BIND Version check

Barry Margolin barmar at genuity.net
Tue Jun 20 20:43:39 UTC 2000


In article <25698.961533079 at gromit.rfc1035.com>,
Jim Reid  <jim at rfc1035.com> wrote:
>>>>>> "Daniel" == Daniel Norton <danorton at suespammers.org> writes:
>
>    Daniel> Upgrading to the latest works fine until vulnerabilities
>    Daniel> for that version are known.  Once the vulnerabilities are
>    Daniel> known, there is an open window until you fix them.  Don't
>    Daniel> allow the window by not allowing the version of your
>    Daniel> server to be known.
>
>Eh? If there is a vulnerability against the latest version of
>something, how can hiding that thing's version number protect against
>that vulnerability? If a security weakness exists, the window of
>exposure to that weakness exists until the hole is fixed irrespective
>of whether a version identification string exists or not. Hiding the
>version number doesn't close or even hide that window.

The hiders' theory is that if the hackers don't know you're running the
vulnerable version, they may be less likely to try using that exploit
against you.  Rather than waste their time trying every exploit against
every machine, they'll concentrate their efforts on targets with known
vulnerabilities.  That's presumably why they're sending out version.bind
queries in the first place, isn't it?

Security isn't an absolute.  While security through obscurity isn't much,
it's better than nothing.  During the window between hackers learning of a
vulnerability and developers closing it, what other defense do you have?

-- 
Barry Margolin, barmar at genuity.net
Genuity, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
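Added example, not part of the original thread or of BIND itself: the version.bind probe the post refers to is an ordinary DNS query for the TXT record of "version.bind" in the CHAOS class, and a scanner reads the server's version out of the TXT strings in the reply. The code below builds that query on the wire, parses the reply, and runs against constructed replies (a leaking server answering "8.2.3", a server configured to answer "not disclosed", and a server that refuses the CHAOS query); the version string and the replies are constructed for the example, not captured from a real server. The probe() helper at the end sends the same query over UDP and is the only part that touches the network.

```python
"""Build and parse a version.bind CH TXT query (added example, constructed packets)."""
import socket
import struct
from typing import List, Optional, Tuple

TYPE_TXT = 16
CLASS_CH = 3  # CHAOS class, used only for these server-identification names


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def build_version_query(txid: int = 0x1234, name: str = "version.bind") -> bytes:
    """Wire-format query a scanner sends: one question, version.bind CH TXT, RD set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_version_response(msg: bytes) -> Tuple[int, List[str]]:
    """Return (rcode, TXT strings) from a reply to build_version_query().

    rcode 0 with strings is a disclosure (or a configured decoy string);
    a non-zero rcode such as REFUSED (5) means the server declined the query.
    """
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    strings: List[str] = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><bytes> strings
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
                i += 1 + n
    return rcode, strings


def build_fake_response(query: bytes, txt: Optional[str], rcode: int = 0) -> bytes:
    """Constructed server reply for offline testing, not a capture from a real server."""
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    if txt is None:  # no answer section, just the status code
        header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, 0, 0, 0)
        return header + question
    rdata = bytes([len(txt)]) + txt.encode()
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C points back at the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def probe(server: str, timeout: float = 2.0) -> Tuple[int, List[str]]:
    """Send the query to a real name server over UDP/53 and parse what comes back."""
    q = build_version_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_version_response(reply)


if __name__ == "__main__":
    q = build_version_query()
    # Three constructed replies: leaking, decoy string, refused (version "8.2.3" is made up).
    for label, reply in (("leaks", build_fake_response(q, "8.2.3")),
                         ("decoy", build_fake_response(q, "not disclosed")),
                         ("refused", build_fake_response(q, None, rcode=5))):
        print(label, parse_version_response(reply))
```

The manual equivalent is `dig @server version.bind chaos txt`. On the server side, BIND lets the operator replace the string returned for this name with the `version` statement in the `options` block of named.conf (for example `version "not disclosed";`), which is the "decoy" case above; the parser treats a configured decoy and a genuine disclosure identically, so the check is only as good as the operator's choice of string.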


