BIND Version check

Barry Margolin barmar at genuity.net
Tue Jun 20 18:46:49 UTC 2000


In article <3.0.3.32.20000620112242.020588f0 at pop3.hank.org>,
Bill Moseley  <moseley at hank.org> wrote:
>At 05:42 PM 06/20/00 -0700, Bill Manning wrote:
>>
>> Actually, revealing the version is a good thing.  Hiding the
>> version encourages additional probing.
>
>I only allow queries by external hosts to a few zones, so (I assume because
>of this) version.bind queries are rejected.
>
>Hiding the version vs. rejecting the version info may be a different issue,
>but I'm not sure I follow the logic that it would encourage more probing.
>To me, rejecting the query would indicate that the DNS admin was thinking
>about security since, in a default setup, the version should be returned.

I think his theory is that if you give out your version, and the hacker
detects that it's one with no known vulnerabilities, he'll leave you
alone.  But if you don't give out your version, he'll just try all the
named attacks he knows, in case you're vulnerable to any of them.

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.


