"Hiding" version.bind in /etc/bind/named.conf.options doesn't work

[Warren Kumari]

On Wed, Feb 28, 2018 at 12:57 PM, G.W. Haywood via bind-users
<bind-users at lists.isc.org> wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
>
> Waste of time.  The attacks are automated, and will be mounted anyway.

Thank you - this has long been a position that I've held/espoused.

It is easier / cheaper / faster for an attacker to simply assume that
a machine is running vulnerable software and try all exploits on it,
instead of carefully checking to see what services / versions a server
advertises and restricting to those.
Also, if you are *not* running a vulnerable version of <software>, it
doesn't matter if the attacker knocks on the door, and if you *are*
running a vulnerable version, having the attacker not know that
doesn't provide you any protection.

I realize that this sounds somewhat ranty, but I've recently had to
deal with some checklist-style security audits / certifications which
require things like hiding version information (and pointing at the
"firewall") while completely ignoring actual security issues (like
"are the versions known vulnerable", "are the firewalls / ACLS /
whatever sane", "do your users know not to click on
unpaid_invoice.doc", "do you use 2FA", "are all your credential
'Hunter2'" ?)


W


>
> --
>
> 73,
> Ged.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf