Blocking version information

Peter Dambier peter at peter-dambier.de
Fri Jun 17 20:07:30 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pax Dickinson wrote:
| Hi all,
|
| I'm working on a script to update BIND 8 named.conf files to BIND 9, and
| I'm wondering if using a
|
| version "None of your business.";

This is done often.

|
| option in our named.conf would violate any DNS RFCs?  A quick skim makes
| it appear to me that it wouldn't, but I need to be sure.

It does not directly break anything.

Indirectly it breaks debugging. As long as nobody complains about your servers
in his lame-server-log I don't see a problem.

If I was running a public DNS-resolver as ISPs do and if I was annoyed with
your servers appearing in my log, then I would use dig to debug.

Seeing your version I might be tempted to add a zone file to my resolver:

lame-servers.com.    SOA   here.my-server.com. me.my-server.com. ...
lame-servers.com.    NS    here.my-server.com.
lame-servers.com.    A     127.0.0.1
*.lame-servers.com.  A     127.0.0.1

It would definitely solve my problem.

I am analysing log files on nameservers. I did not see any problems with DNS.
But I did see problems with other services and I did solve them.

What does your server do? Publish DNS information about your company to the
outside or resolve and cache for the inside?

If it is a resolver for the inside then don't worry, you will not harm anybody
keeping your bind version a secret.

If it delivers information to the outside I would not hide this information
nor would I disable axfr queries.

If it does both then you do have a security problem. Get another server for
the inside. Hide it behind a firewall. Hide its version if you like. Let
nobody see it from the outside.

Don't let your nameserver for the outside cache any information. Then you
should be ok.

|
| Thanks,
| Pax Dickinson
|

Regards,
Peter and Karin Dambier

- --
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-6252-599091 (O2 Genion)
+1-360-226-6583-9738 (INAIC)
mail: peter at peter-dambier.de
http://iason.site.voila.fr
http://www.kokoom.com/iason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCsy1/PGG/Vycj6zYRAgv7AJ4z3QFeVtRj7f5CAzoKxDPdMPWqjQCcDFAs
Efdk1OKF8gtLHU9LdTI/ah8=
=wmr5
-----END PGP SIGNATURE-----
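
An added example, not part of the original message: a small Python check an operator can run against their own outward-facing server to see the two things the reply discusses, namely what it returns for the `version.bind` CHAOS TXT query and whether it offers recursion (the RA flag), which an authoritative-only server should not. The function names and the sample reply are constructed for illustration.

```python
import struct

TXT, CH = 16, 3  # RR type TXT, class CHAOS

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_version_query(qid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", TXT, CH)

def skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(msg):
    """Return (recursion_available, rcode, list of CHAOS TXT strings)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == TXT and rclass == CH and i < len(rdata):
            n = rdata[i]  # TXT rdata is a sequence of length-prefixed strings
            texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return bool(flags & 0x0080), flags & 0x000F, texts

def sample_response(version, recursion_available):
    # Constructed reply, not captured traffic: QR|AA|RD, plus RA if requested
    flags = 0x8500 | (0x0080 if recursion_available else 0)
    txt = bytes([len(version)]) + version.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CH, 0, len(txt)) + txt
    question = build_version_query()[12:]
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    print(parse_response(sample_response("None of your business.", True)))
```

To use it against a real server, send `build_version_query()` over UDP to port 53 of a server you operate and pass the reply bytes to `parse_response()`.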



More information about the bind-users mailing list