Home page logo

bugtraq logo Bugtraq mailing list archives

Re: fingerprinting BIND 9.1.0
From: "William D. Colburn (aka Schlake)" <wcolburn () NMT EDU>
Date: Wed, 31 Jan 2001 08:15:01 -0700

The FAQ file that comes with the distribution already covers all this.
While it used to seem like a good idea to obfuscate version numbers,
things like nmap can be written for just about any internet service
which would make version obfuscation just a false sense of security.
Even if your version is obscured, a known exploit will still work
against it if someone tries.  I agree with the BIND people that there
isn't much point in hiding that information.

FAQ>Q: How do I restrict people from looking up the server version?
FAQ>A: Put a "version" option containing something other than the real
FAQ>version in the "options" section of named.conf.  Note doing this will
FAQ>not prevent attacks and may impede people trying to diagnose problems
FAQ>with your server.  Also it is possible to "fingerprint" nameservers to
FAQ>determine their version.
FAQ>Q: How do I restrict only remote users from looking up the server
FAQ>A: The following view statement will intercept lookups as the internal
FAQ>view that holds the version information will be matched last.  The
FAQ>caveats of the previous answer still apply, of course.
FAQ>  view "chaos" chaos {
FAQ>          match-clients { <those to be refused>; };
FAQ>          allow-query { none; };
FAQ>          zone "." {
FAQ>                  type hint;
FAQ>                  file "/dev/null";  // or any empty file
FAQ>          };
FAQ>  };

On Tue, Jan 30, 2001 at 07:14:20PM -0600, buglist () SHIKAHR COM INTER NET wrote:
Date:         Tue, 30 Jan 2001 19:14:20 -0600
From: buglist () SHIKAHR COM INTER NET
Subject:      Re: fingerprinting BIND 9.1.0

In message < () 127 0 0 01>
Max Vision writes:

The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded
chaos record called "authors".

   [ snip ]

% dig @ns.example.com authors.bind chaos txt

I've been playing some with BIND 9.1.0, and have found that queries
like this can be suppressed using the new "view" capability. I now
have in my named.conf, the following:

   view "external-chaos" chaos {
        match-clients { any; };
        recursion no;
        zone "." {
                type hint ;
                file "/dev/null";

and a similar entry for hesiod records. Queries then against either
chaos or hesiod records will come back as "servfail".

Alternatively, creating your own "bind." domain with CH, rather than
IN, records for SOA and TXT data will override hardcoded values. I've
also got a "bind." domain that has this record:

   version.bind.    0    ch   txt     "Who knows"

so that if I don't use a "view" to block chaos records, then at least
I give out only information that I want to give out.

Randall Raemon
shikahr.com.inter.net, email to rlr

William Colburn, "Sysprog" <wcolburn () nmt edu>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/     http://www.nmt.edu/~wcolburn

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]