[18902] in bugtraq
Re: fingerprinting BIND 9.1.0
daemon@ATHENA.MIT.EDU (William D. Colburn (aka Schlake))
Wed Jan 31 12:48:20 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010131081500.A28195@nmt.edu>
Date: Wed, 31 Jan 2001 08:15:01 -0700
Reply-To: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
From: "William D. Colburn (aka Schlake)" <wcolburn@NMT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <E14Nlqm-000LUd-00@tuvela.shikahr.com.inter.net>; from
buglist@SHIKAHR.COM.INTER.NET on Tue, Jan 30,
2001 at 07:14:20PM -0600
The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries. I agree with the BIND people that there
isn't much point in hiding that information.
FAQ>Q: How do I restrict people from looking up the server version?
FAQ>
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf. Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server. Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>version?
FAQ>
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last. The
FAQ>caveats of the previous answer still apply, of course.
FAQ>
FAQ> view "chaos" chaos {
FAQ> match-clients { <those to be refused>; };
FAQ> allow-query { none; };
FAQ> zone "." {
FAQ> type hint;
FAQ> file "/dev/null"; // or any empty file
FAQ> };
FAQ> };
On Tue, Jan 30, 2001 at 07:14:20PM -0600, buglist@SHIKAHR.COM.INTER.NET wrote:
> Date: Tue, 30 Jan 2001 19:14:20 -0600
> From: buglist@SHIKAHR.COM.INTER.NET
> Subject: Re: fingerprinting BIND 9.1.0
> To: BUGTRAQ@SECURITYFOCUS.COM
>
> In message <5.0.2.1.2.20010129125423.00a7f990@127.0.0.01>
> Max Vision writes:
>
> > The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
> > chaos record called "authors".
>
> [ snip ]
>
> > % dig @ns.example.com authors.bind chaos txt
>
> I've been playing some with BIND 9.1.0, and have found that queries
> like this can be suppressed using the new "view" capability. I now
> have in my named.conf, the following:
>
> view "external-chaos" chaos {
> match-clients { any; };
> recursion no;
> zone "." {
> type hint ;
> file "/dev/null";
> };
> };
>
> and a similar entry for hesiod records. Queries then against either
> chaos or hesiod records will come back as "servfail".
>
> Alternatively, creating your own "bind." domain with CH, rather than
> IN, records for SOA and TXT data will override hardcoded values. I've
> also got a "bind." domain that has this record:
>
> version.bind. 0 ch txt "Who knows"
>
> so that if I don't use a "view" to block chaos records, then at least
> I give out only information that I want to give out.
>
> --
> Randall Raemon
> shikahr.com.inter.net, email to rlr
--
William Colburn, "Sysprog" <wcolburn@nmt.edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn
