On Wed, Feb 28, 2018 at 12:57 PM, G.W. Haywood via bind-users <bind-users@lists.isc.org> wrote:
> Hi there,
>
> On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote:
>
>> Good morning, I'm trying to make it more difficult for an attacker to
>> get my DNS server version.
>
>
> Waste of time. The attacks are automated, and will be mounted anyway.

Thank you - this has long been a position that I've held/espoused. It is easier / cheaper / faster for an attacker to simply assume that a machine is running vulnerable software and try all exploits on it, instead of carefully checking to see what services / versions a server advertises and restricting to those.

Also, if you are *not* running a vulnerable version of <software>, it doesn't matter if the attacker knocks on the door, and if you *are* running a vulnerable version, having the attacker not know that doesn't provide you any protection.

I realize that this sounds somewhat ranty, but I've recently had to deal with some checklist-style security audits / certifications which require things like hiding version information (and pointing at the "firewall") while completely ignoring actual security issues (like "are the versions known vulnerable", "are the firewalls / ACLs / whatever sane", "do your users know not to click on unpaid_invoice.doc", "do you use 2FA", "are all your credentials 'Hunter2'"?).

W

>
> --
>
> 73,
> Ged.
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf