Re: Reasons why BIND isn't being upgraded
From: Paul Vixie <vixie@mfnx.net>

Simon@wretched.demon.co.uk (Simon Waters) writes:

>> I remain unconvinced that showing the version string helps much.

> hiding it doesn't help at all. people who want to know if you're vulnerable and to what have tools to find out.

No - they or their tools then have to try known exploits sequentially to find out if I'm vulnerable, which is completely different to just asking for a version string. In some cases the failed exploits will be logged, or cause a crash, thus perhaps allowing DoS but saving someone from altering the DNS contents, or perhaps giving the owner time to respond.

> hiding it DOES however make it harder for people (including network owners) to do surveys.

Network owners can run "named -v", or get an audit program that does it for them. BIND is not alone; most major Internet software (my mail program does, for a start... at the moment anyway) is only too keen to tell you who it is in tedious detail. I think they should report what protocols they support (although this could be a giveaway as well). BTW, I'm not saying "lie" about the version string, as someone seemed to think; I'm saying just don't give it to anyone who asks. If someone phoned you up out of the blue and said "Hi, I'm Simon, what version DNS server are you running?" you'd probably hang up or ask why I want to know; you wouldn't just say 8.2.3 and hang up, so why let your most sensitive servers do something you wouldn't?
From: Jim Mercer <jim@reptiles.org>

> yeah, i'm pissed with isc and that vixie guy too.
>
> after all, i paid them 0's and 0's of dollars to come up with a timely fix to the security hole, and what do they do?

I'm hoping HP pay them a reasonable amount out of what my clients pay HP, but HP probably squandered it paying Jean to write all that wireless network card code for Linux *8-)

--
Business http://www.eighth-layer.com/
Personal http://www.wretched.demon.co.uk/
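The "just asking for a version string" that the thread argues about is a single DNS query: a TXT record for the name version.bind in the CHAOS class (the same thing `dig @server version.bind chaos txt` sends). BIND's named.conf lets the operator replace the answer with `options { version "..."; };`, which is the "don't give it to anyone who asks" option Simon describes. The following is an added example, not code from the thread, from ISC or from BIND: it builds that query on the wire, parses the reply, and is exercised against three replies constructed by hand (a chatty server, a server with the version option set, and a server that refuses the class), so it runs offline. The server address in the live helper and the reply bytes are assumptions for illustration.

```python
"""Added example: build and parse the version.bind CH TXT query that BIND
version surveys rely on.  Sample replies below are constructed, not captured."""
import socket
import struct

QTYPE_TXT = 16   # TXT record type
QCLASS_CH = 3    # CHAOS class, where BIND serves version.bind


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_version_query(txid=0x1234, name="version.bind"):
    """Return a complete DNS query message:  <name> CH TXT, one question, RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _read_name(msg, off):
    """Decode a possibly compressed name at off; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_version_reply(msg):
    """Return the TXT strings from CH-class answers, or None if the server refused
    or returned no answer (e.g. the CHAOS class is not served at all)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F != 0 or an == 0:                  # RCODE != NOERROR, or empty
        return None
    off = 12
    for _ in range(qd):                                 # skip question section
        _, off = _read_name(msg, off)
        off += 4
    texts = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < rdlen:                            # TXT rdata: <len><chars>...
                n = rdata[i]
                texts.append(rdata[i + 1:i + 1 + n].decode())
                i += 1 + n
    return texts


def query_version(server, timeout=2.0):
    """Ask a live server over UDP/53 (needs network; not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_reply(data)


def _reply(rcode, rdata=None):
    """Build a constructed reply: QR|AA flags, echoed question, optional one answer."""
    an = 0 if rdata is None else 1
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, an, 0, 0)
    msg += encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if rdata is not None:                               # name = pointer to question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return msg


# Constructed replies (assumed, not captured from any real host):
CHATTY_REPLY = _reply(0, b"\x058.2.3")             # default behaviour: version disclosed
HIDDEN_REPLY = _reply(0, b"\x0dnot disclosed")     # options { version "not disclosed"; };
REFUSED_REPLY = _reply(5)                          # REFUSED: chaos class not served

if __name__ == "__main__":
    for label, r in [("chatty", CHATTY_REPLY), ("hidden", HIDDEN_REPLY), ("refused", REFUSED_REPLY)]:
        print(label, parse_version_reply(r))
```

The point the parser makes concrete is Simon's: with the version option set, the survey tool still gets an answer, but the answer is whatever the operator chose, so the surveyor is back to probing rather than asking. The `_read_name` helper handles the compression pointer a real server puts in the answer's name field, which a naive parser that expects a repeated literal name would mis-read.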