sorry to ruin several of your evenings...
Christopher L. Morrow
cmorrow at UU.NET
Tue Jan 30 21:37:15 UTC 2001
Ok, so perhaps my initial post was not prefaced correctly: "instead of
disallowing queries, change the version returned to something bogus on
your spankin' new upgraded 'must be secure cause paul said so' version of
BIND'?"
:) of course I'm not advocating leaving old/vulnerable versions of stuff
running... just denying the enemy intelligence they COULD use against you.
--Chris
On Tue, 30 Jan 2001, Jared Mauch wrote:
>
> The problem is that there are those that do not have their
> sysadmin staff at proper levels or will use some configuration options
> to their advantage to save doing work. These people should use caution
> if they go about it this way instead of upgrading.
>
> You would be surprised how many requests I get for favicon.ico on my
> web server still...
>
> - Jared
>
> On Tue, Jan 30, 2001 at 04:31:30PM -0500, Christopher L. Morrow wrote:
> >
> > I didn't say I didn't upgrade :) I just said why give out info you don't
> > need to give out.
> >
> > --Chris
> >
> > On Tue, 30 Jan 2001, Jared Mauch wrote:
> >
> > >
> > > The key here is that if you're going to spend time faking the
> > > real response of a query that time may be best spent fixing the
> > > real problem.
> > >
> > > People who will now complain about the number of machines they
> > > need to upgrade, etc.. should now evaluate the costs of running an internet
> > > connected network. If these costs or risks are too high for you perhaps
> > > you need to evaluate your internet connection policies.
> > >
> > > - Jared
> > >
> > > On Tue, Jan 30, 2001 at 09:32:24PM +0000, bmanning at vacation.karoshi.com wrote:
> > > >
> > > > let's see... (from previous discussions on the usefulness of tweaking
> > > > the version)
> > > >
> > > > wearing my blackhat, I have to decide which system is worthy
> > > > of my talents... which one should I pick?
> > > >
> > > > version "bad-ass-bind";
> > > > -or-
> > > > version "9.1.0"
> > > >
> > > > of course I could be running 4.8.1 and simply recompile so it _reports_
> > > > a bogus version but the profile of a 9.1.0 code base is -very- distinct
> > > > from a 4.8.1 code base... esp on replies to queries.
> > > >
> > > > Pick your targets carefully.
> > > >
> > > >
> > > >
> > > > > Why not just return some 'bogus' version ??? like this option allows:
> > > > >
> > > > > version "bad-ass-bind";
> > > > >
> > > > > :)
> > > > >
> > > > > --Chris
> > > > >
> > > > > #######################################################
> > > > > ## UUNET Technologies, Inc. ##
> > > > > ## Manager ##
> > > > > ## Customer Router Security Engineering Team ##
> > > > > ## (W)703-289-8479 (C)703-283-3734 ##
> > > > > #######################################################
> > > > >
> > > > > On Tue, 30 Jan 2001, Stephen Stuart wrote:
> > > > >
> > > > > >
> > > > > > > While it's not exactly a problem, it does give away that you're running
> > > > > > > bind9 (I do like the new 'version' option where you can set the
> > > > > > > version.bind reply) even if you change the version to appear to be a bind8
> > > > > > > server.
> > > > > >
> > > > > > "allow-query" lets you control who can see that information:
> > > > > >
> > > > > > zone "bind" chaos {
> > > > > >     allow-query {
> > > > > >         127.0.0.1 ;
> > > > > >         xxx.xxx.xxx.xxx/len ;
> > > > > >     } ;
> > > > > >     type master;
> > > > > >     file "filename";
> > > > > > };
> > > > > >
> > > > > > Stephen
> > > > > >
> > > > >
> > > > >
> > > >
> > >
> > > --
> > > Jared Mauch | pgp key available via finger from jared at puck.nether.net
> > > clue++; | http://puck.nether.net/~jared/ My statements are only mine.
> > > END OF LINE | Manager of IP networks built within my own home
> > >
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
> END OF LINE | Manager of IP networks built within my own home
>
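The probe the whole thread is about is a single TXT query for version.bind in class CHAOS (what `dig @host version.bind txt chaos` sends). The following is an added example, not code from this thread or from BIND: it builds that packet on the wire, parses a reply, and constructs two sample replies so it can be run offline. The first sample carries a made-up `version "bad-ass-bind";` string, the second is an answerless REFUSED, which is what a client outside the `allow-query` ACL gets. The function names, the transaction ID and the sample replies are all assumptions made here; nothing was captured from a real server. The point it illustrates is Stephen's and Bill's: the TXT string is whatever the operator configured, the ACL decides who sees it at all, and neither changes anything else about how the server answers.

```python
"""Wire-level view of the version.bind probe discussed in this thread.

Added example, not code from the thread or from BIND. build_version_query()
emits the same packet `dig @host version.bind txt chaos` would send,
parse_version_response() decodes a reply, and build_version_response()
constructs sample replies so the parser can be exercised offline.
query_server() is the only function that touches the network.
"""
import socket
import struct

# "version.bind" as DNS labels: \x07version\x04bind\x00 (14 bytes)
VERSION_BIND_QNAME = b"\x07version\x04bind\x00"
QTYPE_TXT = 16
QCLASS_CH = 3   # CHAOS, not IN: the usual IN-class zone ACLs do not apply to it


def build_version_query(txid=0x1234):
    """Header (ID, flags=0: standard query, RD clear) + one question, TXT in class CH."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + VERSION_BIND_QNAME + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _read_name(msg, off):
    """Decode a domain name at msg[off]; follows RFC 1035 compression pointers.
    Returns (dotted_name, offset just past the name in the original stream)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_version_response(msg):
    """Return rcode, the flags of interest and every CH TXT string in the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    txt = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):                      # TXT rdata: <len><chars>...
                n = rdata[i]
                txt.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return {"id": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "answers": ancount, "txt": txt}


def build_version_response(txid, version_text=None, rcode=0):
    """Constructed reply for offline testing (not a capture from any real server):
    a TXT answer carrying version_text, or an answerless reply with the given
    rcode (5 = REFUSED, what a client outside an allow-query ACL sees)."""
    ancount = 1 if version_text is not None else 0
    flags = 0x8000 | (0x0400 if ancount else 0) | rcode   # QR set; AA only when answering
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += VERSION_BIND_QNAME + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    if version_text is not None:
        data = version_text.encode("ascii")
        rdata = bytes([len(data)]) + data
        msg += b"\xc0\x0c"                             # pointer back to the question name
        msg += struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return msg


def query_server(host, port=53, timeout=2.0):
    """Send the probe to a live server over UDP and parse whatever comes back."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (host, port))
        reply, _ = s.recvfrom(512)
    result = parse_version_response(reply)
    if result["id"] != txid:
        raise ValueError("transaction ID mismatch")
    return result


if __name__ == "__main__":
    # Offline demo: the string is whatever the operator put in `version "...";`
    faked = parse_version_response(build_version_response(0x1234, "bad-ass-bind"))
    refused = parse_version_response(build_version_response(0x1234, None, rcode=5))
    print("version option set   ->", faked["txt"])      # ['bad-ass-bind']
    print("allow-query ACL hit  ->", "rcode", refused["rcode"], refused["txt"])  # rcode 5 []
```

Run as-is to see the two constructed cases; call query_server("ns.example") against a host you are allowed to probe to see what it actually reports. Bill's caveat still applies to anything the parser hands back: the TXT string is operator-supplied text, so it identifies the version only when the operator lets it.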
More information about the NANOG mailing list