Blocking version information

[Brad Knowles]

At 12:20 PM -0400 2005-06-19, Vinny Abello wrote:

>>          Do you remember every single thing you've ever done in your
>>  entire life?
>
>  No, but I remember what I'm running on my servers that I'm in charge
>  of. That's my job.

	I've run networks of hundreds of machines.  Even if you work 
very, very hard, it's impossible to keep up with every single thing 
that's running on every single machine.

>>          Have you ever inherited a server that someone else set up?
>
>  Yes, in which case I have access to it because I inherited it and can
>  find out everything I want.

	That's assuming you have the passwords.  I've inherited machines 
where no one has known what is running on that box for years, and no 
one remembers what any of the passwords are.  The last person to 
actually administer the machine was several generations ago.

>  Sure, that would help if they hadn't reported the version they are
>  running already. If they know enough to hide that info and not give
>  the versioning info to people that are trying to help them, then what
>  do they expect?

	You missed my point.  Your servers hide the version.  Your 
customers come to us with their problems.  It is hard for us to help 
them with those problems when you hide the version.

>  Yeah, if you're in charge of a machine and are troubleshooting a BIND
>  problem I would hope you have access to it and BIND. Otherwise that
>  would make it quite difficult. :)

	Yes, if you're trying to troubleshoot a BIND problem and you 
don't have administrative access to it, then hiding the version can 
cause problems.

>  Again, if you're trying to fix anything with BIND, you have command
>  line access to the system and can run "named -v" if you don't already
>  know it.

	How many people asking questions on this list actually have 
direct administrative access and control over the nameservers in 
question?  Not many.

>            If you don't have system access then how are you going to
>  fix anything?

	At the very least, you can get a better idea of what the real 
problem is, so that if you can ever get through to the people who do 
control the system, you are more likely to get the problem fixed 
sooner.

>  That's probably where the difference in opinion is happening here. I
>  think the admins should know the version number. You think the
>  customers should know as well.

	Other admins working at your facility should be able to determine 
that information, and without needing administrative access to the 
server.  For example, at AOL, the e-mail admins will only have 
administrative access to the e-mail servers, but if they need to 
debug a DNS problem, they won't be able to log into the DNS servers 
but yet they should still be able to determine which version is in 
use.

>  If a customer is paying us for service, they have top notch support
>  available to them which can properly diagnose the problem. They don't
>  have to rely on finding out versions of software we're running and
>  troubleshooting problems on their own. Again, we know what we run.

	I'm glad you have the luxury of being able to say that.

	In the Wild West, professional gunfighters would sometimes leave 
one bullet out of their six-shooters, to reduce the probability of 
cook-offs due to excessive heat and mis-fires should the gun be 
dropped.  Sometimes they wouldn't -- trusting that they themselves 
were perfect and they knew that they would never drop their gun, nor 
would they ever allow their gun to get too hot.


	I'm glad you're able to say that you're perfect, and that you 
never have to worry about the kinds of problems that might cause the 
modern day equivalent of cook-offs and mis-fires.

	But that doesn't mean that your policy is an appropriate one to 
encourage others to follow.

>  Doesn't seem that specific to me. It says my version is:
>
>  BIND 9.2.3rc1 -- 9.4.0a0
>
>  The major version of BIND 9 it discovered but nothing else really. Thanks
>  for the tool though. It's interesting.

	That's because the BIND programmers have been careful to keep the 
externally visible differences in behaviour to a minimum between 
those versions, and the programmers who wrote fpdns.pl haven't delved 
deeply into the code to find unintentional changes that might also be 
externally visible.  However, the developers of other fingerprinting 
tools might have gone into more depth.

>  Are you stating that disclosing the version of your DNS server is part
>  of an RFC, either required or simply recommended? I don't believe it is
>  but I don't read every RFC so I could be wrong.

	I am saying that there is a small security benefit to obscuring 
the version you're running.  However, I believe that the benefit 
obtained this way is trivial when compared to the operational 
problems that can result from the same type of obscuration, and that 
I believe the operational issues trump the security benefit in almost 
all cases.

>  Certainly. Do what you feel is correct and I will as well. I honestly
>  don't care if others disclose this information on their servers.

	I do care.  I am continuing this conversation because I am trying 
to help set a Best Current Practice standard in this area.

>                                                                    I just
>  know I probably never will and was explaining why. Others can choose to
>  follow my methodologies or yours (or anyone elses for that matter). It's
>  up to them. I'm not trying to force my opinion on anyone, just explaining
>  my reasoning.

	It's your shop, you can run it any way you want.

	As Randy Bush (and others) on the NANOG mailing list would say, 
"I encourage my competitors to work this way."

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.