Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-03-04 Thread @lbutlr
On Feb 28, 2018, at 09:57, G.W. Haywood via bind-users 
 wrote:
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
> 
> Waste of time.  The attacks are automated, and will be mounted anyway.

And attackers don’t care what the version string is as they do not even look 
for it.

-- 
This is my signature. There are many like it, but this one is mine.


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-03-03 Thread Bob McDonald
Personally, I leave the version statement alone. I like having my
"internal" servers return the current running version when queried. I
disable chaos queries on my internet facing servers via views thus
effectively not answering any queries for the version or hostname  from
folks I don't know. I agree that today's attackers really don't care, they
just try to exploit everything known.

The other thing I do is code server-id=hostname; on my "internal" servers
and server-id=; on my internet facing servers. This
returns the actual hostname for "internal" servers when queried for the
chaos hostname.bind or id.server or when responding to a +nsid request. It
will not return an answer for chaos queries on the internet facing servers
(because of the previously mentioned view restriction) while the response
to a +nsid request will be a meaningful name. This is especially handy on
the "inside" for HA clusters and anycast cloud member servers as it returns
the actual server name the response came from. For internet facing queries
it will simply return the meaningful name you specified when responding to
a +nsid request. Depending on the name chosen, this can be useful for
troubleshooting. Choose wisely.

YMMV,

Bob


Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread sthaug
> >> Good morning, I'm trying to make it more difficult for an attacker to
> >> get my DNS server version.
> > 
> > Waste of time.  The attacks are automated, and will be mounted anyway.
> > 
> 
> Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you 
> believe Win98SE?", which was an in-joke at the time but I like it well 
> enough that it is still here 10+ years later.

Irrelevant aside: I have an Apache server which returns

Server: Apache/2.4 (Sintran III)

Don't know Sintran III? https://en.wikipedia.org/wiki/Sintran_III :-)

Steinar Haug, Nethelp consulting, sth...@nethelp.no


Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Warren Kumari
On Wed, Feb 28, 2018 at 12:57 PM, G.W. Haywood via bind-users
 wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
>
> Waste of time.  The attacks are automated, and will be mounted anyway.

Thank you - this has long been a position that I've held/espoused.

It is easier / cheaper / faster for an attacker to simply assume that
a machine is running vulnerable software and try all exploits on it,
instead of carefully checking to see what services / versions a server
advertises and restricting to those.
Also, if you are *not* running a vulnerable version of , it
doesn't matter if the attacker knocks on the door, and if you *are*
running a vulnerable version, having the attacker not know that
doesn't provide you any protection.

I realize that this sounds somewhat ranty, but I've recently had to
deal with some checklist-style security audits / certifications which
require things like hiding version information (and pointing at the
"firewall") while completely ignoring actual security issues (like
"are the versions known vulnerable", "are the firewalls / ACLs /
whatever sane", "do your users know not to click on
unpaid_invoice.doc", "do you use 2FA", "are all your credentials
'Hunter2'" ?)


W


>
> --
>
> 73,
> Ged.



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Dave Warren

On 2018-02-28 10:57, G.W. Haywood via bind-users wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
> Waste of time.  The attacks are automated, and will be mounted anyway.

Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you
believe Win98SE?", which was an in-joke at the time but I like it well
enough that it is still here 10+ years later.

I've still seen modern attacks. As you say, the attacks are automated
and there is no real advantage in checking versions first, it is easier
to just throw everything at everyone.




RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread G.W. Haywood via bind-users

Hi there,

On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:

> Good morning, I'm trying to make it more difficult for an attacker to
> get my DNS server version.

Waste of time.  The attacks are automated, and will be mounted anyway.

--

73,
Ged.


Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Alan Clegg
On 2/28/18 10:57 AM, Bob Harold wrote:

> Those instructions assume that the  /etc/bind/named.conf.options file
> is 'included' in the main named.conf file.
> Just add the "version" line to your named.conf file options section.

[...]

> So my config file is at:
> /replicated/jail/named/etc/named.conf

Beware, however of modifying "base" files that were installed by the
package management system.  If you change /etc/named.conf and it gets
overwritten by your next package based upgrade (or the modified file
causes your automated upgrade system to stop upgrading that package),
you will be badly surprised.

(been there, done that, have the scrapes and bruises)





Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Bob Harold
On Wed, Feb 28, 2018 at 8:55 AM, Ing. Pedro Pablo Delgado Martell <
ppmart...@eleka.co.cu> wrote:

> Good morning, I'm trying to make it more difficult for an attacker to get
> my DNS server version. I have been following several posts about doing this
> and mostly all of them suggest to modify the
> */etc/bind/named.conf.options* file and add the lines:
>
> options {
>     version "Not available";   // Or any bogus info or just none without quotes
> };
>
> Then restart the service (*service bind9 restart*) and the version will
> not be shown, only the defined text, in this case "Not available". However,
> after doing this and restarting the service I'm still getting my server
> version. Am I placing these lines in the wrong file? Thanks in advance!
>
> 
>
> Bind version:   9.10.2-P3
>
> OS:Debian GNU/Linux 8 (jessie)
>
Those instructions assume that the */etc/bind/named.conf.options* file
is 'included' in the main named.conf file.
Just add the "version" line to your named.conf file options section.

If you don't know where your named.conf file is, try this command:
ps -ef | grep named

which should get some result, like maybe:
named 1728 1  0 Feb11 ?01:55:51 /usr/local/sbin/named -t
/replicated/jail/named -u named -n 2 -U 2 -S 16384

If there was a "-c" option, it would tell you the name of the config file.
If not, like this example, the default is "/etc/named.conf".

Note the "-t" option, which says we are doing chroot to
/replicated/jail/named
So my config file is at:
/replicated/jail/named/etc/named.conf

-- 
Bob Harold
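The recipe above (read the named command line from ps, honour -c and -t, then look at the config named actually loads) as an added POSIX shell example; this is not code from the thread or from ISC. It assumes an absolute -c path and absolute include paths (the Debian layout, where named.conf includes named.conf.options); the jail it builds is constructed for the demo and reproduces the original poster's situation, where the edited file is never included by the loaded named.conf.

```shell
#!/bin/sh
# Added example (not from the thread): find the named.conf a running named
# actually loads, following the "ps -ef | grep named" recipe in the reply
# above, and report what "version" it sets. The sample jail built below is
# constructed for this demo; nothing here is the poster's real layout.

# Resolve the config path from a named command line as printed by ps.
# -c gives the config file (default /etc/named.conf); -t gives a chroot,
# inside which that path lives. Assumes an absolute -c path.
named_conf_path() {
    conf=/etc/named.conf
    root=""
    set -- $1                 # split the command line into words
    while [ $# -gt 0 ]; do
        case $1 in
            -c) conf=$2; shift ;;
            -t) root=$2; shift ;;
        esac
        shift
    done
    printf '%s%s\n' "$root" "$conf"
}

# Print the "version" value found in FILE or in a file it includes
# (one level, absolute include paths, as in the Debian layout).
# $2 is the chroot prefix to prepend to included paths ("" if none).
# Returns 1 when no version is set, i.e. named will reveal its real one.
version_setting() {
    file=$1; prefix=$2
    incs=$(sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$file")
    for f in "$file" $incs; do
        [ "$f" = "$file" ] || f="$prefix$f"
        [ -r "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*version[[:space:]]*\([^;]*\);.*/\1/p' "$f" \
            | head -n 1 | tr -d '"')
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    echo "unset (named will answer version.bind with its real version)"
    return 1
}

# Constructed sample reproducing the original poster's situation: the
# running named loads <jail>/etc/named.conf, which never includes
# /etc/bind/named.conf.options, so the "version" line there is ignored.
make_sample_jail() {
    jail=$(mktemp -d)
    mkdir -p "$jail/etc/bind"
    cat > "$jail/etc/named.conf" <<'EOF'
options {
    directory "/var/cache/bind";
};
EOF
    cat > "$jail/etc/bind/named.conf.options" <<'EOF'
options {
    version "Not available";   // or none without quotes, as the posts suggest
};
EOF
    printf '%s\n' "$jail"
}

# Run with "--demo" to see the check before and after adding the include.
if [ "${1:-}" = "--demo" ]; then
    jail=$(make_sample_jail)
    conf=$(named_conf_path "/usr/sbin/named -t $jail -u bind")
    echo "config loaded by named: $conf"
    echo "version setting: $(version_setting "$conf" "$jail")"
    echo 'include "/etc/bind/named.conf.options";' >> "$conf"
    echo "after adding the include: $(version_setting "$conf" "$jail")"
    rm -r "$jail"
fi
```

Running the script with --demo first reports the version as unset (the state the original poster saw), then appends the include line to the loaded named.conf and reports "Not available". On a real host, feed named_conf_path the command line from ps -ef and pass the -t directory as the prefix to version_setting; if the result is unset, the version line lives in a file named never reads.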


"Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Ing. Pedro Pablo Delgado Martell
Good morning, I'm trying to make it more difficult for an attacker to 
get my DNS server version. I have been following several posts about 
doing this and mostly all of them suggest to modify the 
*/etc/bind/named.conf.options* file and add the lines:


options {
    version "Not available";   // Or any bogus info or just none without quotes
};

Then restart the service (*service bind9 restart*) and the version will 
not be shown, only the defined text, in this case "Not available". 
However, after doing this and restarting the service I'm still getting 
my server version. Am I placing these lines in the wrong file? Thanks in 
advance!

Bind version:  9.10.2-P3
OS:            Debian GNU/Linux 8 (jessie)
