Bugtraq mailing list archives

Re: fingerprinting BIND 9.1.0


From: "William D. Colburn (aka Schlake)" <wcolburn () NMT EDU>
Date: Wed, 31 Jan 2001 08:15:01 -0700

The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries.  I agree with the BIND people that there
isn't much point in hiding that information.

FAQ>Q: How do I restrict people from looking up the server version?
FAQ>
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf.  Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server.  Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>version?
FAQ>
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last.  The
FAQ>caveats of the previous answer still apply, of course.
FAQ>
FAQ>  view "chaos" chaos {
FAQ>          match-clients { <those to be refused>; };
FAQ>          allow-query { none; };
FAQ>          zone "." {
FAQ>                  type hint;
FAQ>                  file "/dev/null";  // or any empty file
FAQ>          };
FAQ>  };

On Tue, Jan 30, 2001 at 07:14:20PM -0600, buglist () SHIKAHR COM INTER NET wrote:
Date:         Tue, 30 Jan 2001 19:14:20 -0600
From: buglist () SHIKAHR COM INTER NET
Subject:      Re: fingerprinting BIND 9.1.0
To: BUGTRAQ () SECURITYFOCUS COM

In message <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01>
Max Vision writes:

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors".

   [ snip ]

% dig @ns.example.com authors.bind chaos txt

I've been playing some with BIND 9.1.0, and have found that queries
like this can be suppressed using the new "view" capability. I now
have in my named.conf, the following:

   view "external-chaos" chaos {
        match-clients { any; };
        recursion no;
        zone "." {
                type hint ;
                file "/dev/null";
                };
        };

and a similar entry for hesiod records. Queries then against either
chaos or hesiod records will come back as "servfail".

Alternatively, creating your own "bind." domain with CH, rather than
IN, records for SOA and TXT data will override hardcoded values. I've
also got a "bind." domain that has this record:

   version.bind.    0    ch   txt     "Who knows"

so that if I don't use a "view" to block chaos records, then at least
I give out only information that I want to give out.

--
Randall Raemon
shikahr.com.inter.net, email to rlr

--
William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn
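
Added example, not part of the original messages: a Python sketch an operator could use to confirm that their own server answers the CHAOS TXT queries discussed above (version.bind, authors.bind) with SERVFAIL or with the overridden text. The function names are illustrative and the two replies are constructed bytes, not captured traffic.

```python
import struct

# Added example: names below are illustrative, sample replies are constructed.
TYPE_TXT, CLASS_CH = 16, 3
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Wire-format query for <name> CH TXT, e.g. version.bind or authors.bind."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 0)  # one question, RD clear
    return header + qname + struct.pack("!2H", TYPE_TXT, CLASS_CH)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, then done
            return off + 2
        off += 1 + n

def parse_reply(msg):
    """Return (rcode name, list of CH TXT strings) from a DNS reply."""
    _, flags, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        i = 0
        while rtype == TYPE_TXT and rclass == CLASS_CH and i < len(rdata):
            n = rdata[i]                       # TXT = length-prefixed strings
            texts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
    return RCODES.get(flags & 0xF, str(flags & 0xF)), texts

# Constructed replies: what the view-based block and the "bind." override return.
QUESTION = build_query("version.bind")[12:]
SERVFAIL_REPLY = struct.pack("!6H", 0x1234, 0x8002, 1, 0, 0, 0) + QUESTION
OVERRIDE_REPLY = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!2HIH", TYPE_TXT, CLASS_CH, 0, 10)
                  + b"\x09Who knows")
```

To check a server you operate, send the bytes from `build_query` over UDP port 53 and pass the datagram that comes back to `parse_reply`.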

