Bugtraq mailing list archives
Re: fingerprinting BIND 9.1.0
From: "William D. Colburn (aka Schlake)" <wcolburn () NMT EDU>
Date: Wed, 31 Jan 2001 08:15:01 -0700
The FAQ file that comes with the distribution already covers all this. While it used to seem like a good idea to obfuscate version numbers, things like nmap can be written for just about any internet service which would make version obfuscation just a false sense of security. Even if your version is obscured, a known exploit will still work against it if someone tries. I agree with the BIND people that there isn't much point in hiding that information. FAQ>Q: How do I restrict people from looking up the server version? FAQ> FAQ>A: Put a "version" option containing something other than the real FAQ>version in the "options" section of named.conf. Note doing this will FAQ>not prevent attacks and may impede people trying to diagnose problems FAQ>with your server. Also it is possible to "fingerprint" nameservers to FAQ>determine their version. FAQ> FAQ>Q: How do I restrict only remote users from looking up the server FAQ>version? FAQ> FAQ>A: The following view statement will intercept lookups as the internal FAQ>view that holds the version information will be matched last. The FAQ>caveats of the previous answer still apply, of course. FAQ> FAQ> view "chaos" chaos { FAQ> match-clients { <those to be refused>; }; FAQ> allow-query { none; }; FAQ> zone "." { FAQ> type hint; FAQ> file "/dev/null"; // or any empty file FAQ> }; FAQ> }; On Tue, Jan 30, 2001 at 07:14:20PM -0600, buglist () SHIKAHR COM INTER NET wrote:
Date: Tue, 30 Jan 2001 19:14:20 -0600 From: buglist () SHIKAHR COM INTER NET Subject: Re: fingerprinting BIND 9.1.0 To: BUGTRAQ () SECURITYFOCUS COM In message <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01> Max Vision writes:The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded chaos record called "authors".[ snip ]% dig @ns.example.com authors.bind chaos txtI've been playing some with BIND 9.1.0, and have found that queries like this can be suppressed using the new "view" capability. I now have in my named.conf, the following: view "external-chaos" chaos { match-clients { any; }; recursion no; zone "." { type hint ; file "/dev/null"; }; }; and a similar entry for hesiod records. Queries then against either chaos or hesiod records will come back as "servfail". Alternatively, creating your own "bind." domain with CH, rather than IN, records for SOA and TXT data will override hardcoded values. I've also got a "bind." domain that has this record: version.bind. 0 ch txt "Who knows" so that if I don't use a "view" to block chaos records, then at least I give out only information that I want to give out. -- Randall Raemon shikahr.com.inter.net, email to rlr
-- William Colburn, "Sysprog" <wcolburn () nmt edu> Computer Center, New Mexico Institute of Mining and Technology http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
Current thread:
- fingerprinting BIND 9.1.0 Max Vision (Jan 30)
- Re: fingerprinting BIND 9.1.0 Eric Limpens (Jan 30)
- <Possible follow-ups>
- Re: fingerprinting BIND 9.1.0 buglist (Jan 30)
- Re: fingerprinting BIND 9.1.0 William D. Colburn (aka Schlake) (Jan 31)
- Re: fingerprinting BIND 9.1.0 Lucas Holt (Jan 31)
- Re: fingerprinting BIND 9.1.0 William D. Colburn (aka Schlake) (Jan 31)