Re: bindvrs Vulnerability

2010-01-12 Thread Chris Buxton
On Jan 11, 2010, at 11:26 PM, Balanagaraju Munukutla wrote:
> Hi 
> 
> How to Disable the BIND version query feature in BIND 9.2.1. 
> 
> This is a bindvrs Vulnerability. 

This is not a vulnerability, it's a feature. The vulnerability relates to 
running BIND 9.2.1 - there are several very serious security issues with BIND 
9.2.x. Update to something current.

Chris Buxton

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: bindvrs Vulnerability

2010-01-12 Thread Kevin Darcy

Hiding your version accomplishes little.

a) attackers can use "fingerprinting" technology to determine your 
BIND version even if you obscure it
b) attackers can just brute force all of the known attacks in the hopes 
that you're vulnerable to at least one of them


The real solution is to upgrade to a version that's not vulnerable.


  - Kevin

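The probe this thread is arguing about, as an added example (not part of the original posts, and not code from BIND or ISC): the Python below builds the CHAOS-class TXT query for version.bind in wire format, exactly what `dig @server version.bind txt chaos` sends, decodes the answer, and reports whether the server handed back something that looks like an ISC version string, an operator-supplied string such as the "Confidential" suggested later in the thread, or a refusal. The server answers used by `build_txt_response` are constructed test data, not captured traffic; the digits-and-dots test in `classify` is an assumption about what an unmasked ISC build returns. `query_version` sends the probe over UDP to a server you name and is the only part that touches the network.

```python
import re
import socket
import struct

QTYPE_TXT = 16
QCLASS_CHAOS = 3
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(txid=0x1234, qname="version.bind", qtype=QTYPE_TXT, qclass=QCLASS_CHAOS):
    """The query `dig @server version.bind txt chaos` sends: one question, RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return the transaction id, response code and every CHAOS TXT string in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    txts = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            i = 0
            while i < len(rdata):                  # TXT rdata is a series of <len><chars>
                n = rdata[i]
                txts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    rcode = flags & 0xF
    return {"id": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)), "txt": txts}


def classify(result):
    """Assumption: a stock ISC build answers with digits and dots (9.2.1, 9.4.2-P2);
    any other NOERROR answer is an operator-supplied `version` string."""
    if result["rcode"] != "NOERROR":
        return "refused-or-error"
    if not result["txt"]:
        return "empty"
    return "looks-like-version" if re.match(r"^\d+\.\d+", result["txt"][0]) else "masked"


def build_txt_response(query, txt, rcode=0):
    """Constructed server answer for tests (not captured traffic): echoes the question and,
    unless txt is None, adds one TXT record whose name points back at the question (0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (rcode & 0xF)                 # QR, RD, RA plus the response code
    if txt is None:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = bytes([len(txt)]) + txt.encode("ascii")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def query_version(server, port=53, timeout=2.0):
    """Send the probe over UDP to a server you name and decode what comes back."""
    q = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(512)
    result = parse_response(data)
    if result["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch")
    return result
```

Note what this does and does not tell you: it only reports what the server chooses to say. A masked answer stops this one query, which is Kevin's point (a); it does nothing about someone who fingerprints the server's behaviour or simply throws every known attack at it.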


RE: bindvrs Vulnerability

2010-01-12 Thread Lightner, Jeff
Sometimes you have to do things like hiding your version just because it
came up on the security audit.  It's a lot easier to make them shut up
by doing what they want than by explaining to them that what they want
is meaningless.



Re: bindvrs Vulnerability

2010-01-12 Thread Alan Clegg
Lightner, Jeff wrote:
> Sometimes you have to do things like hiding your version just because it
> came up on the security audit.  It's a lot easier to make them shut up
> by doing what they want than by explaining to them that what they want
> is meaningless.

That said, if your "security audit" allows you to run BIND 9.2 then it's
a complete waste of time anyway and that fact should be brought to
someone's attention.

AlanC


RE: bindvrs Vulnerability

2010-01-12 Thread Lightner, Jeff
Well maybe...

As has been noted before folks like RedHat use a base BIND version then
backport security and bug fixes into it.   The OP didn't say what he was
running on.   I don't know that there are any supported RHEL versions
that use 9.2 but also don't know that there aren't.

In fact our security audits routinely flag some RedHat things because
they look only at the base package version and not the extended
versioning RedHat uses for such backported packages.   For BIND blocking
the version keeps the auditors from asking the question since they don't
know base version let alone extended version.

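The audit mismatch Jeff describes, as an added example (not part of the original posts, and not code from ISC or Red Hat): the Python below parses a version.bind answer into ISC's major.minor.patch[-Pn] form, keeps anything after that as a vendor suffix, and gives the verdict an auditor's script should give. A bare base-version comparison is only meaningful for a stock ISC build; once a vendor suffix is present the base number says nothing about which fixes were backported, so the script says "check-vendor-errata" rather than "below-minimum". The Red Hat-style string used in the usage note and test is illustrative of the extended form Jeff mentions, not taken from a real package, and the 9.4.3-P3 minimum is just a parameter (it is the floor Chris Thompson gives later in the thread for the 9.4.x branch).

```python
import re

# ISC form: major.minor.patch with an optional -Pn security patch level; anything after
# that (for instance a distribution's own release tag) is kept as a vendor suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?(.*)$")


def parse_bind_version(text):
    """Return {'base': (major, minor, patch, plevel), 'vendor': str|None, 'text': str},
    or None if the string is not in ISC form (e.g. an operator-supplied `version`)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, plevel, rest = m.groups()
    return {"base": (int(major), int(minor), int(patch), int(plevel or 0)),
            "vendor": rest.lstrip("-") or None,
            "text": text.strip()}


def version_at_least(text, minimum):
    """Compare two ISC-style strings by (major, minor, patch, plevel); -P3 beats -P2."""
    a, b = parse_bind_version(text), parse_bind_version(minimum)
    if a is None or b is None:
        raise ValueError("not an ISC-style version string")
    return a["base"] >= b["base"]


def audit_version(text, minimum):
    """Verdict for a version.bind answer measured against a minimum base version."""
    p = parse_bind_version(text)
    if p is None:
        return "unknown"                  # masked or unparsable: this check cannot be made
    if p["base"] >= parse_bind_version(minimum)["base"]:
        return "ok"
    # Below the minimum on base number alone. For a stock build that is the answer;
    # for a vendor build the backported fixes live in the vendor release, not here.
    return "check-vendor-errata" if p["vendor"] else "below-minimum"


if __name__ == "__main__":
    # Illustrative inputs: two stock ISC strings and one constructed vendor-style string.
    for v in ("9.2.1", "9.4.3-P3", "9.3.6-P1-RedHat-9.3.6-4.P1.el5", "Confidential"):
        print(f"{v:40s} -> {audit_version(v, '9.4.3-P3')}")
```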


Re: bindvrs Vulnerability

2010-01-12 Thread Audrey Beach
Nagaraj
One way is to make a change in named.conf; see below.  This will
output what you supply instead of the version number.


change in named.conf

options {
  version "Confidential";
};


Hope this is what you were looking for.

file descriptor limits eating my lunch

2010-01-12 Thread Patrick Larkin Jr


I've been running BIND 9.4.2-P2 since shortly after
it came out.  I'm on Solaris 10, and two of my 6
machines are complaining about too many open
file descriptors.  I've searched here, and around
and here is what I know:

running 'pfiles' on named on the two complaining
show 1023 files the happy ones are showing less
than that.  This tells me there's a limit of 1024
somewhere.

Looking at my system's ulimits, (and experimenting)
it appears the default is 65536, but just confirm
that, I put set rlim_fd_cur=2048 into /etc/system,
rebooted, and ulimit reflected the change.  But
alas, pfiles still only shows 1023.

Doublechecking named.conf, I have had this forever:
files unlimited;

I see mentions of 'FD_SETSIZE' in the source, but I
can't figure out how to see what it is set for in my build,
nor really how to change it.

Where else could named be limited to 1024 that I'm missing?
Thanks!

P.S.  I built it on a generic build machine, and run it
on dedicated DNS caching resolver machines, if that makes a diff.

--
 Patrick Larkin Jr - Dallas Texas USA
   Earthlink Core Services Engineering
  plar...@corp.earthlink.net




Re: file descriptor limits eating my lunch

2010-01-12 Thread Chris Thompson

On Jan 12 2010, Patrick Larkin Jr wrote:

> I've been running BIND 9.4.2-P2 since shortly after
> it came out.  I'm on Solaris 10,

With that combination, you would be much better off running 
9.4.3 or later (at least 9.4.3-P3 for security reasons if 
you have to stick to 9.4.x). This will use poll(2) rather
than select(3c) and get you away from the whole ghastly
FD_SETSIZE mess, which is almost certainly the cause of
your problems:

> and two of my 6
> machines are complaining about too many open
> file descriptors.  I've searched here, and around
> and here is what I know:
>
> running 'pfiles' on named on the two complaining
> show 1023 files the happy ones are showing less
> than that.  This tells me there's a limit of 1024
> somewhere.

[... rest snipped ...]

--
Chris Thompson
Email: c...@cam.ac.uk
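What Chris is describing, as an added example (not part of the original posts, and not BIND's own code): the Python below raises the soft RLIMIT_NOFILE, which is what Patrick's ulimit and rlim_fd_cur change did, allocates descriptors past 1024, and then tries to watch the highest one first with select() and then with poll(). CPython's select() refuses any descriptor at or above FD_SETSIZE because fd_set is a fixed-size bitmap; a C program that FD_SETs such a descriptor writes outside that bitmap, which is why a select()-based server has to stop at that point no matter what the rlimit says. poll() takes an array of struct pollfd and does not care what number the descriptor has. The value 1024 for FD_SETSIZE is an assumption (Python does not expose it, and it is the usual default), and if the hard limit in your environment is too low to allocate that many descriptors the probe reports that instead of demonstrating anything.

```python
import os
import resource
import select

FD_SETSIZE = 1024   # assumption: the usual libc default; the limit Patrick is hitting


def raise_nofile_soft_limit(wanted):
    """Raise the soft RLIMIT_NOFILE towards `wanted` (the equivalent of the
    ulimit / rlim_fd_cur change in the post). Returns the soft limit in effect."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    if soft >= wanted:
        return soft
    target = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
    resource.setrlimit(resource.RLIMIT_NOFILE, (target, hard))
    return target


def probe_fd_setsize(high=FD_SETSIZE + 64):
    """Open descriptors until one numbered >= `high` exists, then try to watch that
    descriptor with select() and with poll(). All descriptors are closed on the way out."""
    result = {"soft_limit": None, "reached": False, "top_fd": None,
              "select_rejected": None, "poll_ok": None}
    fds = []
    try:
        result["soft_limit"] = raise_nofile_soft_limit(high + 16)
        if result["soft_limit"] < high + 16:
            return result            # hard limit too low here; nothing can be shown
        r, w = os.pipe()
        fds.extend((r, w))
        top = w
        while top < high:
            top = os.dup(w)          # dups share the pipe's write end; only the number matters
            fds.append(top)
        result["reached"] = True
        result["top_fd"] = top

        # select(): CPython checks fd < FD_SETSIZE before touching the fd_set and raises
        # ValueError("filedescriptor out of range in select()") otherwise.
        try:
            select.select([], [top], [], 0)
            result["select_rejected"] = False
        except ValueError:
            result["select_rejected"] = True

        # poll(): no fixed-size bitmap, so the same descriptor is watched without complaint.
        p = select.poll()
        p.register(top, select.POLLOUT)
        events = p.poll(0)           # an empty pipe is writable, so POLLOUT fires at once
        result["poll_ok"] = any(fd == top and ev & select.POLLOUT for fd, ev in events)
        return result
    finally:
        for fd in fds:
            os.close(fd)


if __name__ == "__main__":
    for k, v in probe_fd_setsize().items():
        print(f"{k:16s} {v}")
```

The lesson for named is the one Chris draws: `files unlimited;` and a bigger rlimit only move the second ceiling, the select() bitmap is the first one, and only a build that uses poll() gets past it.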


Re: bindvrs Vulnerability

2010-01-12 Thread Niobos

On 12 Jan 2010, at 17:15, Lightner, Jeff wrote:

> For BIND blocking
> the version keeps the auditors from asking the question since they
> don't know base version let alone extended version.

Which tells more about the auditors than about the feature to do so.
