[Dnsmasq-discuss] Hiding/obscuring version.bind

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Wed Sep 7 11:34:32 BST 2016


Attached (in case the git send-email didn't work)

Kevin :-)

On 06/09/16 21:23, Simon Kelley wrote:
> a) I tend to agree that it's pointless.
> b) Not a run-time option, there are too many of those already.
> c) Maybe the simplest solution is something like a NO_ID compile time
> option that suppresses the whole .bind domain thing?
>
> Certainly happy to take the patch.
>
>
> Cheers,
>
> Simon.
>
>
> On 06/09/16 16:14, Kevin Darbyshire-Bryant wrote:
>> Hi Simon & all,
>>
>> There has been a bit of activity on the security front in LEDE and
>> a recent change proposed removing version numbers from software to
>> avoid it leaking to 'the bad guys'.  I'll say upfront that I'm not
>> a fan of this approach, feeling that it's more of the 'security
>> through obscurity' route, but minds cleverer than mine have thought
>> about this, so from a LEDE point of view 'we're stuck with it'.
>>
>> LEDE's approach is to simply change the VERSION file to 'UNKNOWN'
>> at build time.  I dislike this because it also removes any info
>> from the startup logs or even 'dnsmasq --version' and on the basis
>> that 'version number' is a somewhat basic requirement when
>> providing advice/support here.  A suggestion has been made to
>> introduce a compile time option that replaces 'version.bind' with
>> 'dnsmasq-UNKNOWN', leaving all the usual version strings intact.
>> The suggestion was also made rather than having a LEDE specific
>> patch that 'upstream' dnsmasq might like this feature.
>>
>> I'm willing to do what should be a simple patch for that behaviour
>> but is it a) a good idea?  b) should it be a run-time option
>> instead?  c) should we consider obscuring other info as well?
>>
>> Cheers,
>>
>> Kevin
>>
>>
>> _______________________________________________ Dnsmasq-discuss
>> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dnsmasq-compile-time-option-NO_ID.patch
Type: text/x-patch
Size: 4541 bytes
Desc: not available
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20160907/eb9f89d0/attachment.bin>
