DNS version

Mark_Andrews at isc.org
Tue Feb 4 22:51:28 UTC 2003


> Bill Manning wrote:
> >
> > 	right/wrong?  depends in some degree on who is asking the
> > 	question.
> > 	the presumption that all version requests are from attackers is
> > 	false.
> 
> So I didn't presume it - see the paragraph before the one you
> quoted.
> 
> > 	version identification does help track code diffusion, which can
> > 	be useful in determining the overall health of the system.
> 
> A good point, it also gives you another criterion to assess the
> health of your parent domains.
> 
> However, your assessing the overall health of the system
> doesn't necessarily result in my service being more secure.
> The DNS has been a mess for years, one more survey is not
> going to fix it.
> 
> > 	remember, the DNS is a public database. if it can be queried
> > 	it will be.  If you're that paranoid, retreating into your
> > 	walled garden might be the best thing.
> 
> The issue is not if it is queried, but the risk and course of a
> compromise of the DNS server. For many Internet-based businesses,
> loss of control of their DNS could be very unpleasant.

	Returning the version does not change that risk.

	In practice the attacks are just tried.  They either succeed
	fully, partially (e.g. DoS rather than remote shell) or are
	repelled.

	Also turning off the version does not stop remote sites
	fingerprinting the server.  This will get to within one
	or two versions of the exact version, if not the exact version.

	Caches partially fingerprint a remote server every time
	they make a query just to handle the protocol changes.

	Mark
 
> The issue extends well beyond DNS, most mail and web servers
> freely disclose identity and version, most also disclose host
> operating system and other information that falls into the same
> class, which is why many security policies just say "don't
> disclose such information".
> 
> The point was made it isn't a security measure - well I happen
> to think that it does enhance security in some clearly defined
> ways. Thus for some people they will choose to use it because
> they value those gains over the other benefits available by
> making the version public.
> 
> In terms of available measures to harden a BIND server I think
> it is pretty insignificant, but it is also easy to do.
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
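Added example, not part of this post or of BIND's own code: a small check an operator can run against their own servers to see exactly what the `version.bind` CH TXT query returns after changing the `version` option in named.conf (the hardened outcome is a custom string, or REFUSED if the CHAOS class is not served). Function and constant names are my own, and the sample replies are constructed rather than captured.

```python
import socket
import struct

TXT, CH = 16, 3  # RR type and class used by the version.bind query

def build_version_query(txid=0x1234):
    """Wire-format query: version.bind. CH TXT, header flags all zero."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CH)

def _skip_name(data, off):
    """Advance past a (possibly compressed) owner name; return the new offset."""
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] else 1)  # pointer is 2 bytes, root label is 1

def parse_version_reply(data, txid=0x1234):
    """Return (rcode, [TXT strings]) found in the answer section of a reply."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off, texts = 12, []
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == TXT and rclass == CH and i < len(rdata):
            n = rdata[i]                          # <len><chars> character-string
            texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return flags & 0x0F, texts

def query_server(host, port=53, timeout=3.0):
    """Send the query over UDP to one of your own servers and decode the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_version_query(), (host, port))
        return parse_version_reply(sock.recv(512))

# Constructed sample replies (not captured from any real server):
QUESTION = b"\x07version\x04bind\x00\x00\x10\x00\x03"
DISCLOSING_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION
                    + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, 6) + b"\x059.2.1")
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0) + QUESTION
```

`query_server("192.0.2.1")` returns `(0, ["9.2.1"])` for a server answering like the first sample and `(5, [])` for one that refuses the CHAOS class; as Mark notes, a hidden string only removes the advertised value, not what protocol behaviour still reveals.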