Blocking version information

Vinny Abello vinny at tellurian.com
Mon Jun 20 02:58:37 UTC 2005


OK, you win. You're completely right. :)

As much as I'd like to go back and forth with this as I'm laughing 
reading some of your responses, I simply don't have the time on or 
off list so as it stands, Brad is correct. I withdraw all my 
statements. Listen to him and everyone that agrees with him.

;)

On with a possibly more relevant topic... I hope. I have nothing more 
to say on this thread to anyone.

At 04:38 PM 6/19/2005, Brad Knowles wrote:
>At 12:20 PM -0400 2005-06-19, Vinny Abello wrote:
>
> >>          Do you remember every single thing you've ever done in your
> >>  entire life?
> >
> >  No, but I remember what I'm running on my servers that I'm in charge
> >  of. That's my job.
>
>         I've run networks of hundreds of machines.  Even if you work
>very, very hard, it's impossible to keep up with every single thing
>that's running on every single machine.
>
> >>          Have you ever inherited a server that someone else set up?
> >
> >  Yes, in which case I have access to it because I inherited it and can
> >  find out everything I want.
>
>         That's assuming you have the passwords.  I've inherited machines
>where no one has known what is running on that box for years, and no
>one remembers what any of the passwords are.  The last person to
>actually administer the machine was several generations ago.
>
> >  Sure, that would help if they hadn't reported the version they are
> >  running already. If they know enough to hide that info and not give
> >  the versioning info to people that are trying to help them, then what
> >  do they expect?
>
>         You missed my point.  Your servers hide the version.  Your
>customers come to us with their problems.  It is hard for us to help
>them with those problems when you hide the version.
>
> >  Yeah, if you're in charge of a machine and are troubleshooting a BIND
> >  problem I would hope you have access to it and BIND. Otherwise that
> >  would make it quite difficult. :)
>
>         Yes, if you're trying to troubleshoot a BIND problem and you
>don't have administrative access to it, then hiding the version can
>cause problems.
>
> >  Again, if you're trying to fix anything with BIND, you have command
> >  line access to the system and can run "named -v" if you don't already
> >  know it.
>
>         How many people asking questions on this list actually have
>direct administrative access and control over the nameservers in
>question?  Not many.
>
> >            If you don't have system access then how are you going to
> >  fix anything?
>
>         At the very least, you can get a better idea of what the real
>problem is, so that if you can ever get through to the people who do
>control the system, you are more likely to get the problem fixed
>sooner.
>
> >  That's probably where the difference in opinion is happening here. I
> >  think the admins should know the version number. You think the
> >  customers should know as well.
>
>         Other admins working at your facility should be able to determine
>that information, and without needing administrative access to the
>server.  For example, at AOL, the e-mail admins will only have
>administrative access to the e-mail servers, but if they need to
>debug a DNS problem, they won't be able to log into the DNS servers
>but yet they should still be able to determine which version is in
>use.
>
> >  If a customer is paying us for service, they have top notch support
> >  available to them which can properly diagnose the problem. They don't
> >  have to rely on finding out versions of software we're running and
> >  troubleshooting problems on their own. Again, we know what we run.
>
>         I'm glad you have the luxury of being able to say that.
>
>         In the Wild West, professional gunfighters would sometimes leave
>one bullet out of their six-shooters, to reduce the probability of
>cook-offs due to excessive heat and mis-fires should the gun be
>dropped.  Sometimes they wouldn't -- trusting that they themselves
>were perfect and they knew that they would never drop their gun, nor
>would they ever allow their gun to get too hot.
>
>
>         I'm glad you're able to say that you're perfect, and that you
>never have to worry about the kinds of problems that might cause the
>modern day equivalent of cook-offs and mis-fires.
>
>         But that doesn't mean that your policy is an appropriate one to
>encourage others to follow.
>
> >  Doesn't seem that specific to me. It says my version is:
> >
> >  BIND 9.2.3rc1 -- 9.4.0a0
> >
> >  The major version of BIND 9 it discovered but nothing else really. Thanks
> >  for the tool though. It's interesting.
>
>         That's because the BIND programmers have been careful to keep the
>externally visible differences in behaviour to a minimum between
>those versions, and the programmers who wrote fpdns.pl haven't delved
>deeply into the code to find unintentional changes that might also be
>externally visible.  However, the developers of other fingerprinting
>tools might have gone into more depth.
>
> >  Are you stating that disclosing the version of your DNS server is part
> >  of an RFC, either required or simply recommended? I don't believe it is
> >  but I don't read every RFC so I could be wrong.
>
>         I am saying that there is a small security benefit to obscuring
>the version you're running.  However, I believe that the benefit
>obtained this way is trivial when compared to the operational
>problems that can result from the same type of obscuration, and that
>I believe the operational issues trump the security benefit in almost
>all cases.
>
> >  Certainly. Do what you feel is correct and I will as well. I honestly
> >  don't care if others disclose this information on their servers.
>
>         I do care.  I am continuing this conversation because I am trying
>to help set a Best Current Practice standard in this area.
>
> >  I just know I probably never will and was explaining why. Others can
> >  choose to follow my methodologies or yours (or anyone else's for that
> >  matter). It's up to them. I'm not trying to force my opinion on anyone,
> >  just explaining my reasoning.
>
>         It's your shop, you can run it any way you want.
>
>         As Randy Bush (and others) on the NANOG mailing list would say,
>"I encourage my competitors to work this way."
>
>--
>Brad Knowles, <brad at stop.mail-abuse.org>
>
>"Those who would give up essential Liberty, to purchase a little
>temporary Safety, deserve neither Liberty nor Safety."
>
>      -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
>      Assembly to the Governor, November 11, 1755
>
>    SAGE member since 1995.  See <http://www.sage.org/> for more info.


Vinny Abello
Network Engineer
Server Management
vinny at tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0  E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

"Courage is resistance to fear, mastery of fear - not absence of 
fear" -- Mark Twain
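The query the thread is arguing over, as an added example that is not part of the original post and not BIND's own code: a small Python client that sends the version.bind TXT query in the CHAOS class (the request that fingerprinting tools and `dig` use to read a nameserver's version string) and parses the reply. The function and helper names (build_version_query, parse_version_response, query_version, build_version_response) are this example's own, and the server replies it tests against are constructed here with assumed version strings; build_version_response merely stands in for a server so the parser can be exercised offline and says nothing about how BIND builds its answers.

```python
"""Query and parse a DNS server's version.bind TXT record (CHAOS class).

Added example, not code from the bind-users thread or from BIND itself.
Assumed names: build_version_query, parse_version_response, query_version,
and the constructed server replies produced by build_version_response.
"""
import random
import socket
import struct
import sys
from typing import Optional

QTYPE_TXT = 16
QCLASS_CH = 3


def _encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a name, handling a compression pointer (0xC0xx)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_version_query(txn_id: Optional[int] = None, name: str = "version.bind") -> bytes:
    """Build the query a fingerprinting tool sends: <name> TXT in class CHAOS."""
    if txn_id is None:
        txn_id = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txn_id, 0x0000, 1, 0, 0, 0)  # flags 0: plain query, RD off
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def build_version_response(txn_id: int, version: Optional[str],
                           name: str = "version.bind") -> bytes:
    """Constructed stand-in for a server reply (offline testing only, not BIND's code):
    one TXT answer carrying `version`, or REFUSED (rcode 5) with no answer when None."""
    question = _encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if version is None:
        return struct.pack("!HHHHHH", txn_id, 0x8405, 1, 0, 0, 0) + question  # QR|AA, rcode 5
    txt = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(txt)) + txt
    return struct.pack("!HHHHHH", txn_id, 0x8400, 1, 1, 0, 0) + question + answer  # QR|AA, rcode 0


def parse_version_response(resp: bytes, expected_id: Optional[int] = None) -> dict:
    """Parse a reply; return {'rcode': int, 'strings': [TXT strings from CH TXT answers]}."""
    if len(resp) < 12:
        raise ValueError("short packet")
    txn_id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if expected_id is not None and txn_id != expected_id:
        raise ValueError("transaction id mismatch")  # reply does not belong to our query
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(resp, off) + 4
    strings = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):            # TXT rdata: one or more <len><chars> strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"rcode": flags & 0x000F, "strings": strings}


def query_version(server: str, port: int = 53, timeout: float = 2.0) -> dict:
    """Send the query over UDP to a real server and parse whatever comes back."""
    txn_id = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txn_id), (server, port))
        data, _ = s.recvfrom(512)
    return parse_version_response(data, expected_id=txn_id)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = query_version(target)
    if result["rcode"] == 0 and result["strings"]:
        print("version.bind:", " ".join(result["strings"]))
    else:
        print("server gave no version (rcode %d)" % result["rcode"])
```

Run it with a server address as the first argument to see what that server chooses to reveal. The string returned is whatever the operator configured: BIND's `version` directive in the `options` block of named.conf sets it, which is the knob the thread is about. The parser checks the transaction ID and QR bit before trusting the answer, and treats a non-zero rcode or an empty answer section as "the server declined to say", which is the case an admin without shell access on the box (and therefore without `named -v`) is left to deal with.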


