
Re: Fingerprinting DNS implementations.



On Thu, 11 Dec 2003, Mathias Samuelson wrote:

> I've heard some people argue that they shouldn't run 
> anything other than whatever version of BIND Sun bundles with Solaris, no 
> matter how many vulnerabilities there are in that software. 

Sun (like most vendors) won't provide software support if you aren't
running what they bundled.  But they do provide their own updates. You 
have to take those updates.

But I don't run Bind at all for security reasons.  

> Obscuring the fact that one is running such software doesn't seem to be
> a good security measure anyway.

Certainly, in the more mature area of OS fingerprinting, quite a lot of
people disagree.  Hiding this kind of information is the first thing
security consultants recommend.  Security by obscurity is a valid and
effective form of security.  Call a bank, and ask them what kind of alarm
system they have.  Even the manuals for airport security systems are
restricted.  This is security by obscurity.

Everything has weaknesses. Every software has an exploit.  Thinking
otherwise is unrealistic.

		--Dean


--
archive: <http://ops.ietf.org/lists/namedroppers/>