North American Network Operators Group

Re: sorry to ruin several of your evenings...
Ok, so perhaps my initial post was not prefaced correctly: "instead of
disallowing queries, change the version returned to something bogus on your
spankin' new upgraded 'must be secure cause paul said so' version of BIND'?"
:) of course I'm not advocating leaving old/vulnerable versions of stuff
running... just denying the enemy intelligence they COULD use against you.

--Chris

On Tue, 30 Jan 2001, Jared Mauch wrote:

>
> 	The problem is that there are those that do not have their
> sysadmin staff at proper levels or will use some configuration options
> to their advantage to save doing work.  These people should use caution
> if they go about it this way instead of upgrading.
>
> 	You would be surprised how many requests i get for favico.ico on my
> web server still...
>
> 	- Jared
>
> On Tue, Jan 30, 2001 at 04:31:30PM -0500, Christopher L. Morrow wrote:
> >
> > I didn't say I didn't upgrade :) I just said why give out info you don't
> > need to give out.
> >
> > --Chris
> >
> > On Tue, 30 Jan 2001, Jared Mauch wrote:
> >
> > >
> > > 	The key here is that if you're going to spend time faking the
> > > real response of a query that time may be best spent fixing the
> > > real problem.
> > >
> > > 	People who will now complain about the number of machines they
> > > need to upgrade, etc.. should now evaluate the costs of running an internet
> > > connected network.  If these costs or risks are too high for you perhaps
> > > you need to evaluate your internet connection policies.
> > >
> > > 	- Jared
> > >
> > > On Tue, Jan 30, 2001 at 09:32:24PM +0000, [email protected] wrote:
> > > >
> > > > lets see... (from previous discussions on the usefulness of tweaking
> > > > the version)
> > > >
> > > > wearing my blackhat, i have to decide which system is worthy
> > > > of my talents... which one should I pick?
> > > >
> > > > version "bad-ass-bind";
> > > > -or-
> > > > version "9.1.0"
> > > >
> > > > of course I could be running 4.8.1 and simply recompile so it _reports_
> > > > a bogus version but the profile of a 9.1.0 code base is -very- distinct
> > > > from a 4.8.1 code base... esp on replies to queries.
> > > >
> > > > Pick your targets carefully.
> > > >
> > > > > Why not just return some 'bogus' version ??? like this option allows:
> > > > >
> > > > > version "bad-ass-bind";
> > > > >
> > > > > :)
> > > > >
> > > > > --Chris
> > > > >
> > > > > #######################################################
> > > > > ## UUNET Technologies, Inc.                          ##
> > > > > ## Manager                                           ##
> > > > > ## Customer Router Security Engineering Team         ##
> > > > > ## (W)703-289-8479 (C)703-283-3734                   ##
> > > > > #######################################################
> > > > >
> > > > > On Tue, 30 Jan 2001, Stephen Stuart wrote:
> > > > >
> > > > > > > While it's not exactly a problem, it does give away that you're running
> > > > > > > bind9 (I do like the new 'version' option where you can set the
> > > > > > > version.bind reply) even if you change the version to appear to be a bind8
> > > > > > > server.
> > > > > >
> > > > > > "allow-query" lets you control who can see that information:
> > > > > >
> > > > > > zone "bind" chaos {
> > > > > > 	allow-query {
> > > > > > 		127.0.0.1 ;
> > > > > > 		xxx.xxx.xxx.xxx/len ;
> > > > > > 	} ;
> > > > > > 	type master;
> > > > > > 	file "filename";
> > > > > > };
> > > > > >
> > > > > > Stephen
> > > > >
> > > >
> > > --
> > > Jared Mauch  | pgp key available via finger from [email protected]
> > > clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> > > END OF LINE  | Manager of IP networks built within my own home
> >
> --
> Jared Mauch  | pgp key available via finger from [email protected]
> clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
> END OF LINE  | Manager of IP networks built within my own home
>