BIND Version check

Tony Grace tony at grace.net.au
Wed Jun 21 00:26:11 UTC 2000


----- Original Message -----
From: "Jim Reid" <jim at rfc1035.com>
To: "Daniel Norton" <danorton at suespammers.org>
Cc: <comp-protocols-dns-bind at moderators.isc.org>

> Eh? If there is a vulnerability against the latest version of
> something, how can hiding that thing's version number protect against
> that vulnerability? If a security weakness exists, the window of
> exposure to that weakness exists until the hole is fixed irrespective
> of whether a version identification string exists or not. Hiding the
> version number doesn't close or even hide that window.
>
>
Once a security hole has been documented, a wide-area scan can identify
potential victims. An example:

A root vulnerability exists in BIND-1.2
for ip in addressrange
    dig @$ip txt chaos version.bind | grep "BIND-1.2"
    then reverse lookup and store in a file

This search could be used over any ranges quickly and easily.

The less information you give someone, the more difficult you make the
hacker's task.
If someone has singled your site out because of good bandwidth or some other
reason, then hiding the version number will have little or no effect. CERT,
and in Australia AUSCERT, have security papers with recommendations on hiding
BIND version numbers.
Regards
Tony
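The configuration change the recommendations above amount to, shown as an added example (not part of Tony's message or of any CERT/AUSCERT paper): the `version` option in named.conf's `options` block, with the default (leaking) behaviour beside the hardened form. The directory path is a placeholder.

```conf
// Default (weak): named answers the CHAOS-class query
//     dig @<your-server> txt chaos version.bind
// with its real version string, which is exactly what the scan loop
// in the message above greps for.
options {
    directory "/var/named";    // placeholder path
    // no "version" statement: the real version is reported
};

// Hardened: override what is reported for version.bind so a cheap
// wide-area scan cannot select this host by version string.
// This reduces freely available information only; it does not close
// the hole, so the real fix remains patching to a fixed release.
options {
    directory "/var/named";    // placeholder path
    version none;              // do not answer version.bind at all
    // Alternatively return a fixed string instead of nothing:
    // version "not disclosed";
};

// Verify from another host after reloading named (expected: no TXT
// record, or the fixed string you configured, never the real version):
//     dig @<your-server> txt chaos version.bind +short
```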
