DNS version
Ron Hall
thorn at cc.mcgill.ca
Tue Feb 4 14:54:19 UTC 2003
==>I can not let this statement go unchallenged. Others have posted
==>previously that there is no reason for this information to remain
==>private; I agree with those persons. This falls into the category of
==>"security by obscurity", which is not security. If I were a hacker
==>looking for a DNS server to attack, what would I do?
==>
==>a) query the server and look at the response:
==> 1) "none of your business"
==> Is the DNS administrator trying to hide the fact that he/she is
==> running a vulnerable version of BIND?
==> Is the DNS administrator running a good version of BIND?
==> 2) "BIND 8.x.x"
==> Is this really 8.x.x, which is vulnerable?
==> Has the DNS administrator given me a fake string, so that I will
==> waste my time trying to hack a non-hackable version?
==> 3) "BIND 9.2.1"
==> Is this really 9.2.1?
==> Is it vulnerable, and the DNS administrator wants me to
==> believe that it is not?
==>
==>b) Try my penetration scripts on the DNS server anyway without wasting
==> time on checking the version. If the scripts succeed, then I have
==> found a vulnerable DNS server. If not, then I can proceed to try
==> to attack another DNS server.
I'm forced to agree. It is no different than sendmail:
hiding versions does not stop one from having a poorly, badly
or wrongly configured sendmail. If it is vulnerable, the
version information is NOT going to be a prophylactic for your
system. Having an appropriate layer of saran wrap and aluminum
foil (metaphorically speaking) will.
Just my 3 centimes...
HTH
As Always
r