DNS version
Bill Manning
bmanning at ISI.EDU
Tue Feb 4 17:27:38 UTC 2003
% Non-disclosure of the version number may make it harder to craft
% a vulnerability or otherwise slow an attacker down. Sure he can
% try all attacks against all possible versions - but unless each
% such attack has a zero cost to the attacker you have moved the
% barrier up - no matter how imperceptibly.
%
% The mistake is to muddle "secret" (i.e. something which if
% disclosed compromises the integrity of the system) with
% information that is not voluntarily given.
%
% Then again I could be wrong.
right/wrong? depends in some degree on who is asking the question.
the presumption that all version requests are from attackers is
false.
version identification does help track code diffusion, which can
be useful in determining the overall health of the system.
I've been running version checks on the system since 1997 as a
means to gauge the difficulties of deployment of new DNS features.
Hiding the version makes the audits run slower, but doesn't stop
them. In your parlance, this raises the barrier, in practice, you
can't raise the barrier high enough, unless you disconnect the
server from the net.
remember, the DNS is a public database. if it can be queried
it will be. If you're that paranoid, retreating into your
walled garden might be the best thing.
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
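The version check the thread is arguing about is a TXT query for `version.bind` in the CHAOS class. Below is an added example (not code from the original post or from BIND) that builds that query on the wire, parses the TXT answer, and shows what the three usual outcomes look like: a server that reports its real version, one configured with a replacement string such as `version "none";`, and one that refuses the CHAOS class outright. The response packets are constructed inline for offline use; the version strings and the `query_server` helper are assumptions for illustration.

```python
"""version.bind CH TXT query builder and response parser (RFC 1035 wire format).

Added example, not from the original post. Sample responses are constructed
here so the code runs offline; the version strings are made up.
"""
import socket
import struct

QTYPE_TXT = 16
QCLASS_CH = 3


def build_version_query(txid=0x1234, name="version.bind"):
    """Return a standard query for <name> TXT in the CHAOS class."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # qdcount=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _read_name(buf, off):
    """Decode a (possibly compressed) domain name; return (name, next_offset)."""
    labels = []
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(buf, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n


def parse_version_response(buf, txid):
    """Return (rcode, [txt strings]) from a response to build_version_query()."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response matching our transaction id")
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(buf, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = _read_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):  # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode(errors="replace"))
                i += 1 + n
    return rcode, txts


def make_txt_response(txid, strings, rcode=0):
    """Constructed test response: QR+AA set, one TXT CH answer if strings given."""
    header = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 1 if strings else 0, 0, 0)
    question = b"\x07version\x04bind\x00" + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if not strings:
        return header + question
    rdata = b"".join(bytes([len(s)]) + s.encode() for s in strings)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + question + answer


def query_server(host, port=53, timeout=2.0):
    """Send the query over UDP and parse the reply (assumed helper, not run offline)."""
    txid = 0x5a5a
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (host, port))
        data, _ = s.recvfrom(512)
    return parse_version_response(data, txid)


if __name__ == "__main__":
    txid = 0x1234
    samples = {
        "reports real version": make_txt_response(txid, ["9.2.1"]),   # constructed
        'configured version "none"': make_txt_response(txid, ["none"]),
        "CHAOS class refused": make_txt_response(txid, [], rcode=5),  # REFUSED
    }
    for label, pkt in samples.items():
        print(label, "->", parse_version_response(pkt, txid))
```

A survey like the one described above just sends `build_version_query()` to each server and records the tuple; an operator who hides the version turns the first case into the second or third, which is exactly the "slower but not stopped" effect the post describes, since the server still answers the class (or refuses it in a way that is itself a data point).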