W2K and MAC OS9 Flood Root Nameservers?
wizzy writes "Ireland's top-level domain registry has a notice on Microsoft and Apple DHCP clients sending dynamic DNS updates per RFC2136. The problem is they are not sufficiently careful about where they send it if they are in RFC1918 space - usually used for behind-firewall addressing, which is where they usually are. This is resulting in bogus updates being sent at the rate of nearly one million an hour to root nameservers, only to be rejected - as reported on the NANOG mailing list."
With Photoshop 7 out and this, now Mac OS9 users have an even better reason to upgrade to OS X - "to save the Internet." :)
Yet another reason to use firewalls to filter _OUTGOING_ connections and not only incoming ones (the other reason: to avoid backdoors).
This reeks of something that should've been caught in user testing. Unless, of course, Microsoft and Apple decided that they didn't care about the operators of the root nameservers.
Just another reason to start using Mac OS X... or let's start educating people. I wonder how many resources those bad changes use up anyway....
Their name servers are under the "IE" domain...
Christ! Which link is the real story?
Before everyone jumps down MS's throat (or Apple's) does anyone know how to reconfigure a system to fix this issue?
I know these problems. In my small ISP company, we are running our own nameserver.
The logs are flooded with rejected name server updates (several hundred a day).
They are mostly coming from misconfigured W2K servers from our customers, running their intranet with DHCP and using the same domain as in the real net.
Sadly, we contacted the administrator, but he didn't have a clue what I was talking about (they're just running Windows on their server because they know Windows...)
Usually I would suggest using an internal domain name that doesn't exist on the Internet and just "masquerading" the mail domains. So resolving internal addresses from outside fails if some information slips out, and the internal servers won't resolve to some external name server when an internal server should be contacted.
They only solve a SYMPTOM of the issue. These people need to set their systems up correctly! Either a) install MS-DNS and point your boxen at that, or b) use BIND, but ENABLE dyn-dns and stop this traffic at the local level. ;)
And if you use an RFC1918 address space, your DNS server should have reverse lookups enabled for that address space - even a split zone so the world won't see them - and that will a) make management of the network easier, and b) prevent problems like this from happening.
The root nameservers initially thought that they'd been linked to by /. daily, but then realized that nobody cared about them :)
Another problem is that people are naming their boxes after popular domains that they don't own, and the dynamic updates are pounding the hell out of the domain owners' nameservers. If anyone here is doing this, owl.com and jove.com were two of the domains named.
Sealbeater
I thought this sounds more like a case of misconfiguration than a bad server itself.
Also, assuming that people are DHCP'ing on a local 192.168.* address space, shouldn't upstream routers (especially those on cable companies and the like) automatically filter out any packets with local addressing as opposed to forwarding them?
In fact you'd think they'd filter out ANY DHCP information coming from their subscribers as opposed to sending it out publicly?
>This reeks of something that should've been caught in user testing.
How many users have Clue One what a root nameserver is? Of those, how many would be able to tell whether their NS queries are going to their local nameservers or to a root server?
How many developers would be able to tell?
This is the kind of problem that's not apparent until it's too late. User testing and QA won't find stuff on such low levels.
How big of a problem is this really going to be?
Will any ISP's decide to firewall these (like when @home firewalled port 80)? Or will Micros0ft Update fix this quick enough (it is automatic, is it not)?
There are a couple thousand Windows machines of various flavors inside my network and they are constantly generating crap lookups. I see my poor machines forwarding them to the outside, no doubt pissing someone off.
Where 'FOO' is one of our servers:
FOO.k12.co.us
FOO.co.us
FOO.us
FOO (this is what hits the root servers)
These things are trying to do DNS even when WINS would have a perfectly good answer. Multiply this by thousands of lemming systems and you have a bunch of load that should never be there.
I wonder if adding NS records for the bogus in-addr.arpa domains would help, i.e.:
168.192.in-addr.arpa NS 192.168.1.1
10.in-addr.arpa NS 10.0.0.1
...
Claus
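To make the suggestion above concrete, here is an added example (not from the thread or from any poster) that generates the RFC 1918 reverse zones a local nameserver should be authoritative for, the matching BIND named.conf stanzas, and a check of which local zone should absorb the reverse lookup or update for a given address; the zone file name db.empty and the localhost. SOA/NS names are placeholders to adapt.

```python
"""Local sink zones for RFC 1918 reverse lookups and dynamic updates.

Added example: builds the in-addr.arpa zone names that cover the three
private blocks, emits BIND named.conf stanzas making a local nameserver
authoritative for them, and tells which local zone should absorb the
PTR query or RFC 2136 update for a given address instead of letting it
travel to the root servers.
"""
import ipaddress

# The three private blocks from RFC 1918.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_reverse_zones():
    """in-addr.arpa zones covering all RFC 1918 space.

    Reverse delegations fall on octet boundaries, so 172.16/12 needs sixteen
    /16 zones (16.172 to 31.172) while 10/8 and 192.168/16 need one each.
    """
    zones = []
    for net in RFC1918_BLOCKS:
        octets = (net.prefixlen + 7) // 8          # round prefix up to whole octets
        for sub in net.subnets(new_prefix=octets * 8):
            labels = str(sub.network_address).split(".")[:octets]
            zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def local_reverse_zone_for(address):
    """Zone a local nameserver should answer a PTR for `address` from, or None
    when the address is public and the query may legitimately leave the LAN."""
    ip = ipaddress.ip_address(address)
    for zone in rfc1918_reverse_zones():
        labels = zone[: -len(".in-addr.arpa")].split(".")
        prefix = ".".join(labels[::-1] + ["0"] * (4 - len(labels)))
        if ip in ipaddress.ip_network(f"{prefix}/{8 * len(labels)}"):
            return zone
    return None


def named_conf_stanzas(zone_file="db.empty"):
    """BIND named.conf: one master zone per private reverse zone, all backed by
    the same empty zone file (zone_file is a placeholder path)."""
    stanzas = [
        f'zone "{zone}" {{\n    type master;\n    file "{zone_file}";\n}};'
        for zone in rfc1918_reverse_zones()
    ]
    return "\n".join(stanzas)


# Minimal zone file for the stanzas above: an SOA and NS pointing at the server
# itself, so every query and update for these zones is answered (or refused)
# locally. Replace localhost. with the local server's name in a real deployment.
EMPTY_ZONE_FILE = """\
$TTL 86400
@   IN  SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )
@   IN  NS  localhost.
"""

if __name__ == "__main__":
    print(named_conf_stanzas())
```

Later BIND 9 releases serve these empty reverse zones on their own (the empty-zones-enable option), which is the same idea built in.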
A Microsoft spokesman said, "Thing is, is that those root nameservers would all be fine if they were running Win2K DNS services. " :)
Specifically, if your WinXP advanced DNS settings look like this, then just uncheck that box.
I wonder who copied whose code?
My basic question is, though, Mac OS 9 and W2K have both been out a LONG time. Why is this the first time that anyone's noticed this? You'd think the root servers would be constantly doing a heads-up looking for DDOS's, even accidental ones.
Also, I'm trying to pore through the links trying to find an answer, but if anyone works it out before me, could you please post a reply and let me know? Is this JUST Windows 2000 and Mac OS 9, or does it also affect other versions of Windows/Mac OS? Basically, what spread of Mac OS versions (9.0 to 9.1.2 or what?) and what spread of Windows versions (all Windows 2000 service packs?) are affected by this bug?
Why bother with firewalls at all? Private internets do the same thing more effectively with less hassle. Plus users get to use services that just don't work with firewalls. The only purpose of firewalls seems to be to accomodate people who can't be bothered switching to DHCP.
Gee, thanks a lot.
So you get what you pay for. You drive down the perceived value of a Microsoft sys admin and you fill these positions with poorly trained or MCSE certified test takers with no real grasp of the larger issues involved in administering *any* IT site.
Any competent sys admin would ensure crap like this doesn't happen, no matter what the OS is.
And if the gap in pay and value between Unix and Windows sys admins is widened, who in their right mind coming out of a CS degree in college (not some fly-by-night certification course) is going to want to use their training to specialize in the market that pays the least?
Hasn't MS had this around for a while now?
They even called it MS-DOS...oh wait, that was Disk Operating System...nevermind.
Putting this under the Microsoft headline, I mean, I know you don't like them, but it's hardly fair to them, Apple is doing it too! Hatred is only successful if you annihilate them without being partisan.....
Here's the solution:
1. Upgrade to Mac OS X. It's so cool.
2. People use W2k on the internet? Is that safe???
If the problem is the private IPs attempting to update DNS records then they have to have been NAT'd or masqueraded in some way, so short of parsing EVERY DNS packet there is no way to tell, since the source address will be the user's public IP.
This should be the first case of liability as stated before! Someone's network was slower than it should be.
As someone who's just about to come out of college, let me tell you that the market for unix admins doesn't look any better. Yes, unix admins might get paid more, but there are far fewer positions available. And while practically every company with a computer is hiring MCSEs with a year or two of experience, good luck finding a unix admin position requiring less than 10 years experience, or familiarity with less than 3 totally different flavors of unix.
Microsoft may be undermining the value of Microsoft certification, but companies aren't paying any attention, they're begging for MCSEs. But the unix jobs are all "Senior Unix Admin, Must Know Solaris, BSD and Irix" or "Senior to Lead Unix Developer 10+ Years Heavy C++ on Unix" or "Senior Network Engineer, Exp. with SCO, HP, AIX" or "Senior This" or "Senior That."
There are no entry-level unix jobs right now. There are plenty of entry-level MS jobs.
At least your Microsoft certifications will land you a job. It may not pay $80K/year, but it'll pay the bills, while I'm busy looking for any company anywhere who's looking for a junior admin. And failing.
Upgrade to Linux or FreeBSD and leave all that closed source secrecy behind you. Stop being beholden to corporations who could care less what you, the customer, thinks.
Actually this does not sound at all like an issue that should've been caught in user testing. There is no magic to software testing, and it's a thoughtless misconception to think that "good" software testers will catch every conceivable issue. Software testing catches what the software testers are looking for. Any other issues have to be fairly obvious to be caught, in most cases.
You know, I never understood why they did this as default. And I am also surprised it took this long for anyone to loudly complain. First thing I have always done when installing 2k/xp machines that don't need it is uncheck that option.
MS clients should not attempt this unless they are on a 2k AD domain. This is also as someone pointed out a good reason to filter your outgoing traffic.
It reminds me of when they had that check for "logon" enabled by default for ppp connections, when 90% of ISP's didn't support this.
It's AMC - Apple Macintosh Computer... not MAC, even though Acronymfinder.com says something else...
Look out, I think this is an MS plot
First flood the root servers (running bind), cause them to fail, and then claim that if they ran MS-DNS, this wouldn't be happening.
I remember back in the day when Win2k was in beta and I worked at a dot com. Some of our customers had set up Win2k boxes at their houses. They were attempting bogus updates with our DNS and were filling our bind logs and, therefore, my email box with errors.
The funniest thing was that when I notified one of the users ( a MCSE/MCSD ) he asked me to come to his house and configure his Win2k box to stop the bogus updates, because he did not understand DNS. I laughed.
I guess the Root Servers aren't laughing now!
Instead of upgrading every stupid OS in the world to a smart one which is obviously not viable in the short term, simply install a local-only name server that resolves all of your rfc1918 machines locally. This can be "anyname.anydomain.anytoplevel" for each machine. This satisfies the hunger of those stupid OS's. This should be SOP on any local network using NAT.
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Are you saying that someone using any of the addresses above is safe from script kiddies?
HA HA HA HA HA HA
Still need a firewall for these addresses moron. To connect to internet you need a valid IP address provided by your ISP (dhcp or static IP) and that is how script kiddies get in to your supposedly safe private internet.
Sounds like you need a bandaid for that big oozing ball of puss you use for a head.
To quote from RFC1918:
It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise.
If you are connecting your internal LAN using a private address space (10/8, 172.16/12, or 192.168/16) you are obviously using a firewall or router configured with NAT.
These need to be configured correctly for many different reasons, including the prevention of the effect mentioned in this article... Add null routes, or packet filter rules for any outgoing packets containing a destination falling in the RFC1918 address space. Also do the same for the incoming packets. By not doing this, you are flooding your upstream provider (in this case the root DNSs) with tons of bogus *(^@.
A few years ago I was lead engineer for a wireless internet company. Our clients were provided with a raw connection, just as if they had gotten a T1. After doing a week long network audit shortly after starting there, I was amazed to find that over 80% of our customer base had internal configuration problems with their NAT setups. Sniffing on the network, I got to see everything from MS Browse messages, DHCP requests, Netware "burbs", and tons of other stuff that should have never left their LANs.
I finally ended up installing firewalls at each POP site, just to dump out the extra junk... Our network speed increased by over 20% just blocking this nonsense at the POP (tower site) and keeping it from coming over our wireless backbone connections... On a typical 16MB/s link that's over 3MB/s of bandwidth we saved.
It appears Ockham lost his razor and grew a beard.
Since I'm running Win2K, and am behind a proxy box, I started wondering how I'd go about preventing my systems from sending those packets. Then I realized that, since all my systems are configured with static IPs, they wouldn't be sending out those update packets anyway.
So my recommendation is, if you aren't using static IPs on your intranet, do so. Not only will it lower the load on the root servers, but it'll also make port routing more reliable. Don't be lazy and depend on DHCP.
Well, from what I understand, if requests coming from 192.168.* computers are being NATed, then upstream routers will think that these spurious DNS updates are coming from proper routable addresses.
-Tez
You have to take the machine out of the domain then re add it to the domain, with the interstitial reboots, and regeneration of domain SIDs. A piece of shit.
Who do you want to flood today?
This problem, among with many, many others, was described in a CAIDA paper, "DNS Measurements at a Root Server." They basically ran TCPDump on root server F, and analyzed the traffic. An amazing number of invalid requests are sent all the time. It really shows how important it is for network admins to correctly set up their name services, but it also identifies problems caused by bugs in software. Very interesting read: http://www.caida.org/outreach/papers/2001/DNSMeasRoot/
CmdrTaco, this news article has six links, but only one of them actually relates directly to this particular piece of news. Please make it more obvious which one is correct -- I'm tired of having to move the mouse over each one and see what the address is in order to try to figure out which link actually gives me the news.
(please mod this up so people see it! this is becoming a big problem on slashdot. and this is anonymous, so it's not karma whoring)
ugh.. maybe you should pay more attention before blaming this one on "stupid sys admins"..
The problem is that this box is checked by default on every Win2k/WinXP install, not that stupid sys admins are turning it on. It has to be explicitly shut off, and how many home users do you think go into their connection settings to shut off some option that they've never heard of when they set up their network connection? I know I didn't, and had to go in and shut it off on my one Windows box this morning.
I don't write PERL... I write Perl or perl as its users and programmers prefer.
I also don't write MAC. I write Mac or Macintosh as its users and programmers prefer.
Just a nitpick, but it's annoying nonetheless and something that I see done more frequently on Slashdot than anywhere else. Besides, it's technically inaccurate as MAC is, I believe, something entirely different.
--Rick
Hmm... I think you're a little harsh. While I agree the coloring books are a good idea, I think that the bulk of the blame should go to the vendors for using irresponsible default settings. I don't blame the Mom and Pop operations who get their brother's son to come in on the weekends to configure their "server". This kid couldn't care less about internet citizenship or traffic on routers in other states or countries. (What's a router?) He wants some beer money and to get that he just has to make sure that his uncle's secretary can get her email.
Is there any way to filter this at the firewall?
If those are default settings in win2k/xp, then stupid are the people who buy or pirate those OSes. There have been so many reports of security weaknesses in micro$oft products that any half-intelligent worm should think twice before installing that crap in his/her/its computer.
Why was this a Gates-related story? As far as I can tell, there were two operating systems in this article - one of which wasn't made by Microsoft. I realize that Microsoft is the Great Satan to many at Slashdot and since Apple has such little market share, they're not seen as a threat, but a bit of unbiased journalism once in awhile couldn't hurt. Oh, and fire Jon Katz already. He's old, stupid and I've heard a rather dirty rumor about him and some canines.
- The people whose servers this is coming from are MORONS
... They should be taken out back and shot...
Fine. And the very instant you make even the slightest mistake or oversight, someone will be there to collect your head. The problem is not large corporations (places with a sysadmin); it's the millions of mindless sheep with a PC (places that will never have a sysadmin). There are a lot of "Best Practices" that people should be doing. However, very few do, simply because there isn't enough time in a day to set up and maintain everything the way things should be. Everyone is overworked, underpaid, and unappreciated -- most places have fired (layoff, downsize, whatever) a significant portion of their staff, thus significantly increasing the workload on those still there. Basically, if you could be fired tomorrow as a "cost saving measure", then why should you give a rat's ass about doing anything beyond "it works"?
How often does Win2K register these ip addresses? Is it once an hour or so, or is there really a million win2k boxes being rebooted every hour?
Good grief, if you're pointing to 68k.org, you should remember the OS9 operating system from ?Microware? that ran on 68ks and 6809s. The domainregistry.ie page and 68k.org pages you point at do correctly refer to Mac OS 9.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
No, the problem lies in stupid sysadmins NOT explicitly shutting it off. As for the connection settings, it is set up by default that way because if you are querying a Windows 2000 DNS/DHCP server, it supports DDNS (as per RFC 2136). It only causes problems with UNIX servers. Read this article for some detailed info about the issue. I assume it's a similar deal with the Macs.
Of course, ISPs should be filtering out packets in RFC1918 space, and their DNSs should be managing the requests rather than bugging the root servers with them.
Bill Stewart
I get these allll the time from people who are using Windows 2000 and my domain name on their intranet sites. It is quite annoying, I block them off, of course, but it seems like a DOS attack sometimes.
Up till a few months ago I ran Winroute Pro, a firewall, and every time I booted the win2k server it was installed on (I boot the machine every morning, it's my development box also and I don't need a server running at night, so why burn the electricity?) I saw in the log of Winroute Pro that the Win2k server wanted to send out DNS records to the root servers. This is only done at boot time though afaik, since I didn't find this activity again in the logs, until the next boot.
Not to be making MS look better, but to give some people a way to fix it. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259922
We got the Big Mic. Oh wait isn't that supposed to be the Big MAC?
>it causes the worth of Microsoft Sys Admins everywhere to be cheapened.
Actually, the worth of all sysadmins is being cheapened. More often than not, small to medium enterprises will find the most 'tech-literate' person on staff and they become the de facto IT person. So the poor sod muddles his/her way through the setup, often with the help of a temp contractor who will set up and install the systems and the network. The contractor leaves, and then said poor sod is left to maintain a system without documentation and a thorough lack of knowledge about what the hell they are using or doing.
The marketplace is trying to replace costly human labour (sysadmins) with plug n' play firewalls, routers and fileservers. When shit breaks, they call the ISP *first* because they get free support and can bitch and whine their way to have someone try and fix it. They will only call the contracting company as a last resort, because then they have to pay for the time. So little Johnny-mail-room calls up and says 'my internet is down' when what they really need is someone familiar with the setup and knows what the hell is what.
Raise your hand (tech support phone-monkeys): how many times have you had to deal with some idiot who says he is the IT/sysadmin/netadmin and doesn't know anything beyond tracert and ping? These people aren't even certified in *anything*. Hell, sometimes it's even a real sysadmin calling up, and you quickly realize that the clown on the other end is milking the shit out of the smallbiz owner, using your knowledge to troubleshoot *his* problem.
This industry is going to shit. Tech support is being outsourced to enormous franchise-style support agencies, full of mindless CDI/DeVry grads, admins are being cut in favour of standalone systems, and no one seems to appreciate the value of a knowledgeable person anymore.
I've read the MCSE material, and I can honestly say that it's nothing more than a preliminary intro to computers followed by numerous pages of point-and-click tutorials. Very little of the material focuses on the underlying tech, why it works, what can break, and how to fix it. It's utter crap. An MCSE will not learn about DNS, DHCP, ethernet, routing or anything else in any meaningful way using that garbage as a teaching tool. Yes, yes, there are shit unix admins just as there are great MS admins. The point is that this is a situation that demands qualified people, and no one wants to pay for it.
If you have a network, you need an admin. If you have a server, you need an admin. If you have more than one end-station with net access 56k or higher, you need an admin. They can be on-call, or on-staff, but you need an admin. Because the simple fact is that the time and money saved by not having one at your disposal is wasted when Sally-secretary has to call and spend 45 minutes fucking around with tech support.
If you don't have someone on staff who understands what the fuck it is they're doing, get out your damn wallet already and enlist the help of a real sysadmin.
The problem is not stupid sys admins. It's home users that don't have a sys admin, but happily connect to the internet anyway.
18-Apr-2002 16:16:05.491 security: notice: denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
by "a whole lot" i mean we've logged 3.3M of these in the last four hours..."
t_t_b
Part of the reason for being so restrictive (or so we were told): every service they allowed to pass over the firewall added to the cost of maintaining the thing.
Come to think of it, they probably shouldn't allow TELNET.
Perhaps my rant against them reflects my relative ignorance of routing issues. My current employer employs a proxyless system that allows me to see out of the network, but not others to see in. Is that a firewall? Given the vagueness of the concept ("Some of the best firewall professionals I know don't even bother with firewalls" -- Chapter 12 of Secrets and Lies), it probably depends on who you ask.
What is it with people and writing MAC instead of Mac?
Mac is short for Macintosh, it's not a bleeding acronym! I can put up with it when it comes to ignorant posters, but seriously, shouldn't the Slashdot editors know better?
is here.
It's funny to see a ten megabyte logfile produced every seven minutes *SLAP* woops. It's /not/ funny seeing a ten megabyte logfile produced every seven minutes. I wonder what they use for logfile analyses, I think it's getting more information than it's able to process.
Edwin
Blockpoth the quoster:
No. (Although using ".localdomain" doesn't suck as badly as naming your private network "slashdot.org" and assuming that your NATbox will prevent anyone from seeing this posturing..) In practice, using ".localdomain" probably won't break anything as a pseudo-TLD for an RFC 1918-conformant private IP space, presuming you're talking about a home network that's not going to have anything complex depending on absolutely strict, standards-compliant DNS behavior, but it's actually defined as a domain "having an A record pointing to the loop back IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use." I.e. for DNS purposes, the only .in-addr.arpa domain that should map into localdomain is 127.in-addr.arpa -- this is the class-A netblock for your loopback interface(s), which all have the form 127.#.#.#.
RFC 2606, "Reserved Top Level DNS Names", says that the TLD for a private network space should be one of the following:
- .example
- .test
- .invalid
(Note: there's no (technical) reason the TLD has to have three letters or less.)
"With enough eyes, all bugs are shallow" or something to that effect.
It's the find and identify. A lot of bugs stay very well hidden until you look at them in just the right way.
I am an administrator for some IP space assigned but not ever routed. Several years ago, I was wondering where the hell all my bandwidth was going and found a lot of it was DNS traffic trying to resolve IPs in that space. This was very odd, considering that it wasn't routed. These were at the rate of about 10 per second per IP address, and there were about 80 addresses two servers were querying for, for a total of 1600 requests per second. Now, there was no DNS server running on the host that these requests were going to, so they were sent port unreachable messages.
Evidently what was going on was this large corporation was using MY IP space internally, but they weren't making their DNS servers authoritative for it, so the DNS servers went to the Internet (and to me) for resolution. Something somewhere was configured wrong and so they retried constantly.
I firewalled these DNS servers out, but not before I composed email to the whois contact at the big corporation telling them to fix this stuff. They ignored me (yes I made sure their SMTP sending host was not blocked). Firewalling didn't fix the problem, only kept my server from sending port unreachable messages. The queries from the big stupid corporation's network were only getting worse. I was getting really pissed off.
So I put up a DNS server up on that host, and made entries for every single IP (I was using bind, which is too stupid to have default responses). And I had fun, with obscene and abusive DNS names for every host, and forward resolution to match (in a silly domain also routed to the same dns server) -- and the highest possible TTL! Problem solved!
The funny thing is that this staid corporation was now seeing all sorts of nasty names on their internal servers...BAH HA HA.
The abuse stopped. Hopefully, someone was fired. Now we know that they will never attack me again in this way: you see, that abusive network belonged to Enron
I actually let them off the hook easily. I had, at this point, control over data being returned to servers well firewalled away. Servers that probably had ancient resolvers that had buffer overflows in their DNS resolvers. High level servers that could have been r00ted straight through the firewall.
moral of the story: don't leave dns work to weenies. You may be surprised at the results.
We (uconn.edu) detected this either last year or the year before with misconfigured windows clients (typically win2k AS where someone left the DNS service running with a default configuration).
Go do what you do best..throw on your penguin spandex and run around burning Microsoft flags.....I mean..that is what Linux is about right?
Bah... No one checks the RFCs anymore.
Another example of something where a company does not follow the RFCs is HP using 192.0.0.192 [do an nslookup on that address for an interesting reverse name] as the default IP address for their devices instead of going through a formal RFC process... [or something to get the ball rolling for "newly" unconfigured devices to allow config on an IP-only network without a bootp/dhcp server..]
The list of addresses to control at border routers is growing... [hint many firewall admins block the RFC1918 addresses, but forget the Autoconfig address space 169.254.0.0, or 192.0.0.192, or 192.0.2.0/255.255.255.0
DHCP first uses 255.255.255.255 and then 0.0.0.0 before trying anything else.
Uhhh, it doesn't cause problems with Unix servers. Many Unix DNS servers support DDNS. And many of us disable it because we prefer for random, unauthenticated machines on our networks not to be messing with our DNS databases. Therefore we get lines in our syslog files saying that certain machines tried and failed to push a DNS update to our server. If we get too many such lines and become annoyed, we hunt down the Win2k machine in question and untick the box under advanced TCP/IP settings.
It only becomes a problem when too many of these machines try to hammer the same few servers, to no purpose. Believe me, if the root servers were running Win2k, the root server admins still wouldn't have enabled DDNS. It's not about platforms, except for the arguably stupid default in the client.
A)if you're not set up to use only DYNDNS capable name servers, you should disable the "register this whatever" tab, or however you do it in MacOS.
B)Whose bright idea was it to have that a default?
I didn't know about the issue myself, because I'm a unix geek, and it never occurred to me that an OS would make such a ridiculous assumption. I found out when corporate IT busted me for upgrading my laptop to Win2K. At first, I thought it was because I was not getting my mandated 11 reboots/day, and snidely said so. The guy was much nicer than me, and just asked me to tell it to stop beating up the DNS server with invalid requests, and don't even think of trying to use it as a bdc (it would take over the domain, apparently... another bit of genius on the part of MS).
... flood microsoft's dns servers with failed dynamic updates and maybe they will issue a patch.
This has been going on since day 1 of win2k server and it's about time it ended.
I'm getting thousands of these an hour from a couple different IPs. I think it's time I do something about it. In the past I've had no luck getting the admins to do anything about it. My buddy (who's an attorney) wrote up a cease and desist, which was pretty funny to send, since you can track registered mail online and get the time it was signed for; the dynamic updates were usually stopped within an hour.
Right now my firewall is blocking out the updates, but I really don't need them filling up my log files. Here is a line from /var/log/messages:
aaa.aaa.aaa.aaa = Their IP
bbb.bbb.bbb.bbb = My IP
Apr 22 12:18:17 ns kernel: Packet log: input DENY eth0 PROTO=17 aaa.aaa.aaa.aaa:3008 bbb.bbb.bbb.bbb:53 L=107 S=0x00 I=48660 F=0x0000 T=117 (#17)
What can I do in the zone files to 'encourage' ISPs to fix this?
I wondered if you have any thoughts on what I could do to the ISPs that are doing similar things to me, that is if they continue to ignore me as they tend to do.
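As an added example, not code from either of the posters above, here is a small Python summariser for the two log formats quoted in this thread (the BIND "denied update" line and the ipchains "Packet log ... DENY" kernel line); it counts events per source and flags refused updates aimed at RFC 1918 reverse zones, which the sender's own nameserver should have absorbed. The sample log lines, addresses and zone names inside it are constructed.

```python
"""Summarise rejected dynamic updates and blocked DNS packets per source.

Added example: parses the two log formats quoted in this thread, BIND's
'denied update from [ip].port for "zone" IN' line and the Linux ipchains
'Packet log: input DENY ... PROTO=17 src:port dst:53' kernel line, and
reports the noisiest sources and the zones they try to update.
"""
import re
from collections import Counter

# BIND security-category log line for a refused RFC 2136 dynamic update.
BIND_DENIED = re.compile(
    r'denied update from \[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)"'
)
# ipchains kernel log line: PROTO=17 is UDP, destination port 53 is DNS.
IPCHAINS_DENY = re.compile(
    r"Packet log: \S+ DENY \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Reverse zones covering the three RFC 1918 blocks: 10/8, 172.16/12, 192.168/16.
PRIVATE_REVERSE = ("10.in-addr.arpa", "168.192.in-addr.arpa") + tuple(
    f"{i}.172.in-addr.arpa" for i in range(16, 32)
)

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
18-Apr-2002 16:16:05.491 security: notice: denied update from [192.0.2.10].2323 for "168.192.in-addr.arpa" IN
18-Apr-2002 16:16:05.702 security: notice: denied update from [192.0.2.10].2324 for "168.192.in-addr.arpa" IN
18-Apr-2002 16:16:06.013 security: notice: denied update from [198.51.100.7].1034 for "example.com" IN
18-Apr-2002 16:16:06.400 security: notice: denied update from [192.0.2.10].2325 for "1.168.192.in-addr.arpa" IN
Apr 22 12:18:17 ns kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:3008 203.0.113.5:53 L=107 S=0x00 I=48660 F=0x0000 T=117 (#17)
Apr 22 12:18:18 ns kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3009 203.0.113.5:80 L=60 S=0x00 I=48661 F=0x4000 T=117 (#18)
Apr 22 12:18:19 ns sshd[412]: Accepted publickey for admin from 203.0.113.9
"""


def parse_line(line):
    """Return ("update", src, zone) for a refused update, ("packet", src, dst)
    for a blocked UDP/53 packet, or None for any other line."""
    m = BIND_DENIED.search(line)
    if m:
        return ("update", m.group("src"), m.group("zone"))
    m = IPCHAINS_DENY.search(line)
    if m and m.group("proto") == "17" and m.group("dport") == "53":
        return ("packet", m.group("src"), m.group("dst"))
    return None


def is_private_reverse(zone):
    """True if `zone` is, or lies under, a reverse zone for RFC 1918 space,
    i.e. the sender's own nameserver should have been authoritative for it."""
    return any(zone == z or zone.endswith("." + z) for z in PRIVATE_REVERSE)


def summarize(lines):
    """Count events per source address and refused updates per target zone."""
    by_source = Counter()
    by_zone = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, src, target = parsed
        by_source[src] += 1
        if kind == "update":
            by_zone[target] += 1
    return by_source, by_zone


def private_reverse_zones(by_zone):
    """Subset of the zone counts that are RFC 1918 reverse zones."""
    return {z: n for z, n in by_zone.items() if is_private_reverse(z)}


if __name__ == "__main__":
    sources, zones = summarize(SAMPLE_LOG.splitlines())
    for src, n in sources.most_common():
        print(f"{src:16} {n} events")
    for zone, n in private_reverse_zones(zones).items():
        print(f"private reverse zone {zone}: {n} refused updates")
```

Feed it the real /var/log/messages instead of SAMPLE_LOG to get the per-source list that a complaint to the ISP, or a firewall rule, should be based on.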
Re: Denial of Service. Packet Flooding
Dear Web Service Provider,
Confirming our telephone conversation of July 17, 2001 (Ticket # 1157176), please be informed that our company can no longer tolerate the abuse caused by systems on your network. Our investigation has determined that your company is in the position to monitor the system that is responsible for this unauthorized and unlawful conduct.
Please note that federal and state statutes have been broadly interpreted to include causes of action for the recovery of damages caused by denial of service and packet flooding attacks. Accordingly, we hereby demand that you immediately cease and desist (or cause to cease and desist) the unauthorized and unlawful activity responsible for the abuse of our systems.
Our company is in the process of evaluating the scope and extent of the injuries that have been suffered as a direct result of this improper conduct. In the event that such conduct does not immediately cease and desist, legal action may be commenced to compel you to conform to this demand.
Thank you for your prompt attention to this matter. Should you have any questions, or wish to discuss anything set forth herein, please feel free to contact me.
Very truly yours,
me
Just got finished setting my 2K box straight. Yeah, I think that ICANN should think quite strongly of setting aside .LAN as a non-routable TLD. Simple, looks like a real TLD, but can't get out on the Internet. Just like non-routable IP addresses: 10.x.x.x, 192.168.x.x and those Class B's that nobody uses but are there anyway.
I didn't know about the attempt to codify .LINK as a non-routable TLD, but .LOCAL was once proposed and is often used as an example in books about TCP/IP networking. .LAN, however, has the advantage of looking like a "proper" TLD. (at least Stateside, anyway...)
I decided to check my OS X system and a little tcpdump'ing showed that I was hitting my cable modem ISP's DNS servers with my 192.168.0.* reverse lookups. Hmmm...
A little poking around shows that the order that lookupd checks is DNS, then NI, which is backwards. So create an /etc/lookupd/hosts file with:
LookupOrder CachAgent NIAgent DNSAgent
and it's all fixed. (Of course, I do have my machine names and addresses in Netinfo already.)
Don't know if this is caused by not having any domain name for my machines or not. Or any other mis-settings. But that's the way it worked here.