differences in behaviour to a minimum between
those versions, and the programmers who wrote fpdns.pl haven't delved
deeply into the code to find unintentional changes that might also be
externally visible. However, the developers of other fingerprinting
tools might have gone into more depth.
> Are you stating that disclosing the version of your DNS server is part
> of an RFC, either required or simply recommended? I don't believe it is
> but I don't read every RFC so I could be wrong.
I am saying that there is a small security benefit to obscuring
the version you're running. However, I believe that the benefit
obtained this way is trivial when compared to the operational
problems that can result from the same type of obscuration, and that
I believe the operational issues trump the security benefit in almost
> Certainly. Do what you feel is correct and I will as well. I honestly
> don't care if others disclose this information on their servers.
I do care. I am continuing this conversation because I am trying
to help set a Best Current Practice standard in this area.
> I just
> know I probably never will and was explaining why. Others can choose to
> follow my methodologies or yours (or anyone else's for that matter). It's
> up to them. I'm not trying to force my opinion on anyone, just explaining
> my reasoning.
It's your shop, you can run it any way you want.
As Randy Bush (and others) on the NANOG mailing list would say,
"I encourage my competitors to work this way."
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
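As an added example, not part of this thread, here is the BIND 9 named.conf directive both sides are arguing about, with the disclosing and the hiding setting side by side, plus the dig query an admin without shell access on the nameserver would use to see what it actually advertises (hostnames are placeholders):

```conf
// Added example, not from the thread. The "version" option inside the
// BIND 9 "options" block sets the string named returns for a CHAOS-class
// TXT query of "version.bind". Hostnames here are placeholders.
options {
    // Default behaviour (directive omitted): named answers with its real
    // version string, e.g. "9.2.3rc1", which is what the thread argues
    // lets a helper on a mailing list diagnose a problem remotely.

    // Hiding form debated in the thread: any string replaces the real
    // version; fingerprinting tools such as fpdns then have to guess a
    // range from behaviour, e.g. "9.2.3rc1 -- 9.4.0a0" as quoted above.
    version "none";
};

// Check from any host, no administrative access to the server needed
// (standard dig syntax); the TXT answer echoes the configured string:
//   dig @ns1.example.com version.bind chaos txt +short
```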