sorry to ruin several of your evenings...

let's see... (from previous discussions on the usefulness of tweaking
the version)
  
  wearing my blackhat, i have to decide which system is worthy
  of my talents... which one should I pick?

  version "bad-ass-bind";
  -or-
  version "9.1.0"

of course I could be running 4.8.1 and simply recompile so it _reports_
a bogus version but the profile of a 9.1.0 code base is -very- distinct
from a 4.8.1 code base... esp. on replies to queries.

Pick your targets carefully.

attack away... it's a bit harder to figure out what it is... and bind's
not exploitable (at least not yet...) so as long as all other things are
'ok' I'm just denying intel to the 'enemy'... besides, tcp queries are
verboten anyway :)

--Chris
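The thread turns on what BIND's `version "...";` option in named.conf actually hands out to a CHAOS-class TXT query for version.bind. The following is an added example, not code from the thread or from ISC: it builds that query on the wire, parses the TXT answer, and runs against two constructed response packets (one from a server set to `version "bad-ass-bind";`, one that refuses the query) so it works offline. The `query_live` helper, the transaction id and the packet bytes are assumptions for illustration; only the `version "bad-ass-bind";` string comes from the thread.

```python
"""
Added example (not from the thread): build a CHAOS TXT query for
version.bind and parse what the server answers, so an operator can check
what the `version "..."` option in named.conf really discloses.
The response bytes below are constructed, not captured from a server.
"""
import socket
import struct

QNAME = "version.bind"
QTYPE_TXT = 16
QCLASS_CH = 3          # CHAOS class, where BIND serves version.bind


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_version_query(txid: int = 0x1234) -> bytes:
    """Return a DNS query packet for version.bind TXT CH (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:          # compression pointer, RFC 1035 4.1.4
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_version_response(pkt: bytes):
    """Return (rcode, [TXT strings]) from the answer section of a version.bind reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                    # skip the echoed question
        _, off = decode_name(pkt, off)
        off += 4
    strings = []
    for _ in range(an):
        _, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            i = 0
            while i < len(rdata):          # TXT rdata is a sequence of <len><chars>
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return rcode, strings


def query_live(server: str, timeout: float = 2.0):
    """Send the query over UDP to one of your own servers and parse the reply (assumed helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data)


# Constructed reply from a server configured with `version "bad-ass-bind";`
# (flags 0x8580: QR, AA, RD, RA, rcode 0; answer name is a pointer to offset 12).
SAMPLE_TXT_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + encode_name(QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, 13)
    + b"\x0cbad-ass-bind"
)
# Constructed REFUSED reply (rcode 5), as a server that declines the
# version.bind query altogether would return.
SAMPLE_REFUSED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
    + encode_name(QNAME) + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)
)

if __name__ == "__main__":
    print(parse_version_response(SAMPLE_TXT_RESPONSE))      # (0, ['bad-ass-bind'])
    print(parse_version_response(SAMPLE_REFUSED_RESPONSE))  # (5, [])
```

Run it against one of your own resolvers with `query_live("192.0.2.1")` (placeholder address) after changing the option and reloading: the TXT string is what the option hands out, and a rcode of 5 means the query is being refused rather than answered. As Chris notes, the reply to a normal query still fingerprints the code base, so the option hides a label, not the software.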

The key here is that if you're going to spend time faking the
real response of a query that time may be best spent fixing the
real problem.

  People who will now complain about the number of machines they
need to upgrade, etc.. should now evaluate the costs of running an internet
connected network. If these costs or risks are too high for you perhaps
you need to evaluate your internet connection policies.

  - Jared

However if I run a safe version of bind _and_ pay attention to my logfiles
I may actually catch a couple of nosy crackerjacks in the attempt and keep
an eye out before they find something which _is_ vulnerable.

Whether it's operationally sane to use such honeypot functionality on a
production server remains to be seen.

Pi

I didn't say I didn't upgrade :) I just said why give out info you don't
need to give out.

--Chris

The problem is that there are those that do not have their
sysadmin staff at proper levels or will use some configuration options
to their advantage to save doing work. These people should use caution
if they go about it this way instead of upgrading.

  You would be surprised how many requests i get for favicon.ico on my
web server still...

  - Jared

Ok, so perhaps my initial post was not prefaced correctly: "instead of
disallowing queries, change the version returned to something bogus on
your spankin' new upgraded 'must be secure cause paul said so' version of
BIND'?"

:) of course I'm not advocating leaving old/vulnerable versions of stuff
running... just denying the enemy intelligence they COULD use against you.

--Chris

Jared Mauch wrote:

        The problem is that there are those that do not have their
sysadmin staff at proper levels or will use some configuration options
to their advantage to save doing work. These people should use caution
if they go about it this way instead of upgrading.

Such people will always exist, and warnings such as yours generally won't
be heeded by those people.