[Dnsmasq-discuss] Hiding/obscuring version.bind

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Tue Sep 6 16:14:10 BST 2016


Hi Simon & all,

There has been a bit of activity on the security front in LEDE and a 
recent change proposed removing version numbers from software to avoid 
it leaking to 'the bad guys'.  I'll say upfront that I'm not a fan of 
this approach feeling that it's more of the 'security through obscurity' 
route but minds cleverer than mine have thought about this so from a 
LEDE point of view 'we're stuck with it'.

LEDE's approach is to simply change the VERSION file to 'UNKNOWN' at 
build time.  I dislike this because it also removes any info from the 
startup logs or even 'dnsmasq --version' and on the basis that 'version 
number' is a somewhat basic requirement when providing advice/support 
here.  A suggestion has been made to introduce a compile time option 
that replaces 'version.bind' with 'dnsmasq-UNKNOWN', leaving all the 
usual version strings intact. The suggestion was also made rather than 
having a LEDE specific patch that 'upstream' dnsmasq might like this 
feature.

I'm willing to do what should be a simple patch for that behaviour but 
is it a) a good idea?  b) should it be a run-time option instead?  c) 
should we consider obscuring other info as well?

Cheers,

Kevin
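The proposal above is about what a resolver returns for the well-known `version.bind` TXT query in the CHAOS class. As an added example (not part of Kevin's message, and not dnsmasq's own code), the following Python builds that query in DNS wire form, parses a TXT answer back out, and flags whether the answer exposes a real version string rather than the proposed `dnsmasq-UNKNOWN` placeholder. An administrator can use it to confirm that a build which is supposed to hide its version actually does so; the sample response is constructed inline so the check runs offline. `check_resolver` is an optional live helper that sends the same packet to a resolver you operate.

```python
import socket
import struct

TYPE_TXT = 16    # TXT record type
CLASS_CH = 3     # CHAOS class, where version.bind lives


def build_version_bind_query(txid: int = 0x1234) -> bytes:
    """DNS query: QNAME=version.bind, QTYPE=TXT, QCLASS=CHAOS, RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in ("version", "bind")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def _read_name(msg: bytes, offset: int):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # pointer consumes 2 bytes
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_txt_answers(msg: bytes):
    """Return (flags, [txt strings]) from the answer section of a DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip question section
        _, offset = _read_name(msg, offset)
        offset += 4
    texts = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT:                          # rdata = sequence of <len><chars>
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
                pos += 1 + n
            texts.append("".join(parts))
    return flags, texts


def version_leaks(texts) -> bool:
    """True if any TXT answer carries something other than the UNKNOWN placeholder."""
    return any(t and not t.upper().endswith("UNKNOWN") for t in texts)


def build_txt_response(query: bytes, text: str) -> bytes:
    """Constructed fixture: answer the given query with one TXT record (not real server output)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    rdata = bytes([len(text)]) + text.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def check_resolver(host: str, port: int = 53, timeout: float = 2.0):
    """Live check against a resolver you operate; returns (leaks, txt strings)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (host, port))
        data, _ = s.recvfrom(512)
    _, texts = parse_txt_answers(data)
    return version_leaks(texts), texts


if __name__ == "__main__":
    q = build_version_bind_query()
    for sample in ("dnsmasq-2.76", "dnsmasq-UNKNOWN"):   # constructed answers
        _, texts = parse_txt_answers(build_txt_response(q, sample))
        print(sample, "->", "leaks version" if version_leaks(texts) else "hidden")
```

A resolver that refuses the query outright returns no answer records, which `version_leaks` also treats as hidden; the constructed `dnsmasq-2.76` and `dnsmasq-UNKNOWN` strings only stand in for the two behaviours discussed, not for any particular release.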
