Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
On Feb 28, 2018, at 09:57, G.W. Haywood via bind-users wrote:

> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
> Waste of time. The attacks are automated, and will be mounted anyway.

And attackers don't care what the version string is as they do not even look for it.

--
This is my signature. There are many like it, but this one is mine.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
Personally, I leave the version statement alone. I like having my "internal" servers return the current running version when queried. I disable chaos queries on my internet facing servers via views, thus effectively not answering any queries for the version or hostname from folks I don't know.

I agree that today's attackers really don't care, they just try to exploit everything known.

The other thing I do is code server-id=hostname; on my "internal" servers and server-id=; on my internet facing servers. This returns the actual hostname for "internal" servers when queried for the chaos hostname.bind or id.server or when responding to a +nsid request. It will not return an answer for chaos queries on the internet facing servers (because of the previously mentioned view restriction) while the response to a +nsid request will be a meaningful name.

This is especially handy on the "inside" for HA clusters and anycast cloud member servers as it returns the actual server name the response came from. For internet facing queries it will simply return the meaningful name you specified when responding to a +nsid request. Depending on the name chosen, this can be useful for troubleshooting. Choose wisely.

YMMV,
Bob
Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
> >> Good morning, I'm trying to make it more difficult for an attacker to
> >> get my DNS server version.
> >
> > Waste of time. The attacks are automated, and will be mounted anyway.
>
> Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you
> believe Win98SE?", which was an in-joke at the time but I like it well
> enough that it is still here 10+ years later.

Irrelevant aside: I have an Apache server which returns

    Server: Apache/2.4 (Sintran III)

Don't know Sintran III? https://en.wikipedia.org/wiki/Sintran_III :-)

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
On Wed, Feb 28, 2018 at 12:57 PM, G.W. Haywood via bind-users wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
> Waste of time. The attacks are automated, and will be mounted anyway.

Thank you - this has long been a position that I've held/espoused.

It is easier / cheaper / faster for an attacker to simply assume that a machine is running vulnerable software and try all exploits on it, instead of carefully checking to see what services / versions a server advertises and restricting to those. Also, if you are *not* running a vulnerable version of , it doesn't matter if the attacker knocks on the door, and if you *are* running a vulnerable version, having the attacker not know that doesn't provide you any protection.

I realize that this sounds somewhat ranty, but I've recently had to deal with some checklist-style security audits / certifications which require things like hiding version information (and pointing at the "firewall") while completely ignoring actual security issues (like "are the versions known vulnerable", "are the firewalls / ACLs / whatever sane", "do your users know not to click on unpaid_invoice.doc", "do you use 2FA", "are all your credentials 'Hunter2'"?)

W

> --
> 73,
> Ged.

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
On 2018-02-28 10:57, G.W. Haywood via bind-users wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
> Waste of time. The attacks are automated, and will be mounted anyway.

Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you believe Win98SE?", which was an in-joke at the time but I like it well enough that it is still here 10+ years later.

I've still seen modern attacks. As you say, the attacks are automated and there is no real advantage in checking versions first, it is easier to just throw everything at everyone.
RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
Hi there,

On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
> Good morning, I'm trying to make it more difficult for an attacker to
> get my DNS server version.

Waste of time. The attacks are automated, and will be mounted anyway.

--
73,
Ged.
Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
On 2/28/18 10:57 AM, Bob Harold wrote:
> Those instructions assume that the /etc/bind/named.conf.options file
> is 'included' in the main named.conf file.
> Just add the "version" line to your named.conf file options section.
[...]
> So my config file is at:
> /replicated/jail/named/etc/named.conf

Beware, however, of modifying "base" files that were installed by the package management system. If you change /etc/named.conf and it gets overwritten by your next package based upgrade (or the modified file causes your automated upgrade system to stop upgrading that package), you will be badly surprised.

(been there, done that, have the scrapes and bruises)
Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work
On Wed, Feb 28, 2018 at 8:55 AM, Ing. Pedro Pablo Delgado Martell <ppmart...@eleka.co.cu> wrote:
> Good morning, I'm trying to make it more difficult for an attacker to get
> my DNS server version. I have been following several posts about doing this
> and mostly all of them suggest modifying the
> */etc/bind/named.conf.options* file and add the lines:
>
>     options {
>         version "Not available"; // Or any bogus info or just none without quotes
>     };
>
> Then restart the service (*service bind9 restart*) and the version will
> not be shown, only the defined text, in this case "Not available". However,
> after doing this and restarting the service I'm still getting my server
> version. Am I placing these lines in the wrong file? Thanks in advance!
>
> Bind version: 9.10.2-P3
> OS: Debian GNU/Linux 8 (jessie)

Those instructions assume that the */etc/bind/named.conf.options* file is 'included' in the main named.conf file. Just add the "version" line to your named.conf file options section.

If you don't know where your named.conf file is, try this command:

    ps -ef | grep named

which should get some result, like maybe:

    named 1728 1 0 Feb11 ? 01:55:51 /usr/local/sbin/named -t /replicated/jail/named -u named -n 2 -U 2 -S 16384

If there was a "-c" option, it would tell you the name of the config file. If not, like this example, the default is "/etc/named.conf". Note the "-t" option, which says we are doing chroot to /replicated/jail/named

So my config file is at:

    /replicated/jail/named/etc/named.conf

--
Bob Harold
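Bob's procedure above, turned into an added shell example that is not part of the thread: it derives the config file named really loads from its "ps -ef | grep named" line (honouring -t for the chroot and -c for the config, defaulting to /etc/named.conf), then checks whether that file, or anything it includes, actually carries a "version" statement. The named command line and config files used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample ps line and config files are
# constructed below to reproduce the original poster's situation.
set -f   # no pathname globbing: the ps line contains a literal '?'

# Print the config path named opens, from its ps command line.
named_config_path() {
    chroot=""; conf="/etc/named.conf"      # default when -c is absent
    set -- $1                              # split the ps line into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -t) chroot="$2"; shift ;;      # named chroots here before opening files
            -c) conf="$2"; shift ;;        # so this path is relative to the chroot
        esac
        shift
    done
    printf '%s%s\n' "$chroot" "$conf"
}

# Return 0 if "$1$2" (chroot + path inside it) or any file it includes has a
# version statement; include paths are resolved inside the chroot, as named does.
has_version_statement() {
    [ -r "$1$2" ] || return 1
    grep -Eq '^[[:space:]]*version[[:space:]]' "$1$2" && return 0
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1$2" |
        while read -r inc; do
            has_version_statement "$1" "$inc" && echo found
        done | grep -q found
}

# Constructed scenario: named.conf.options sets "version", but named.conf only
# picks it up once an include line is added (the original poster's problem).
demo() {
    jail=$(mktemp -d)/jail; mkdir -p "$jail/etc"
    printf 'options {\n  version "Not available";\n};\n' > "$jail/etc/named.conf.options"
    printf 'options { directory "/var/cache/bind"; };\n' > "$jail/etc/named.conf"
    cfg=$(named_config_path "named 1728 1 0 Feb11 ? 01:55:51 /usr/local/sbin/named -t $jail -u named -n 2")
    has_version_statement "$jail" "${cfg#"$jail"}" && before=set || before=missing
    echo 'include "/etc/named.conf.options";' >> "$jail/etc/named.conf"
    has_version_statement "$jail" "${cfg#"$jail"}" && after=set || after=missing
    rm -rf "${jail%/jail}"
    echo "$cfg before=$before after=$after"
}
demo
```

Run it on a real box by feeding the actual `ps -ef | grep named` line to named_config_path and the chroot plus in-chroot path to has_version_statement; a "missing" result means the file you edited is never read by named.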
"Hiding" version.bind in /etc/bind/named.conf.options doesn't work
Good morning, I'm trying to make it more difficult for an attacker to get my DNS server version. I have been following several posts about doing this and mostly all of them suggest modifying the */etc/bind/named.conf.options* file and add the lines:

    options {
        version "Not available"; // Or any bogus info or just none without quotes
    };

Then restart the service (*service bind9 restart*) and the version will not be shown, only the defined text, in this case "Not available". However, after doing this and restarting the service I'm still getting my server version. Am I placing these lines in the wrong file? Thanks in advance!

Bind version: 9.10.2-P3
OS: Debian GNU/Linux 8 (jessie)