[Dnsmasq-discuss] Hiding/obscuring version.bind

Simon Kelley simon at thekelleys.org.uk
Tue Sep 6 21:23:53 BST 2016


a) I tend to agree that it's pointless.
b) Not a run-time option, there are too many of those already.
c) Maybe the simplest solution is something like a NO_ID compile time
option that suppresses the whole .bind domain thing?

Certainly happy to take the patch.


Cheers,

Simon.


On 06/09/16 16:14, Kevin Darbyshire-Bryant wrote:
> Hi Simon & all,
> 
> There has been a bit of activity on the security front in LEDE and
> a recent change proposed removing version numbers from software to
> avoid it leaking to 'the bad guys'.  I'll say upfront that I'm not
> a fan of this approach feeling that it's more of the 'security
> through obscurity' route but minds cleverer than mine have thought
> about this so from a LEDE point of view 'we're stuck with it'.
> 
> LEDE's approach is to simply change the VERSION file to 'UNKNOWN'
> at build time.  I dislike this because it also removes any info
> from the startup logs or even 'dnsmasq --version' and on the basis
> that 'version number' is a somewhat basic requirement when
> providing advice/support here.  A suggestion has been made to
> introduce a compile time option that replaces 'version.bind' with
> 'dnsmasq-UNKNOWN', leaving all the usual version strings intact.
> The suggestion was also made rather than having a LEDE specific
> patch that 'upstream' dnsmasq might like this feature.
> 
> I'm willing to do what should be a simple patch for that behaviour
> but is it a) a good idea?  b) should it be a run-time option
> instead?  c) should we consider obscuring other info as well?
> 
> Cheers,
> 
> Kevin
> 
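
Added example, not part of the original thread and not dnsmasq code: an offline check of what a resolver build discloses in its answer to a CHAOS-class TXT query for version.bind, covering the three outcomes discussed above (real version, 'dnsmasq-UNKNOWN', no answer at all). The function names, the "dnsmasq-9.99" string and the sample responses are constructed for illustration, and treating an empty answer section as the result of a build that does not answer version.bind is an assumption.

```python
import re
import struct

TYPE_TXT, CLASS_CH = 16, 3  # TXT record type, CHAOS class

def build_query(qid, name="version.bind"):
    """Wire-format CHAOS TXT query, the question `dig chaos txt version.bind` asks."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack(">6H", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">2H", TYPE_TXT, CLASS_CH)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer is two bytes and ends the name
            return off + 2
        off += 1 + n

def chaos_txt_answers(msg):
    """Return (rcode, [TXT strings]) for CHAOS-class TXT records in the answer section."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    texts = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TYPE_TXT, CLASS_CH):
            parts, i = [], 0
            while i < len(rdata):  # TXT rdata is a run of length-prefixed strings
                parts.append(rdata[i + 1:i + 1 + rdata[i]])
                i += 1 + rdata[i]
            texts.append(b"".join(parts).decode("ascii", "replace"))
    return flags & 0x000F, texts

def classify(msg):
    """'discloses-version' if an answer holds a dotted number, else 'obscured' or 'no-answer'."""
    _rcode, texts = chaos_txt_answers(msg)
    if not texts:
        return "no-answer"
    return "discloses-version" if any(re.search(r"\d+\.\d+", t) for t in texts) else "obscured"

def sample_response(query, txt=None, rcode=0):
    """Constructed response to `query` (test data, not captured traffic)."""
    hdr = struct.pack(">6H", struct.unpack(">H", query[:2])[0], 0x8180 | rcode, 1, 1 if txt else 0, 0, 0)
    if txt is None:
        return hdr + query[12:]
    rdata = bytes([len(txt)]) + txt.encode()
    return hdr + query[12:] + b"\xc0\x0c" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
```

Run `classify()` over the raw reply from a resolver you operate to confirm that a packaging change had the intended effect on version.bind while `dnsmasq --version` and the startup log still report the real version.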


