BIND9, ISS and AUTHORS.BIND

Mark Andrews Mark_Andrews at isc.org
Tue Feb 14 22:49:41 UTC 2006 

> Hello Bill and all, 
> 
> > -----Original Message-----
> > From: bind-users-bounce at isc.org 
> > [mailto:bind-users-bounce at isc.org] On Behalf Of Bill Larson
> > Sent: Wednesday, February 08, 2006 10:48 PM
> > To: comp-protocols-dns-bind at isc.org
> > Subject: Re: BIND9, ISS and AUTHORS.BIND
> 
> > At
> > http://documents.iss.net/literature/InternetScanner/reports/
> > Line_Mgmt_Host_Vulnerability_Summary_Report.pdf, there is an 
> > example of the report that the ISS scanner produces.  In 
> > particular, the example given identifies "BIND servers can be 
> > remotely queried for their version", and the associated 
> > severity of this discovery is listed as "low" (not medium). 
> 
> Actually, that is a different check than the one I originally posted.
> You are correct, BindVrs is a low. BindHostnameDisclosure is a BIND9
> check that is a Medium. See below...
> 
> Vulnerability Details:
> M BindHostnameDisclosure: BIND hostname disclosure
> BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
> Unix systems. BIND versions 9.0 and later could allow
> a remote attacker to obtain sensitive information. By sending
> specially-crafted DNS query for the record AUTHORS.BIND a remote
> attacker may learn the BIND software version and the hostname of the DNS
> server. This information could be helpful in launching
> further attacks.
> Remedy:
> No remedy available as of January 2005.

	AUTHORS.BIND does not give the version or the hostname.
	The report above is completely wrong.

	As for HOSTNAME.BIND you can turn this off in named.conf.

	As for VERSION.BIND you can turn this off in named.conf.

	As for AUTHORS.BIND it is disabled if the version is set in
	named.conf.

> L bindvrs: BIND servers can be remotely queried for their version
> numbers
> BIND (Berkeley Internet Name Domain) servers support the ability to be
> remotely queried for their version numbers. An attacker
> could use this feature to query computers for vulnerable versions of
> BIND. This information could be useful to an attacker in
> performing an attack.
> Remedy:
> Disable the BIND version query feature. Refer to the BIND documentation
> for information on this procedure.
>  
> > Then again, maybe this person shouldn't be trying to provide 
> > any network services, including DNS services.  Remember that 
> > the original poster is working for a US Government organization.
> 
> NASA has a public presence to the Internet community and the world.
> Please see http://www.nasa.gov/ 
> 
> Thank you,
> --
> Ralph F. Bischof, Jr.
> Any opinion within this communication is not necessarily that of NASA.
> PGP Key - http://pgpkeys.hq.nasa.gov
> 
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list