BIND9, ISS and AUTHORS.BIND

Bill Larson wllarso at swcp.com
Tue Feb 7 17:12:03 UTC 2006


On Feb 7, 2006, at 8:25 AM, Bischof, Ralph wrote:

> Hello,
>
> 	I have a 9.3.1 build of BIND running on a Red Hat Enterprise
> Linux ES4 system. I *must* use the ISS scanner (http://www.iss.net/) to
> discover and mitigate any vulnerabilities on the system before I can
> connect it to the network. When I ran a scan of my box, I found the
> below Medium vulnerability that I need to do something about.
>
> Vulnerability Details:
> M BindHostnameDisclosure: BIND hostname disclosure BIND (the Berkeley
> Internet Name Daemon) is the Domain Name Service for Unix systems. BIND
> versions 9.0 and later could allow a remote attacker to obtain sensitive
> information. By sending specially-crafted DNS query for the record
> AUTHORS.BIND a remote attacker may learn the BIND software version and
> the hostname of the DNS server. This information could be helpful in
> launching further attacks.
> Remedy:
> No remedy available as of January 2005.

Well, you can always create a "bind" zone of type CH and populate this 
with information that will satisfy the ISS scanner.  A very good 
example of this can be found in the "Secure BIND Template" at 
http://www.cymru.com/Documents/secure-bind-template.html.  This can 
hide both the "version.bind" and "authors.bind" information.

> 	I know I use the "version" named.conf statement with BIND8 to
> hide the version. Would it also help to put this statement in with my
> BIND9 build? Something like...
>
> options {
> 	version "unknown";
> };

But this won't hide the "authors.bind" information and ISS was 
complaining about "authors.bind" information too.

> 	I appreciate any help! If it's not possible to mitigate this
> through the configuration, I am thinking that I can make a definitive
> argument that I *already* advertise the hostname of the server to the
> Internet public, therefore it's a non-issue.

Now, two points to make.  Does hiding the version of BIND that is 
running make any difference in the security of the system?  I would say 
no, if there are security problems with BIND then simply hiding the 
version information will not make the security problems go away.  
Second, there are other ways to determine the version of BIND that is 
run besides looking at the "version.bind" information that the server 
supplies.  Even on a system that hides the "version.bind" information, 
the type and version of DNS server software can be identified.  This 
includes non-BIND DNS servers such as Microsoft, UltraDNS, etc.

These are arguments that you must take up with your security people, 
and don't expect to get them to change their opinion.  My opinion is 
that many (not all) computer security "professionals" simply follow a 
set of check lists without understanding the underlying reasons why the 
check lists were created.

Wouldn't it be interesting to run a BIND 4.x version that doesn't 
provide any "version.bind" response?  Would that be good enough to 
convince the security "professionals" that your system was "secure"?  
This would provide ISS with an appropriate response and so the 
appropriate check mark could be put down on paper.

I would also like to know if anyone is aware of a security attack 
against the BIND software that makes use of this version information.  
All of the attacks that I am aware of were simply attacking name 
servers irrespective of what "version.bind" information was provided.  
I would love to hear that some attack could be thwarted simply by 
advertising that "version.bind" returned "this version is good", or 
something similar.

Bill Larson
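For readers who want to try the CH-zone approach Bill describes (as in the Team Cymru template) alongside Ralph's "version" option, here is an added, self-contained configuration example; it is not from the original post or from the BIND project, and the file name db.bind, the placeholder TXT strings and the SOA values are assumptions chosen for illustration. Defining a zone named "bind" in class CHAOS replaces the built-in zone that normally answers version.bind and authors.bind, so both names return whatever the zone file says; hostname.bind is another built-in name BIND 9 answers in the same class and is covered the same way.

```conf
// named.conf fragment (added example, assumed paths)

options {
    // Harmless to keep; with the explicit CHAOS zone below,
    // the zone file answers version.bind, not this string.
    version "unknown";
};

// Class-CHAOS zone "bind": overrides named's built-in
// version.bind / authors.bind / hostname.bind responses.
zone "bind" chaos {
    type master;
    file "db.bind";          // assumed path, relative to "directory"
    allow-update { none; };
    allow-transfer { none; };
};

// ---- db.bind (zone file, class CH) ----
// $TTL 1D
// @            CH  SOA  localhost. root.localhost. (
//                       2006020701 ; serial (constructed)
//                       3H 1H 1W 1D )
//              CH  NS   localhost.
// version      CH  TXT  "not available"   ; answers version.bind
// authors      CH  TXT  "not available"   ; answers authors.bind
// hostname     CH  TXT  "not available"   ; answers hostname.bind
```

After reloading named, verify with dig that the placeholders are what is served: `dig @127.0.0.1 version.bind CH TXT` and `dig @127.0.0.1 authors.bind CH TXT` should return "not available" in the answer section. As Bill points out, this satisfies the scanner's check but does not change the server's actual exposure; patching remains the real fix.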