Slashdot Mirror


W2K and MAC OS9 Flood Root Nameservers?

wizzy writes "Ireland's top-level domain registry has a notice on Microsoft and Apple DHCP clients sending dynamic DNS updates per RFC2136. The problem is they are not sufficiently careful about where they send it if they are in RFC1918 space - usually used for behind-firewall addressing, which is where they usually are. This is resulting in bogus updates being sent at the rate of nearly one million an hour to root nameservers, only to be rejected - as reported on the NANOG mailing list."

  1. Upgrade time! by JHromadka · · Score: 3, Funny

    With Photoshop 7 out and this, now Mac OS9 users have an even better reason to upgrade to OS X - "to save the Internet." :)

    --
    "The objective of securing the safety of Americans from crime and terror has been achieved." -- John Ashcroft
    1. Re:Upgrade time! by 0x0d0a · · Score: 3, Interesting

      Frankly, I'd rather see the OS9 boxes fixed.

      Apple, at least, is generally pretty good about putting out bugfixes for old products -- they make most of their money on hardware, and don't have a huge incentive to force people to buy a new OS to get their computer to work properly. OTOH, I don't think they ever fixed all the TCP/IP exploits in the latest version of Open Transport that the System 7.5.5 line could run. :-(

      Microsoft has been even less good about putting out free fixes for their old products. There are too many known problems that aren't going to get fixed in Win 95 and NT. They also don't usually backport libraries -- I fondly remember someone hacking up the binaries of Win2k's DirectX 5 implementation to work on WinNT. It let me run several DX 5 games that wouldn't otherwise work on NT 4. MS, however, never released DirectX 5 for WinNT. Why would they? It was a big incentive to get people to buy Win2k.

      MS uses compatibility issues and a lack of bugfixes, not features alone, to drive upgrades of their software. :-(

  2. Firewalls by chrysalis · · Score: 4, Informative

    Yet another reason to use firewalls to filter _OUTGOING_ connections and not only incoming ones (the other reason : to avoid backdoors) .

    1. Re:Firewalls by JordanH · · Score: 2
      • Yet another reason to use firewalls to filter _OUTGOING_ connections and not only incoming ones (the other reason : to avoid backdoors) .

      Do many firewalls have the capability to inspect outgoing DNS updates to determine if they are valid or not? I'm no expert in firewalls, but I've not seen this capability.

      Now, granted, you could and should block outgoing DNS updates that aren't coming from the machines you'd expect them to come from, but the DHCP servers are often responsible for DNS updates, in my experience. Maybe there's something fundamental I'm not getting here...

    2. Re:Firewalls by barberio · · Score: 5, Informative

      (Begin liestochildren style technical summary)

      In a proper DNS system, you don't have outbound DNS queries except from the DNS server in your network. Hence, blocking all outbound DNS queries works. Each client in the network should be set to query the network's DNS server, and this in turn queries other servers. (DNS is a recursively distributed network; your DNS server will pass on your queries on the client's behalf)

      Clients should not have to directly query DNS servers off site or outside of your ISP. Clients should never directly query the root servers.

      What is happening here is that various ISPs and companies have large numbers of desktop PCs getting their information via DHCP. These do some housekeeping on boot up. If the settings are screwed up either on the desktop or the server, then the DHCP will send off queries and updates to DNS servers it thinks it needs to.

      So, if you're so eleet that you set your internal home network to be slashdot.net, with little nodes such as www for your webcache, you might be causing the real slashdot.net problems. This will be because the DHCP gets confused and thinks it needs to report to its higher up level, the real slashdot.net DNS servers.

      If you just have bare nodes like 'foo' and 'bar', then DHCP can be screwed up so it tries to report to the higher up level, the root servers.

      As you can track down every system and user who has these things malset, you have to filter on firewalls.

    3. Re:Firewalls by barberio · · Score: 5, Informative

      http://www.domainregistry.ie/tech/dynamic-dns.html tells you how to disable the 'registration' problem with MacOS and NT.

      The bigger problem is that of making sure you use sane name spaces, and never conflict with real ones.

    4. Re:Firewalls by jelle · · Score: 2

      "OK, so how do i find out that one of my machines is doing this and how do i fix it"

      Check all machines (and then doublecheck), or check the traffic that is leaving your site:

      Look at your firewall logs: There should not be any outgoing traffic to any IP address and port number 53 except from the company internal DNS servers. If you don't see any traffic to port 53 at all in your logs, then you'll first have to enable logging of that traffic on your firewall (unless your firewall doubles as the DNS, in which case you might not see the queries).

      Next step: Get educated in TCP/IP and firewalling.

      --
      --- Hindsight is 20/20, but walking backwards is not the answer.
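The check described in the comment above (no outbound port 53 traffic except from the internal DNS servers), extended to look inside the payload for the RFC 2136 UPDATE opcode. This is an added example, not part of the original thread; the resolver address 192.168.1.53, the verdict names and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the only internal hosts permitted to send DNS to the outside.
INTERNAL_DNS_SERVERS = {ipaddress.ip_address("192.168.1.53")}
OPCODE_UPDATE = 5  # RFC 2136 dynamic update; ordinary queries use opcode 0
# Reverse zones covering RFC 1918 space; updates for them should stay on site.
PRIVATE_REVERSE_ZONES = ("10.in-addr.arpa", "168.192.in-addr.arpa") + tuple(
    f"{i}.172.in-addr.arpa" for i in range(16, 32))


def in_private_reverse_zone(name):
    # Match on label boundaries so "110.in-addr.arpa" is not mistaken for 10/8.
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in PRIVATE_REVERSE_ZONES)


def read_name(msg, offset):
    """Decode the DNS name at offset, following compression pointers safely."""
    labels, jumps = [], 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if offset + 1 >= len(msg) or jumps >= 16:
                raise ValueError("bad compression pointer")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        if length == 0:
            return ".".join(labels) or "."
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length


def parse_dns(payload):
    """Return (opcode, is_response, name of first question/zone entry)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    name = read_name(payload, 12) if qdcount else ""
    return (flags >> 11) & 0xF, bool(flags & 0x8000), name


def classify(src, dst, dport, payload):
    """Verdict for one outbound UDP datagram seen at the firewall."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != 53 or any(dst in net for net in RFC1918):
        return "ignore", None                # not DNS leaving the site
    try:
        opcode, is_response, name = parse_dns(payload)
    except ValueError:
        return "malformed", None
    if opcode == OPCODE_UPDATE and not is_response:
        if in_private_reverse_zone(name):
            return "update-leak-private-zone", name
        return "update-leaving-site", name
    if src not in INTERNAL_DNS_SERVERS:
        return "client-bypasses-resolver", name
    return "ok", name


def build_message(opcode, name, rtype):
    """Constructed sample input: DNS header plus one question/zone entry."""
    header = struct.pack("!6H", 0x1234, opcode << 11, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!2H", rtype, 1)


# Constructed events: (source, destination, destination port, UDP payload).
# 192.0.2.53 is a documentation address standing in for an outside server.
SAMPLE_EVENTS = [
    ("192.168.1.53", "192.0.2.53", 53, build_message(0, "www.example.com", 1)),
    ("192.168.1.77", "192.0.2.53", 53, build_message(0, "www.example.com", 1)),
    ("192.168.1.77", "192.0.2.53", 53, build_message(5, "168.192.in-addr.arpa", 6)),
    ("10.1.2.3", "192.0.2.53", 53, build_message(5, "example.com", 6)),
    ("192.168.1.77", "192.0.2.53", 53, b"\x00\x01"),
]


def scan(events):
    """Return (source, verdict, name) for every event that needs attention."""
    results = [(src,) + classify(src, dst, dport, data) for src, dst, dport, data in events]
    return [r for r in results if r[1] not in ("ok", "ignore")]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Any "update-" verdict identifies a host that still has dynamic registration enabled; "client-bypasses-resolver" identifies one that is not using the site's DNS server at all.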
    5. Re:Firewalls by Harumuka · · Score: 2
      I had this problem a while ago. The goons at wzr.net own org.com.kg (stupid, I know) and allow registration of *.org.com.kg. My default DNS server was in a .com.kg domain, causing .org domains to occasionally map to .com.kg. One day Slashdot.org even pointed to wzr.net, saying "Slashdot.org is available! Register today!" I e-mailed a quite harsh message to keith, the owner, and received back only oh boohoo..dumbass. Some people just don't belong on the Internet...

      Anyways, if you ever are redirected to "WebZone Resources v3.0 - asdf.org is still available!" contact webmaster@wzr.net and give him a piece of your mind. Obviously, I tried speaking to him about this issue but to no avail. Remember that's webmaster@wzr.net.

      --
      What do you think of MusicCity now?
  3. Wow. Companies that care. by ChanxOT5 · · Score: 2, Interesting

    This reeks of something that should've been caught in user testing. Unless, of course, Microsoft and Apple decided that they didn't care about the operators of the root nameservers.

  4. just another reason by Kaoslord · · Score: 2, Insightful

    just another reason to start using mac os X... or let's start educating people, i wonder how much resources those bad-changes make anyways....

    --
    Kaoslord [quote goes here] define("slashdot purity","67.5");
  5. Too many links! by FattMattP · · Score: 2, Funny

    Christ! Which link is the real story?

    --
    Prevent email address forgery. Publish SPF records for y
    1. Re:Too many links! by Anonymous Coward · · Score: 2, Informative

      I believe this is the actual notice.

      http://www.domainregistry.ie/tech/dynamic-dns.html

  6. How to Fix? by 1stflight · · Score: 3, Insightful

    Before everyone jumps down MS's throat (or Apple's) does anyone know how to reconfigure a system to fix this issue?

    1. Re:How to Fix? by schon · · Score: 5, Informative

      No idea about the Mac, but instructions for Windows can be found at http://www.isc.org/ml-archives/bind-users/2000/11/msg00109.html

      It's pretty funny that the "Win2K is as good as Unix because you don't need to reboot it to change settings" mantra that I hear from MCSE's doesn't apply to this :o)

    2. Re:How to Fix? by sabi · · Score: 5, Informative

      On the Mac, disable the "DNSPlugin" Network Services Location plugin,
      in the Extensions folder. This applies only to Mac OS 9.0 through
      9.2.2; the 8.5-8.6 version of NSL didn't have DNS update support (it
      answered SLPv1 broadcasts only, and might have registered with a SLP
      DA, I don't remember); the OS X version of NSL doesn't have it
      either.

      Also note that this registration does not happen always on the Mac,
      only if you enable network servers that use NSL (primarily the
      personal AFP/file sharing and Web sharing services). I've never
      enabled them, so I've never seen this.

      Another thing to do is just set your domain so it's one whose
      nameservers you control :-)

    3. Re:How to Fix? by frogdeep · · Score: 2, Informative

      With Win2k client you can:

      1. from start menu you choose
      setting -> network and dial up connections
      2. from network and dial up connections
      right click local area connection properties
      3. from local area connection properties
      click internet protocol (TCP/IP) properties then click properties button below
      4. from internet protocol (TCP/IP) properties
      click the advance button
      5. from advance TCP/IP settings
      click DNS menu bar
      6. from DNS sub menu
      uncheck "register this connection's address in DNS"

      and it is fixed :)~~

    4. Re:How to Fix? by HiThere · · Score: 2

      Running MS Office.

      If it's not true at some point, just wait until the next release (of MS Office).

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:How to Fix? by 5KVGhost · · Score: 2
      It's pretty funny that the "Win2K is as good as Unix because you don't need to reboot it to change settings" mantra that I hear from MCSE's doesn't apply to this :o)


      Interesting. Thanks for the link. But you don't need to reboot. Just stop and restart the service with the command line or GUI interface.

      You very seldom need to reboot under Windows 2000 or XP. Some *nix advocates like to claim that Windows administrators don't know what they're doing. But it's often clear that those advocates are just as clueless where Windows systems are concerned.
    6. Re:How to Fix? by Tony-A · · Score: 2

      I read it but have no good idea what it's talking about.
      Looks like it would be useful if you only wanted SOME of your network cards to beat on the root name servers.

    7. Re:How to Fix? by MsGeek · · Score: 2

      Also, file this under "things they don't include in Microsoft Official Courseware."

      I'm scurrying to fix this now.

      --
      Knowledge is power. Knowledge shared is power multiplied.
    8. Re:How to Fix? by 5KVGhost · · Score: 2

      "The difference is that the *nix admins aren't being paid to know how to admin Windows."

      Well, that depends, doesn't it? Some of them might prefer not to admin Windows systems, but if their employers expect otherwise then it is, indeed, exactly what they're paid for. Someone who's administering Windows 2000 DNS servers on the job, for example, should probably know that a full reboot is unnecessary.

      "There's nothing wrong with not knowing something - it's when you're supposed to know it (either because it's your job, or because you tell someone you know) that's bad."

      You're absolutely right. No one can know everything. Willful ignorance is another matter. I just get frustrated when people make statements of fact that are incorrect rather than admit inexperience or lack of knowledge. There's nothing shameful about saying "I don't know."

  7. Re:Well, of course Microsoft did... by AntiNorm · · Score: 2

    Their name servers are under the "IE" domain...

    .ie = Ireland

    --

    I pledge allegiance to the flag...
    of the Corporate States of America...
  8. Flooded name servers... by chtephan · · Score: 4, Informative

    I know these problems. In my small ISP company, we are running our own nameserver.

    The logs are flooded from rejected name server updates (several hundreds a day).

    They are mostly coming from misconfigured W2K servers from our customers, running their intranet with DHCP and using the same domain as in the real net.

    Sadly, we contacted the administrator, but he didn't have a clue what I was talking about (they're just running windows on their server because they know windows...)

    Usually I would suggest to use an internal domain name that doesn't exist in the internet and just "masquerade" the mail domains. So resolving internal addresses from extern fails if some information slips out and the internal servers won't resolve some external name server to contact when an internal server should be.

    1. Re:Flooded name servers... by Zocalo · · Score: 2
      I've seen this very problem, and worked out a quick and cheap (read Free OS capable of running a DNS server) fix for this; two sets of DNS servers. What you do is set up one set of DNS servers to act as authoritative servers for all your domains, and another set that actually does DNS resolution for your customers. You firewall the former set so that they cannot receive DNS requests from your IP space, except from your trusted DNS servers.

      The only DNS zones the authoritative set know about and can answer queries for are your own - the resolvers work as normal DNS servers that answer any query coming to them in the normal way. This works like a charm, protects your DNS from DDNS updates and other hacky crap that shouldn't be allowed on the Internet. Oh and if you understand your chosen DNS daemon the configuration is probably easier too!

      --
      UNIX? They're not even circumcised! Savages!
  9. Forget firewalls by CounterZer0 · · Score: 5, Informative

    They only solve a SYMPTOM of the issue. These people need to set their systems up correctly! Either a) install MS-DNS and point your boxen at that, or b) use BIND, but ENABLE dyn-dns and stop this traffic at the local level.
    And if you use a RFC1918 address space, your DNS server should have reverse lookups enabled for that address space - even a split zone so the world won't see them - and that will a) help management of the network easier, and b) prevent problems like this from happening ;)

    1. Re:Forget firewalls by HiThere · · Score: 3, Insightful

      "Why should I care?..."

      That should probably be rated +5 insightful. The local user needs to fix things, but isn't feeling any effect. At least none that he can see is related to the cause of the problem. And truthfully, no particular user is causing much of a problem. But there are so many of these machines that ...

      It's basically a commercially sponsored DoS attack against the DNS servers. That's what it is if you strip everything but the basic features away. The only thing that's (probably) missing is the malice.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  10. Initially diagnosed as the "slashdot effect" by ChanxOT5 · · Score: 2, Funny

    The root nameserver's initially thought that they'd been linked to by /. daily, but then realized that nobody cared about them :)

  11. Popular domains by SealBeater · · Score: 5, Interesting

    Another problem is that people are naming their boxes after popular domains
    that they don't own, and the dynamic updates are pounding the hell out of the
    domain owners nameservers. If anyone here is doing this, owl.com and jove.com
    were two of the domains named.

    Sealbeater

    --
    -- Its survival of the fittest...and we got the fucking guns!!!
    1. Re:Popular domains by Jester998 · · Score: 2, Funny

      They don't even have to be popular domains.

      Back In The Day(tm) when I was first setting up my home network, I didn't know jack shit about DNS. I knew it resolved names to IP addresses, but I didn't _really_ understand how it all worked. So I figured... I'm on a network, and it's local, so my domain is gonna be 'local.net'. Worked great. Then one day I got a flash of inspiration... 'whois local.net'. A *real* domain record came back with that domain name. Whoops. I very quickly changed everything over to 'local.lan' instead, before I caused any headaches. ;)

      - Jester

    2. Re:Popular domains by LordNimon · · Score: 2

      Shouldn't your local domain be just "localdomain" (without any top-level domain)? Linux installations typically default to localhost.localdomain, and I think that's the standard.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    3. Re:Popular domains by squiggleslash · · Score: 2
      At one point, there was an IETF draft where .link was proposed as a TLD for internal use only, a sort of equivalent of 10.x.x.x in DNS. You could try that - even though the draft has long ago expired, I would suspect nobody will take that TLD for now.

      Damn I posted. At least it wasn't anything insightful.

      --
      You are not alone. This is not normal. None of this is normal.
    4. Re:Popular domains by aridhol · · Score: 2

      At my former employer's office, we used .priv as our TLD.

      --
      I can't say that I don't give a fuck. I've just run out of fuck to give.
    5. Re:Popular domains by Jester998 · · Score: 2

      IIRC, *.localdomain. is used for individual hosts only; localhost.localdomain is always bound to the loopback interface in my boxen. I don't know if it would work for whole networks... ???

      Besides... it doesn't have the same ring to it. 'hermes.localdomain' or 'hermes.local.lan' (or as I had it before, 'hermes.local.net'). Might be just me, but I think the latter has a nicer sound to it.

      - Jester

  12. Re:Wow. Companies that care. by Nogami_Saeko · · Score: 2, Interesting

    I thought this sounds more like a case of misconfiguration than a bad server itself.

    Also, assuming that people are DHCP'ing on a local 192.168.* address space, shouldn't upstream routers (especially those on cable companies and the like) automatically filter out any packets with local addressing as opposed to forwarding them?

    In fact you'd think they'd filter out ANY DHCP information coming from their subscribers as opposed to sending it out publicly?

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  13. Old news, unfortunately by Anonymous Coward · · Score: 2, Informative

    There are a couple thousand Windows machines of various flavors inside my network and they are constantly generating crap lookups. I see my poor machines forwarding them to the outside, no doubt pissing someone off.

    Where 'FOO' is one of our servers:

    FOO.k12.co.us
    FOO.co.us
    FOO.us
    FOO (this is what hits the root servers)

    These things are trying to do DNS even when WINS would have a perfectly good answer. Multiply this by thousands of lemming systems and you have a bunch of load that should never be there.

    1. Re:Old news, unfortunately by ColaMan · · Score: 2

      I know that if you just type in "Foo" into your average windows web browser (IE 5+), it will iterate through the usual TLD's trying to find a match, and if not, will then go to your default search engine.

      Probably what you're seeing here. What you need to do is convince people not to just type a word into the address bar, and get them to use Google instead.

      --

      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
  14. NS records by 3247 · · Score: 3, Informative

    I wonder if adding NS records for the bogus in-addr.arpa domains would help, i.e.:

    168.192.in-addr.arpa NS 192.168.1.1
    10.in-addr.arpa NS 10.0.0.1
    ...

    --
    Claus
  15. Microsofts answer by caluml · · Score: 3, Funny

    A Microsoft spokesman said, "Thing is, is that those root nameservers would all be fine if they were running Win2K DNS services. " :)

  16. Check if you're misconfigured (I was) by interiot · · Score: 5, Informative
    Here's a page detailing how to check this in Win2K and OS9. I'm glad I checked because I was misconfigured.

    Specifically, if your WinXP advanced DNS settings look like this, then just uncheck that box.

    1. Re:Check if you're misconfigured (I was) by mastagee · · Score: 2, Interesting

      The real problem is that the default for win2k and winXP is to have that box checked. So anybody who is running win2k and winXP and doesn't have any idea what a dynamic DNS update is (which would probably be the vast majority), is sending these updates. My dynamic DNS provider (dyndns.org -- they dont use RFC2136 to dynamically update) has been sending mails telling its members to turn this option off for over a year now because of all the unnecessary traffic it causes.

    2. Re:Check if you're misconfigured (I was) by 56ker · · Score: 2

      Does it affect anyone outside the OSes previously mentioned (apart from the people running the DNS servers of course)?

  17. Same bug on two different OS's by dcocos · · Score: 2, Interesting

    I wonder who copied whose code?

    1. Re:Same bug on two different OS's by SiMac · · Score: 3, Insightful

      The TCP/IP is very, very different on those two different OSes.

      Windows, IIRC, uses sockets. Mac OS 9 uses streams (although Mac OS X uses sockets). It's very unlikely that someone stole someone else's TCP/IP code, as much as I would like to blame Microsoft for stealing code...

    2. Re:Same bug on two different OS's by ckd · · Score: 4, Informative
      I wonder who copied whose code?

      It's not the same bug. Windows, by default, is trying to put its name into the MS Active Directory stuff, which is implemented using Dynamic DNS. The Mac OS 9 systems only try to do this if you have either TCP/IP Personal File Sharing or Personal Web Sharing enabled--which both default to off...and even if you turn on File Sharing the TCP/IP connectivity defaults to off.

  18. Re:this is a bit complex for me.. by blixel · · Score: 4, Funny

    why is this the first time that anyone's noticed this?

    You think that just because you read this article on Slashdot today that it was "just noticed" as of yesterday or something?

  19. Untrained Microsoft Sys Administrators... by weave · · Score: 4, Insightful
    Thanks to stupid ad campaigns and Microsoft saying that Windows servers are easy to administer and don't require expensive experts, it causes the worth of Microsoft Sys Admins everywhere to be cheapened. As someone who administers Microsoft servers, it pisses me off enough that my bosses don't understand the level of intelligence required to properly administer large systems. Now I have Microsoft saying to the top Chiefs in orgs basically that you can get your Microsoft sys admins much cheaper than Unix admins.

    Gee, thanks a lot.

    So you get what you pay for. You drive down the perceived value of a Microsoft sys admin and you fill these positions with poorly trained or MCSE certified test takers with no real grasp of the larger issues involving administering *any* IT site.

    Any competent sys admin would ensure crap like this doesn't happen, no matter what the OS is.

    And if the gap in pay and value between Unix and Windows sys admins is widened, who in their right mind coming out of a CS degree in college (not some fly-by-night certification course) is going to want to use their training to specialize in the market that pays the least?

    1. Re:Untrained Microsoft Sys Administrators... by Sander_ · · Score: 2, Insightful

      This specific problem isn't about whether M$ admins are good, bad, untrained, uninformed or whether they are Gods(tm). This is a completely non-M$ issue.

      However, it looks bad for us who build and maintain networks and their security (or inherent lack thereof).

      Proper design is to have two or more DNS proxies in a DMZ (or better yet, two different DMZs facing two different ISPs), and they relay any proper queries, never let an internal client have direct access out in the wild.

      Hiding all kinds of cruft behind NAT'ing gateways only hides design problems and exports your bad decision to anyone who might be in your path on the Net.

      ttfn,
      A

    2. Re:Untrained Microsoft Sys Administrators... by Anonymous Coward · · Score: 4, Interesting

      > So you get what you pay for. You drive down the perceived value of a Microsoft sys adm

      Unfortunately, your case doesn't hold so much water.

      Back in the day, pro-MS admins pushed Windows when it was obviously a poor choice. You (plural) won, your political agenda cost any number of people trying to do good work stature in their careers, you toppled competitors, and your favorite OS "won". You collectively fought that battle, actually more a multitude of personal power-play agendas, blindly, and at a great cost to very many people. Now, it's clear to a bazillion wannabes what game they have to play - Windows.

      Your market is saturating, and your salaries are being adjusted to match. Next time, be more careful when you (again, collectively) foul mouth competing technologies in which you have no knowledge.

      Competent admins, in any OS, are fixed at maybe 10% of all admins available. Economics are based on supply and demand, not, ever, "getting what you pay for". When there are 2 people for every 1 job, you can expect lower pay no matter how good those 2 people are.

      > who is going to want to use their training to specialize in the market that pays the least

      Good question. The Monopoly lives, so it is now (by definition) the only game in town. The only competitor apparent is "Free Software", and that pays even less.

      Having done a number of TCO studies in my time, the pro-MS types that fought to advance their power base by pushing MS, only shunted administrative dollars to MS. Admin cost of *NIX are higher, but not so much so as the costs shunted to MS license fees.

      So, typical 10000 person Corp paid upwards of US $20 million to upgrade to W2K. That's a lot of dollars that are no longer available to admins like you (singular).

      Not to be so hard on you... Computers are by their very design intended to capture "improvement" through automation, and retain that automation for the express purpose of permanently "disposing" of the entire related (paid) labor force. Administration is one area that can be vastly "improved" using automation. If we look at "appliances" we see they can, in fact, be improved to require nearly zero admin. Sooner, or later, they will reach that goal and render their keepers redundant.

      Computers only need "one good soul" to carefully explain to them "how it's done". After that, a paid labor force is no longer needed to accomplish that goal. Today's IT "market" is based almost exclusively on the inefficiencies of its youth. But, markets are designed to eliminate inefficiencies as quickly as possible, and your dwindling salary is a manifestation of them doing so.

      So, getting into computers is NOT such a wise career choice for people of college age. The number of "computer people" needed will be falling dramatically over the next decade. Good money now, but there just isn't the 40 year horizon one needs to call it a career.

    3. Re:Untrained Microsoft Sys Administrators... by weave · · Score: 2
      Computers only need "one good soul" to carefully explain to them "how it's done". After that, a paid labor force is no longer needed to accomplish that goal.

      ... unless they run a Microsoft OS. Thanks to a security hole every week being patched and the cowardice of the people I work for to make a bold switch away from Windows, my job security is all but assured...

      I feel like a high-tech janitor. I just get to clean up shit all day long... :-(

    4. Re:Untrained Microsoft Sys Administrators... by HiThere · · Score: 4, Insightful

      Truthfully, I'm surprised that the career of computer programmer has lasted as long as it has. (N.B.: I didn't say sys admin.)

      OTOH, the job has changed significantly in that time frame. I attribute its longevity to the slowdown produced by the MS monopoly. (And, to an extent, I'm a bit grateful, in a guilty kind of way.) VisiCalc was the handwriting on the wall.

      However, this has just meant that the activity has shifted to a higher level. Now languages are expected to contain things like GUI building toolkits, or even full GUI builders. (Glade is an example here. It's relatively easy to add the ability to read the Glade XML file to a language.) N.B.: A language here is including not only the core features, but also the default libraries (e.g., Swing or AWT).

      I am less aware of the trends in system administration, but I assume that the same path is being followed. The early tools are clearly sub-optimal, but as time goes on they improve. They'd better. The ones that don't will fail to reproduce successfully.

      System administrators need to adapt to the changing environment. So do programmers. Both paths have a finite duration. (I.e., when computers start to manifest "common sense" the handwriting will be on the wall. Bloat be damned!)

      Once upon a time I did a forecast of future employment trends (as a kind of academic exercise). I wrote it up as a paper titled "Be a garbage man". This was based on expected duration of the professions that I considered. Management is in a peculiar position here. The formal decision making that the managers engage in is clearly something that they are incompetent at. But if there isn't a person on the top of the pyramid, many people get quite upset. Thus, ignoring for the minute the obvious advantage a manager at the top has toward job presentation, human nature seems to ensure that the top of the pyramid will be a person. Possibly a figurehead (one can hope?), but a person.

      If one includes political considerations this whole projection thing becomes a lot more complex. And unmanageable. But notice that whenever political considerations enter the technical folk tend to get the short end of the stick (because they don't pay enough attention). This means you!

      Don't expect any job that you take to last for 20-40 years. At least not without evolving into something you wouldn't have recognized at the beginning. Any job.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    5. Re:Untrained Microsoft Sys Administrators... by VB · · Score: 2, Interesting


      There's more to systems administration than having irritating dialog boxes asking you to authorize inbound port 80 connections. These types of processes are end user activities, for which it sounds you're more inclined. If you don't have the patience to analyze packet data, don't be a network administrator. Be an end user instead and don't complain about how hard it is to be a system administrator.

      Of course, I'm assuming this is your lot. If the original poster hadn't struck a nerve, I doubt you'd have replied. No offense, but network administration is hardly child's play. It's difficult for a reason. Some people aren't qualified to do it. M$ is educating PHBs incorrectly, which was the original poster's point and I agree with it....

      --
      www.dedserius.com
      VB != VisualBasic
    6. Re:Untrained Microsoft Sys Administrators... by fferreres · · Score: 2

      I agree. That's why i studied economics but work in the IT field :) ... anyway i think your conclusion is a bit exaggerated. My advice would be as follows:

      If you are basing your future income in learning Windows administration, you'll be definitely out of luck, because it has no permanent value. It will change all time, automated, "assimilated". You'll be relearning your basic skills every 5 years, and everything else you know will be "history".

      On the other hand, if you learn what "persists" through time (like programming or knowing CAD basics, or generic databasing skills) then you will be able to focus on problem solving in hundreds of areas. If you combine these skills with that of an unrelated career which is likely to benefit from computing and communications (internet), then best of both worlds.

      My opinion though. It may also be the case where for some reason unknown to me, things turn very different with HUGE specialization and very narrow scope of view for each individual.

      --
      unfinished: (adj.)
    7. Re:Untrained Microsoft Sys Administrators... by fferreres · · Score: 2

      And, as the limit of "business efficiency" improves as the function of X approaches 100%, who's left with money to buy anything?


      This is kind of offtopic (so I'll delete the +1 bonus), yet it's quite interesting. You have two outcomes. You are either someone owning one of those companies or you are not. If you are not, then you are dead (more precisely, death by starvation). If you do own "capital" (deposits, stocks) then you have no problem. When X approaches to 100% what you'll see is that 100% of the goods produced will be targeted at the "survivors" products demand, else you won't be able to sell the product or service.

      That's following your extreme example logic, but there is a variation: food gets so cheap in terms of costs that you are better off "simulating" average Joes are useful, so you don't have your streets polluted with dying children, or civil wars. But for them to earn that food, they must work A LOT, and not be able to "enter into the survivors elite" in huge numbers. Just the illusion of it, some guys doing great fortunes (like a lottery thing).

      The exact opposite view is also thinkable, but unlikely to happen ("survivors" know when to do some giveaways and how): when everything gets automated and X approaches 100% efficiency, then you won't have any more need for rich people, saving money, etc.

      (note: I do really understand things don't work consciously in this way. But it's true. Jobs are lost everyday around the globe and creating new ones is hard because there is no real need. If you don't have a job you don't earn the right to eat. So they can't sell anything to you. If you have capital, then you really don't NEED to work). So eventually, jobs are lost everyday and recreated artificially because it makes sense to the capital owners to show capitalism is THE way. It IS the way, it works. But it's not perfect. It barely works because people are people. If we thought of ourselves as things then a lot of us would have been terminated long ago.)

      --
      unfinished: (adj.)
    8. Re:Untrained Microsoft Sys Administrators... by buss_error · · Score: 2
      The number of "computer people" needed will be falling dramatically over the next decade

      Hmm. I still remember hearing fifteen-eighteen years ago that in five years programmers would no longer be needed, the user would be able to do all the programming by using a "smart" program generator in an "interview" process.

      Well, I don't see programs being written by programs very often, and there are still quite a few programmers around. Even many with (whisper it) jobs. Powerful systems are flexible systems, and flexible systems are not simple. There will always be a growing need for "computer people". We can argue the curve, but it will always increase, not decrease, and the job will get harder, not easier. Just my .02 worth.

      --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
    9. Re:Untrained Microsoft Sys Administrators... by fferreres · · Score: 2

      Well, yes. If you are comparing the career versus an MCSE-like "training", you are 101% correct. Nevertheless, I was talking about applied computing, because at some time, pure computer science alone may reach a point where only a small portion will be able to find a real (good) job.

      Where I live there is not much distinction between someone that REALLY knows what he is doing, and a guy that behaves as if he really knows what he is doing, and he doesn't know squat :). So unless you know something else, you became a self-marketing monster only to find out that the rest sells (apparently) the same "knowledge" for 1/3 the money (that ends up costing the company 50x what they should have spent).

      --
      unfinished: (adj.)
    10. Re:Untrained Microsoft Sys Administrators... by mpe · · Score: 2

      This specific problem isn't about whether M$ admins are good, bad, untrained, uninformed or if whether they are Gods(tm). This is a completely non-M$ issue.

      The central issue is having something switched on by default when it might be better defaulting to off. This is certainly to some extent a Microsoft issue, simply because Microsoft are notorious for packing in "features" which are rarely needed, but which default to being enabled.

    11. Re:Untrained Microsoft Sys Administrators... by fferreres · · Score: 2

      Yes, I really agree with your point of view. It's not important to be the expert in "null pointers with void random whatever foo", because that may change suddenly and you are left "uneducated" from a practical perspective.

      The times that one could say "I know computers" and only be able to make some VB scripts in Excel are over. That's one of the positive sides of the dot-bomb crash :-)

      Makes me happy. People need to really understand the fields where they work. And the dot com era clearly showed nobody had a clue about it. Yet, Internet will move huge amounts of money. They just spent 1000000x more than needed in the dot.com boom, now they are spending less than optimal, and the ones that position themselves today will play an important role in the future.

      --
      unfinished: (adj.)
  20. MS-DOS by sarcast · · Score: 5, Funny

    Hasn't MS had this around for a while now?

    They even called it MS-DOS...oh wait, that was Disk Operating System...nevermind.

  21. What's with... by Jacer · · Score: 2

    putting this under the microsoft headline, i mean, i know you don't like them, but it's hardly fair to them, apple is doing it too! hatred is only successful if you annihilate them without being partisan.....

    --
    --fetch daddy's blue fright wig, i must be handsome when i release my rage
    1. Re:What's with... by archen · · Score: 2, Interesting

      Well it's more of an MS issue (even though OS9 is doing it too). With OS9 it's more like a special case, with Win2k it's more of a problem because it's a default. Despite the fact that it's pathetically easy to fix, the problem will be actually getting PEOPLE to uncheck a box.

  22. Solution by standards · · Score: 2, Funny

    Here's the solution:

    1. Upgrade to Mac OS X. It's so cool.
    2. People use W2k on the internet? Is that safe???

  23. Re:Wow. Companies that care. by Fembot · · Score: 2, Informative

    If the problem is the private IP's attempting to update DNS records then they have to have been nat'd or masqueraded in some way, so short of parsing EVERY DNS packet there is no way to tell since the source address will be the user's public IP
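
Added example, not part of the thread: a sketch of the per-packet inspection the comment above says would be needed once NAT has hidden the private source address. It reads the RFC 2136 header and zone section of a UDP DNS payload and flags UPDATEs aimed at the reverse zones for RFC 1918 space; the function names, the verdict strings and the constructed test messages are assumptions of this example.

```python
import struct

OPCODE_UPDATE = 5            # RFC 2136 opcode
TYPE_SOA, CLASS_IN = 6, 1    # the zone section of an UPDATE carries ZTYPE = SOA

# Reverse zones for 10/8, 192.168/16 and the sixteen /16s of 172.16/12.
PRIVATE_REVERSE_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)
]

def in_private_reverse_space(zone):
    dotted = "." + zone.lower().rstrip(".")
    return any(dotted.endswith("." + z) for z in PRIVATE_REVERSE_ZONES)

def encode_name(name):
    """Encode a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_message(msg_id, opcode, name, rtype):
    """Constructed input: 12-byte header plus one zone/question entry."""
    flags = opcode << 11                      # QR=0 (request), opcode in bits 11-14
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", rtype, CLASS_IN)

def read_name(payload, offset):
    """Read an uncompressed name, rejecting pointers and truncated labels."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            # The first name in a message has nothing earlier to point to.
            raise ValueError("unexpected compression pointer")
        if offset + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length

def classify(payload):
    """Return 'drop', 'pass' or 'malformed' for one UDP DNS payload."""
    if len(payload) < 12:
        return "malformed"
    _id, flags, zocount, _pr, _up, _ad = struct.unpack("!HHHHHH", payload[:12])
    is_response = flags >> 15
    opcode = (flags >> 11) & 0xF
    if is_response or opcode != OPCODE_UPDATE:
        return "pass"                         # ordinary queries are not the issue here
    if zocount != 1:
        return "malformed"                    # RFC 2136: exactly one zone per UPDATE
    try:
        zone, end = read_name(payload, 12)
    except ValueError:
        return "malformed"
    if end + 4 > len(payload):                # ZTYPE and ZCLASS must follow the name
        return "malformed"
    return "drop" if in_private_reverse_space(zone) else "pass"

if __name__ == "__main__":
    for zone in ("168.192.in-addr.arpa", "example.com"):
        print(zone, classify(build_message(1, OPCODE_UPDATE, zone, TYPE_SOA)))
```

Only the zone name decides the verdict, so the check works on traffic that has already been NATed to a public source address.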

  24. Re:Wow. Companies that care. by jacobito · · Score: 3

    Actually this does not sound at all like an issue that should've been caught in user testing. There is no magic to software testing, and it's a thoughtless misconception to think that "good" software testers will catch every conceivable issue. Software testing catches what the software testers are looking for. Any other issues have to be fairly obvious to be caught, in most cases.

  25. People still not unchecking that option? by bogie · · Score: 3, Informative

    You know, I never understood why they did this as default. And I am also surprised it took this long for anyone to loudly complain. First thing I have always done when installing 2k/xp machines that don't need it is uncheck that option.

    MS clients should not attempt this unless they are on a 2k AD domain. This is also as someone pointed out a good reason to filter your outgoing traffic.

    It reminds me of when they had that check for "logon" enabled by default for ppp connections, when 90% of ISP's didn't support this.

    --
    If you wanna get rich, you know that payback is a bitch
  26. MS Embracing & Extending DNS! by mrwiggly · · Score: 2, Interesting

    Look out, I think this is an MS plot

    First flood the root servers (running bind), cause them to fail, and then claim that if they ran MS-DNS, this wouldn't be happening.

  27. Block RFC1918 addresses at your border... by ipsuid · · Score: 5, Informative

    To quote from RFC1918:

    It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise.

    If you are connecting your internal LAN using a private address space (10/8, 172.16/12, or 192.168/16) you are obviously using a firewall or router configured with NAT.

    These need to be configured correctly for many different reasons, including the prevention of the effect mentioned in this article... Add null routes, or packet filter rules for any outgoing packets containing a destination falling in the RFC1918 address space. Also do the same for the incoming packets. By not doing this, you are flooding your upstream provider (in this case the root DNSs) with tons of bogus *(^@.

    A few years ago I was lead engineer for a wireless internet company. Our clients were provided with a raw connection, just as if they had gotten a T1. After doing a week long network audit shortly after starting there, I was amazed to find that over 80% of our customer base had internal configuration problems with their NAT setups. Sniffing on the network, I got to see everything from MS Browse messages, DHCP requests, Netware "burbs", and tons of other stuff that should have never left their LANs.

    I finally ended up installing firewalls at each POP site, just to dump out the extra junk... Our network speed increased by over 20% just blocking this nonsense at the POP (tower site) and keeping it from coming over our wireless backbone connections... On a typical 16MB/s link that's over 3MB/s of bandwidth we saved.

    --
    It appears Ockham lost his razor and grew a beard.
  28. Re:Great. Yet Another Bandaid by mcrbids · · Score: 5, Informative
    Someone else said it, I'll try to say it nicely.

    Using a private "unroutable" IP address affords surprisingly little protection. Using techniques like source routing or a compromise of a trusted host, your network can be quickly and easily penetrated.

    Firewalls are needed even if you are using private addresses and NAT to access the Internet. In fact, the main reason to use NAT for a local LAN is so that your LAN IP addresses don't conflict with public addresses!

    You have to use NAT with these private addresses, or else external connectivity doesn't work. (without a public address, it's damn near impossible to determine how to get the packets back to you!) And that means some things (for example, many network games) either don't work or work in only limited fashion.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  29. Re:Whew! by Tony+Hoyle · · Score: 2

    Actually, you probably are. Win2k sends the DNS updates anyway even if it's got a static IP. If the DNS server rejects it it waits a couple of minutes and sends it again... seemingly forever.

    Win2k server also tries to send to a bogus 172.16 address even if it's been assigned a static IP which isn't in this range - there seems no reason for this, it's just being odd. You have to make sure your firewall blocks that too otherwise you're just passing private IP addresses to the upstream router (which will either dump them or pass them even higher).

    If you want a bit of fun run tcpdump on an idle Win2k machine & watch how many packets it sends... you'll be surprised.

  30. New Ad Campaign by Shriek · · Score: 2, Funny

    Who do you want to flood today?

  31. CAIDA's "DNS Measurements at a Root Server" paper by mrwilsox · · Score: 5, Informative

    This problem, along with many, many others, was described in a CAIDA paper, "DNS Measurements at a Root Server." They basically ran TCPDump on root server F, and analyzed the traffic. An amazing number of invalid requests are sent all the time. It really shows how important it is for network admins to correctly set up their name services, but it also identifies problems caused by bugs in software. Very interesting read: http://www.caida.org/outreach/papers/2001/DNSMeasRoot/

  32. Re:Have no worry :( by weave · · Score: 2
    There are no entry-level unix jobs right now. There are plenty of entry-level MS jobs.

    I'm not trying to be smart, but this proves my point. Do you really think it's wise to throw an entry-level microsoft admin into a role administering microsoft servers?

    Sure, you may be able to install a w2k server and pick all the defaults for active directory and basically have it work, but an experienced admin understands not only the technical requirements of something like Active Directory, but the huge human issues surrounding it, like the need to push an organization to define its structure so as to better define a workable active directory structure that does a little more than just spit out random DHCP replies, answer DNS requests, and authenticate a few logons...

    It doesn't matter if you bow before the great Unix or Microsoft God, you should have experienced as well as entry-level tech positions in an organization. Having a policy that excludes either set is short-sighted and foolish.

  33. These posts are annoying by Anonymous Coward · · Score: 2, Insightful

    CmdrTaco, this news article has six links, but
    only one of them actually relates directly to this
    particular piece of news. Please make it
    more obvious which one is correct -- I'm tired
    of having to move the mouse over each one and
    see what the address is in order to try to figure
    out which link actually gives me the news.

    (please mod this up so people see it! this is
    becoming a big problem on slashdot. and this is
    anonymous, so it's not karma whoring)

    1. Re:These posts are annoying by Lazy+Jones · · Score: 3, Interesting
      Agreed. It should read something like this:
      wizzy writes "Irelands toplevel domain registry [http://www.domainregistry.ie/] has a notice on Microsoft and Apple DHCP [http://www.isc.org/products/DHCP/] clients sending dynamic DNS updates per RFC2136 [http://www.ietf.org/rfc/rfc2136.txt]. The problem is they are not sufficiently careful about where they send it if they are in ...
      or, perhaps:
      wizzy writes "Irelands toplevel domain registry (*) has a notice on Microsoft and Apple DHCP (*) clients sending dynamic DNS updates per RFC2136 (*). The problem is they are not sufficiently careful about where they send it if they are in ...

      I guess we should be happy that they don't link to Apple and Microsoft as well ;-)

      --
      "I love my job, but I hate talking to people like you" (Freddie Mercury)
  34. Re:Great. Yet Another Bandaid by lunky · · Score: 2, Funny

    What exactly is your complaint about firewalls?

    Do you think that firewalls are a bad thing? ....because they are hard to configure?

    >The only purpose of firewalls seems to be to accomodate people who can't be bothered switching to DHCP.

    Is this a joke?

    --
    lunky> c++; lunky> do{;}
  35. Frequency by rant-mode-on · · Score: 4, Funny

    How often does Win2K register these ip addresses? Is it once an hour or so, or is there really a million win2k boxes being rebooted every hour?

  36. NAT's not necessarily implied here by billstewart · · Score: 2
    You might be using RFC1918 space because you're using NAT, but there are other reasons and other ways to configure firewalls. The important reason is that you aren't getting your IP address space from your ISP, so you're doing the right thing rather than picking random numbers that belong to somebody else. You might be using a proxy firewall in a DMZ to fetch web pages and handle email instead of using NAT, and you can implement it relatively simply even without the proper router filters :-)

    Of course, ISPs should be filtering out packets in RFC1918 space, and their DNSs should be managing the requests rather than bugging the root servers with them.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  37. Re:MAC? by Tokerat · · Score: 2
    MAC is an Ethernet addressing scheme.

    Mac or Macintosh is for Apple Macintosh computers.

    When people say "MAC" I think networking. When people say "Mac" I think Macintosh.

    --
    CAn'T CompreHend SARcaSm?
  38. Re:That's *MAC OS* 9, not OS9 :-) by interiot · · Score: 2
    I generated the img on 68k.org, so I should be even more knowledgeable, right?

    Nope. I'm unix and windows person only, sorry. All I know is my friend's G4 powerbook has a cool taskbar thing.

  39. Re:Why are sysadmins stupid? by the+eric+conspiracy · · Score: 2

    This isn't a security hole. In fact, it's more of a feature.

    Hmmmm... DDNS updates could be considered to be a feature. What is definitely NOT a useful feature is that they are enabled by default.

    Why on earth would/should it ship differently?

    Isn't that the point of the article? The fact that this feature is on by default is causing the root name servers to be flooded with 1 MILLION DDNS updates per hour. That means very simply that Microsoft's latest misplaced attempt to be featureful is resulting in what is effectively a DDOS against the root nameservers. That is a very bad thing.

  40. MS does have a fix for this, sorta by G00F · · Score: 2, Interesting

    Not to be making ms look better, but to give some people a way to fix it. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q259922

    --
    The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
  41. SPAM by Dwonis · · Score: 2
    Ugh. People do it with "spam", too.

    The canned meat is "SPAM".

    The theft of resources is "spam".

  42. Paul Vixie's original post to the NANOG list: by talks_to_birds · · Score: 2
    "...what these files are is a whole lot of lines that look like (broken by me):

    18-Apr-2002 16:16:05.491 security: notice: denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN

    by "a whole lot" i mean we've logged 3.3M of these in the last four hours..."

    t_t_b

    --
    I'm on PJ's "enemies" list! Are you?
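
Added example, not part of the thread: one way an operator could triage a log full of lines like the one quoted above, counting denied updates for RFC 1918 reverse zones per source address. The first sample line is the one from the post; the remaining lines are constructed with documentation addresses, and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Layout of the BIND "denied update" line quoted in the post above.
DENIED_UPDATE = re.compile(
    r'^\S+ \S+ security: notice: denied update from '
    r'\[(?P<src>[0-9.]+)\]\.(?P<port>\d+) for "(?P<zone>[^"]+)" IN'
)

# Reverse zones for 10/8, 192.168/16 and the sixteen /16s of 172.16/12.
PRIVATE_REVERSE_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)
]

def in_private_reverse_space(zone):
    dotted = "." + zone.lower().rstrip(".")
    return any(dotted.endswith("." + z) for z in PRIVATE_REVERSE_ZONES)

def summarize(log_text):
    """Count denied updates for private reverse zones, by source and by zone."""
    by_source, by_zone = Counter(), Counter()
    other_denied = unmatched = 0
    for line in log_text.splitlines():
        m = DENIED_UPDATE.match(line)
        if m is None:
            unmatched += 1                  # not a denied-update line
        elif in_private_reverse_space(m.group("zone")):
            by_source[m.group("src")] += 1
            by_zone[m.group("zone")] += 1
        else:
            other_denied += 1               # denied, but not RFC 1918 leakage
    return {
        "private_by_source": by_source,
        "private_by_zone": by_zone,
        "other_denied": other_denied,
        "unmatched": unmatched,
    }

def top_sources(summary, n=3):
    """Sources responsible for the most leaked updates, noisiest first."""
    return summary["private_by_source"].most_common(n)

# Line 1 is quoted from the post; the rest are constructed for this example.
SAMPLE_LOG = '''\
18-Apr-2002 16:16:05.491 security: notice: denied update from [63.198.141.30].2323 for "168.192.in-addr.arpa" IN
18-Apr-2002 16:16:05.502 security: notice: denied update from [192.0.2.17].1045 for "10.in-addr.arpa" IN
18-Apr-2002 16:16:05.611 security: notice: denied update from [192.0.2.17].1046 for "10.in-addr.arpa" IN
18-Apr-2002 16:16:06.020 security: notice: denied update from [198.51.100.9].3120 for "16.172.in-addr.arpa" IN
18-Apr-2002 16:16:06.377 security: notice: denied update from [203.0.113.80].4001 for "com" IN
18-Apr-2002 16:16:07.101 general: info: constructed unrelated line
'''

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, count in top_sources(report):
        print(f"{src}\t{count}")
    print("other denied:", report["other_denied"])
```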
  43. My complaints by fm6 · · Score: 2
    I may be wrong about the utility of firewalls (see one of the other responses to my post, which I am not knowledgeable enough to answer) but they sure as hell are a nuisance for the user. You can only use ports specifically allowed for by the firewall admin. I once worked for a well-known computer company that was every script kiddie's favorite target. (Not that one, the other one.) Provided your client was properly configured (this was supposed to happen automatically, but usually did not) you could do HTTP and TELNET. That was it. No SSL (do your home banking at home!), no Realaudio. No contacting web servers that don't use Port 80.

    Part of the reason for being so restrictive (or so we were told): every service they allowed to pass over the firewall added to the cost of maintaining the thing.

    Come to think of it, they probably shouldn't allow TELNET.

    Perhaps my rant against them reflects my relative ignorance of routing issues. My current employer employs a proxyless system that allows me to see out of the network, but not others to see in. Is that a firewall? Given the vagueness of the concept ("Some of the best firewall professionals I know don't even bother with firewalls" -- Chapter 12 of Secrets and Lies), it probably depends on who you ask.

  44. Re:Great. Yet Another Bandaid by evilviper · · Score: 2
    Using techniques like source routing or a compromise of a trusted host, your network can be quickly and easily penetrated.


    No self respecting OS has source routing enabled. Yes, Windows does, but that was my point.

    'Trusted Host' implies that in your infinite wisdom you have trusted it. If it gets compromised, well, you know the deal.

    I've seen several firewalls with security so tight a single stray packet will cause an alarm to go off. However, equal thought is not given to physical security as you can just walk in and stick a disc into the nearest machine. Just a point to ponder for sys admins out there.
    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  45. OK, I'm confused by fm6 · · Score: 2
    I'm not qualified to properly answer your argument. But I don't understand:
    In fact, the main reason to use NAT for a local LAN is so that your LAN IP addresses don't conflict with public addresses!
    I thought there were blocks of IP addresses specifically set aside for non-global use? RFC 1918, yada yada.
  46. That's *Mac*OS 9 by Paladeen · · Score: 3, Insightful

    What is it with people and writing MAC instead of Mac?

    Mac is short for Macintosh, it's not a bleeding acronym! I can put up with it when it comes to ignorant posters, but seriously, shouldn't the Slashdot editors know better?

  47. Link for the original thread on the NANOG mailingl by MavEtJu · · Score: 3, Informative

    is here.

    It's funny to see a ten megabyte logfile produced every seven minutes *SLAP* woops. It's /not/ funny seeing a ten megabyte logfile produced every seven minutes. I wonder what they use for logfile analyses, I think it's getting more information than it's able to process.

    Edwin

    --
    bash$ :(){ :|:&};:
  48. localdomain may work but isn't canonically correct by Olinator · · Score: 2, Informative

    Blockpoth the quoster:

    Shouldn't your local domain be just "localdomain" (without any top-level domain)? Linux installations typically default to localhost.localdomain, and I think that's the standard.

    No. (Although using ".localdomain" doesn't suck as badly as naming your private network "slashdot.org" and assuming that your NATbox will prevent anyone from seeing this posturing..) In practice, using ".localdomain" probably won't break anything as a pseudo-TLD for an RFC 1918-conformant private IP space, presuming you're talking about a home network that's not going to have anything complex depending on absolutely strict, standards-compliant DNS behavior, but it's actually defined as a domain "having an A record pointing to the loop back IP address and is reserved for such use. Any other use would conflict with widely deployed code which assumes this use." I.e. for DNS purposes, the only .in-addr.arpa domain that should map into localdomain is 127.in-addr.arpa -- this is the class-A netblock for your loopback interface(s), which all have the form 127.#.#.#.

    RFC 2606, "Reserved Top Level DNS Names", says that the TLD for a private network space should be one of the following:

    • .example
    • .test
    • .invalid
    (Note: there's no (technical) reason the TLD has to have three letters or less.)

    Ole
  49. Re:Wow. Companies that care. by Tony-A · · Score: 2

    "With enough eyes, all bugs are shallow" or something to that effect.
    It's the find and identify. A lot of bugs stay very well hidden until you look at them in just the right way.

  50. in-addr.arpa bogus queries - a Funny Story by drwho · · Score: 2, Funny

    I am an administrator for some IP space assigned but not ever routed. Several years ago, I was wondering where the hell all my bandwidth was going and found a lot of it was for DNS traffic trying to resolve IPs in that space. This was very odd, considering that it wasn't routed. These were at the rate of about 10 per second per IP address, and there were about 80 addresses two servers were querying for, for a total of 1600 requests per second. Now, there was no DNS server running on the host that these requests were going to so they were sent port unreachable messages.

    Evidently what was going on was this large corporation was using MY IP space internally, but they weren't making their DNS servers authoritative for it, so the DNS servers went to the Internet (and to me) for resolution. Something somewhere was configured wrong and so they retried constantly.

    I firewalled these DNS servers out, but not before I composed email to the whois contact at the big corporation telling them to fix this stuff. They ignored me (yes I made sure their SMTP sending host was not blocked). Firewalling didn't fix the problem, only kept my server from sending port unreachable messages. The queries from the big stupid corporation's network were only getting worse. I was getting really pissed off.

    So I put up a DNS server up on that host, and made entries for every single IP (I was using bind, which is too stupid to have default responses). And I had fun, with obscene and abusive DNS names for every host, and forward resolution to match (in a silly domain also routed to the same dns server) -- and the highest possible TTL! Problem solved!

    The funny thing is that this staid corporation was now seeing all sorts of nasty names on their internal servers...BAH HA HA.

    The abuse stopped. Hopefully, someone was fired. Now we know that they will never attack me again in this way: you see, that abusive network belonged to Enron :)

    I actually let them off the hook easily. I had, at this point, control over data being returned to servers well firewalled away. Servers that probably had ancient resolvers that had buffer overflows in their DNS resolvers. High level servers that could have been r00ted straight through the firewall.

    moral of the story: don't leave dns work to weenies. You may be surprised at the results.

  51. Old news by CowbertPrime · · Score: 2

    We (uconn.edu) detected this either last year or the year before with misconfigured windows clients (typically win2k AS where someone left the DNS service running with a default configuration).

  52. Re:Great. Yet Another Bandaid by Tony-A · · Score: 2

    Seems like security is a perimeter type of thing. Weakest link and all that.
    As long as people inside get email and have access to web pages and floppy disks, there is nothing a firewall can do that will actually make the network secure. A hair-trigger firewall seems like a good target for diversionary attacks.

  53. Re:Whew! by Tony-A · · Score: 2

    Just remember
    These are the folks bringing you .NET

  54. Re:I think about McDowell's by Tokerat · · Score: 2
    LOL.

    We both got all beef patties, special sauce, lettuce, cheese, pickles, and onions. But, they use a sesame seed bun. My buns have no seeds.

    What does dumb fuck mean?

    --
    CAn'T CompreHend SARcaSm?
  55. Re:This is old news by spectecjr · · Score: 2

    Um, you don't uncheck the "Let Windows manage my virtual memory" box.

    DNS is not specialised knowledge. Neither is swap (that's virtual to you) memory. I hope you can still get a job with that MCSE you bought.


    Idiot.

    I said how it works, not what settings you get to play with.

    And DNS is specialized knowledge. Just because someone has an MCSD, doesn't mean they know how DHCP, DNS, BOOTP or RARP work. Typically, they don't need that knowledge.

    Similarly, just because someone is a sysadmin and understands how these protocols work, it doesn't mean that they know the first thing about software development, software engineering or software architecture.

    Most sysadmins, for example, wouldn't know what the difference between a single-threaded apartment and a free-threaded apartment was. Or what the first window message a dialog box receives. Or, for example, how to program in Sather. Or Cobol. Or Z80 assembly language.

    Get the picture? Knowledge is specialized. Just because an "MCSE" or an "MCSD" doesn't know something, that doesn't mean it's wrong. You don't see an internal medicine specialist about your acne - and you don't see a software engineer about how to configure your network. Although, most likely, typically, both will know a little about the other field.

    In other words, don't make fun of people's lack of knowledge until you know they're unwilling to learn about anything. Because they may know more than you will ever dream of knowing about some other field.

    Simon

    --
    Coming soon - pyrogyra
  56. Problem solved... by MsGeek · · Score: 2

    Just got finished setting my 2K box straight. Yeah, I think that ICANN should think quite strongly of setting aside .LAN as a non-routable TLD. Simple, looks like a real TLD, but can't get out on the Internet. Just like non-routable IP addresses: 10.x.x.x, 192.168.x.x and those Class B's that nobody uses but are there anyway.

    I didn't know about the attempt to codify .LINK as a non-routable TLD, but .LOCAL was once proposed and is often used as an example in books about TCP/IP networking. .LAN, however, has the advantage of looking like a "proper" TLD. (at least Stateside, anyway...)

    --
    Knowledge is power. Knowledge shared is power multiplied.
  57. Re:That's *MAC OS* 9, not OS9 :-) by MsGeek · · Score: 2

    Radio Shack also licensed OS9, and used it as the operating system for the Color Computer.

    --
    Knowledge is power. Knowledge shared is power multiplied.