Reasons why BIND isn't being upgraded

Fri Feb 2 23:27:35 UTC 2001

> From: Paul Vixie <vixie at mfnx.net>
> Simon at wretched.demon.co.uk (Simon Waters) writes:
>
> > I remain unconvinced that showing the version string helps much.

> hiding it doesn't help at all.  people who want to know if you're vulnerable
> and to what have tools to find out.

No - they or their tools then have to try known exploits sequentially to
find out if I'm vulnerable - which is completely different to just
asking for a version string.

In some cases the failed exploits will be logged, or cause a crash. Thus
perhaps allowing DoS but saving someone altering the DNS contents, or
perhaps giving the owner time to respond.

> hiding it DOES however make it harder for people (including network owners)
> to do surveys.

Network owners can run "named -v", or get an audit program that does it
for them.

BIND is not alone most major Internet software (My mail program does for
starter... at the moment anyway) is only too keen to tell you who it is
in tedious detail, I think they should report what protocols they
support (although this could be a give away as well).

BTW I'm not saying "lie" about the version string as someone seemed to
think, I'm saying just don't give it to anyone who asks. If someone
phoned you up out of the blue, and said "Hi, I'm Simon, what version DNS
server are you running?" you'd probably hang up or ask why I want to
know, you wouldn't just say 8.2.3 and hang up, so why let your most
sensitive servers do something you wouldn't.

> From: Jim Mercer <jim at reptiles.org>
> 
> yeah, i'm pissed with isc and that vixie guy too.
> 
> after all, i paid them 0's and 0's of dollars to come up with a timely
> fix to the security hole, and what do they do?

I'm hoping HP pay them a reasonable amount out of what my clients pay
HP, but HP probably squandered it paying Jean to write all that wireless
network card code for Linux *8-)

-- 
Business http://www.eighth-layer.com/
Personal http://www.wretched.demon.co.uk/