[Dnsmasq-discuss] Hiding/obscuring version.bind

Simon Kelley simon at thekelleys.org.uk
Fri Sep 9 20:56:51 BST 2016


Applied.

Something to think about: with this in effect, queries to *.bind get
treated like all others, i.e. they get forwarded upstream, so the
requestor may get an answer from an upstream nameserver. I've added a
comment to this effect to the definition of NO_ID.

Cheers,

Simon.



On 07/09/16 11:34, Kevin Darbyshire-Bryant wrote:
> Attached (in case the git send-email didn't work)
> 
> Kevin :-)
> 
> On 06/09/16 21:23, Simon Kelley wrote:
> a) I tend to agree that it's pointless.
> b) Not a run-time option, there are too many of those already.
> c) Maybe the simplest solution is something like a NO_ID compile time
> option that suppresses the whole .bind domain thing?
> 
> Certainly happy to take the patch.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> On 06/09/16 16:14, Kevin Darbyshire-Bryant wrote:
>>>> Hi Simon & all,
>>>>
>>>> There has been a bit of activity on the security front in LEDE and
>>>> a recent change proposed removing version numbers from software to
>>>> avoid it leaking to 'the bad guys'.  I'll say upfront that I'm not
>>>> a fan of this approach feeling that it's more of the 'security
>>>> through obscurity' route but minds cleverer than mine have thought
>>>> about this so from a LEDE point of view 'we're stuck with it'.
>>>>
>>>> LEDE's approach is to simply change the VERSION file to 'UNKNOWN'
>>>> at build time.  I dislike this because it also removes any info
>>>> from the startup logs or even 'dnsmasq --version' and on the basis
>>>> that 'version number' is a somewhat basic requirement when
>>>> providing advice/support here.  A suggestion has been made to
>>>> introduce a compile time option that replaces 'version.bind' with
>>>> 'dnsmasq-UNKNOWN', leaving all the usual version strings intact.
>>>> The suggestion was also made rather than having a LEDE specific
>>>> patch that 'upstream' dnsmasq might like this feature.
>>>>
>>>> I'm willing to do what should be a simple patch for that behaviour
>>>> but is it a) a good idea?  b) should it be a run-time option
>>>> instead?  c) should we consider obscuring other info as well?
>>>>
>>>> Cheers,
>>>>
>>>> Kevin
>>>>
>>>>
>>>> _______________________________________________ Dnsmasq-discuss
>>>> mailing list Dnsmasq-discuss at lists.thekelleys.org.uk
>>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>>
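The thread is about whether a dnsmasq build should keep answering the CHAOS-class TXT query for version.bind, and Simon's note points out that once NO_ID is in effect such queries are simply forwarded upstream, so the reply (if any) describes the upstream server rather than dnsmasq. The following is an added example, written for this page and not code from dnsmasq or from anyone on the list, that lets an operator check their own resolver for this disclosure. It implements just enough of the DNS wire format (RFC 1035) to send one version.bind query over UDP and read the TXT strings from the reply; the server address and port are caller-supplied assumptions, and build_txt_response exists only to construct sample replies for offline use, standing in for what a real resolver would send.

```python
"""
Check a resolver for the CHAOS-class TXT record "version.bind" (the record
dnsmasq's NO_ID build option suppresses).  Added example, not dnsmasq code.
No third-party DNS library: the few wire-format pieces needed are inlined.
"""
import random
import socket
import struct

CLASS_CH = 3     # CHAOS class, where BIND-style version.bind lives
TYPE_TXT = 16
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS label format (length-prefixed labels, zero end)."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name="version.bind", qtype=TYPE_TXT, qclass=CLASS_CH, txid=None):
    """Build a one-question query with RD set, as a normal stub resolver would."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_txt_response(query, strings, rcode=0):
    """Constructed reply for offline testing: echoes the question and answers with
    the given TXT strings, or with only an rcode when strings is empty."""
    txid, = struct.unpack("!H", query[:2])
    question = query[12:]
    answers = b""
    if strings:
        rdata = b"".join(bytes([len(s)]) + s.encode() for s in strings)
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers = struct.pack("!HHHIH", 0xC00C, TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    flags = 0x8180 | (rcode & 0xF)          # QR=1, RD=1, RA=1, plus rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 1 if strings else 0, 0, 0)
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer: follow it once
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg):
    """Return the transaction id, rcode name and every TXT string in the answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                              # skip qtype and qclass
    strings = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT:                 # TXT rdata is a run of <len><bytes> items
            pos = 0
            while pos < len(rdata):
                n = rdata[pos]
                strings.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "txt": strings}


def assess(result):
    """One-line verdict for the operator: is a version string being handed out?"""
    if result["txt"]:
        return "disclosed: " + " ".join(result["txt"])
    return "no version in answer (rcode %s)" % result["rcode"]


def probe(server, port=53, timeout=2.0):
    """Send the version.bind query to server over UDP and assess the reply."""
    query = build_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        reply, _ = sock.recvfrom(4096)
    result = parse_response(reply)
    if result["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch; reply not for our query")
    return assess(result)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against the resolver's own address to see what clients on the LAN are told. Keep Simon's caveat in mind when reading the verdict: on a NO_ID build a "disclosed" string is whatever the upstream server answered for version.bind, and a REFUSED or empty reply may likewise come from upstream rather than from dnsmasq itself, so the check says what leaks through this resolver, not which software produced the string.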