Slashdot Mirror


W2K and MAC OS9 Flood Root Nameservers?

wizzy writes "Ireland's top-level domain registry has a notice on Microsoft and Apple DHCP clients sending dynamic DNS updates per RFC2136. The problem is they are not sufficiently careful about where they send it if they are in RFC1918 space - usually used for behind-firewall addressing, which is where they usually are. This is resulting in bogus updates being sent at the rate of nearly one million an hour to root nameservers, only to be rejected - as reported on the NANOG mailing list."

19 of 238 comments

  1. Firewalls by chrysalis · · Score: 4, Informative

    Yet another reason to use firewalls to filter _OUTGOING_ connections and not only incoming ones (the other reason: to avoid backdoors).

    1. Re:Firewalls by barberio · · Score: 5, Informative

      (Begin lies-to-children style technical summary)

      In a proper DNS system, you don't have outbound DNS queries except from the DNS server in your network. Hence, blocking all outbound DNS queries works. Each client in the network should be set to query the network's DNS server, and this in turn queries other servers. (DNS is a recursively distributed network; your DNS server will pass on your queries on the clients' behalf.)

      Clients should not have to directly query DNS servers off site or outside of your ISP. Clients should never directly query the root servers.

      What is happening here is that various ISPs and companies have large numbers of desktop PCs getting their information via DHCP. These do some housekeeping on boot up. If the settings are screwed up either on the desktop or the server, then DHCP will send off queries and updates to DNS servers it thinks it needs to.

      So, if you're so eleet that you set your internal home network to be slashdot.net, with little nodes such as www for your webcache, you might be causing the real slashdot.net problems. This will be because DHCP gets confused and thinks it needs to report to its higher-up level, the real slashdot.net DNS servers.

      If you just have bare nodes like 'foo' and 'bar', then DHCP can be screwed up so it tries to report to the higher-up level, the root servers.

      As you can track down every system and user who has these things malset, you have to filter on firewalls.
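To make the "higher-up level" idea above concrete, here is an added example (not code from the post, and not either vendor's client) that models where an RFC 2136 update ends up. It treats the updating client's SOA lookup as a walk up the name: the closest enclosing zone the client can find receives the update, so a bare hostname with no local zone lands on the root, a borrowed domain lands on the real owner, and a zone the site serves itself (the fix suggested further down) keeps the update at home. The zone table is constructed; only a.root-servers.net is a real name, used for illustration, and the other server names are placeholders.

```python
"""Where does a dynamic DNS (RFC 2136) update end up?

Added example, not code from the post or from either vendor's client.
It models the updating client's SOA lookup as a walk up the name: the
closest enclosing zone the client can find is where the UPDATE goes,
and its primary server is the target. With a bare hostname and no
local zone, that walk ends at the root. The zone table is constructed;
only a.root-servers.net is a real name, used for illustration.
"""

# zone (with trailing dot) -> primary nameserver that would receive the UPDATE
PUBLIC_ZONES = {
    ".": "a.root-servers.net",                 # the real root, where bare names land
    "net.": "gtld.example",                    # placeholder for a .net server
    "slashdot.net.": "ns.slashdot.example",    # placeholder for the real owner's server
}


def _canonical(name: str) -> str:
    """Ensure exactly one trailing dot ('' or '.' become the root)."""
    name = name.strip(".")
    return name + "." if name else "."


def walk_to_zone(name: str, zones: dict) -> tuple:
    """Return (zone, server) for the closest enclosing zone of `name`.

    Tries the full name first, then strips one leading label at a time.
    The root ('.') is always present in a real DNS, so a client that
    finds nothing closer sends its update there.
    """
    fqdn = _canonical(name)
    labels = fqdn.rstrip(".").split(".") if fqdn != "." else []
    for i in range(len(labels) + 1):
        candidate = _canonical(".".join(labels[i:]))
        if candidate in zones:
            return candidate, zones[candidate]
    raise LookupError("no enclosing zone at all, not even the root")


def update_target(hostname: str, dns_suffix: str, zones: dict) -> tuple:
    """Compose the name a DHCP client would register and find its target.

    Returns (registered_fqdn, zone, server).
    """
    suffix = dns_suffix.strip(".")
    fqdn = _canonical(f"{hostname}.{suffix}" if suffix else hostname)
    zone, server = walk_to_zone(fqdn, zones)
    return fqdn, zone, server


def with_local_zone(zones: dict, zone: str, server: str) -> dict:
    """A copy of `zones` with a zone the site serves itself (the fix)."""
    fixed = dict(zones)
    fixed[_canonical(zone)] = server
    return fixed


if __name__ == "__main__":
    cases = [
        ("foo", "", PUBLIC_ZONES),                       # bare node -> root servers
        ("www", "slashdot.net", PUBLIC_ZONES),           # borrowed domain -> real owner
        ("www", "slashdot.net",
         with_local_zone(PUBLIC_ZONES, "slashdot.net", "ns1.lan.internal")),  # split zone
        ("pc1", "corp.internal",
         with_local_zone(PUBLIC_ZONES, "corp.internal", "ns1.corp.internal")),
    ]
    for host, suffix, zones in cases:
        fqdn, zone, server = update_target(host, suffix, zones)
        print(f"{fqdn:<24} -> zone {zone:<16} update sent to {server}")
```

Note that an internal-only suffix such as corp.internal is no safer than a bare name unless the local server is actually authoritative for it: without that zone entry the walk still ends at the root.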

    2. Re:Firewalls by barberio · · Score: 5, Informative

      http://www.domainregistry.ie/tech/dynamic-dns.html tells you how to disable the 'registration' problem with MacOS and NT.

      The bigger problem is that of making sure you use sane name spaces, and never conflict with real ones.

  2. Flooded name servers... by chtephan · · Score: 4, Informative

    I know these problems. In my small ISP company, we are running our own nameserver.

    The logs are flooded with rejected name server updates (several hundred a day).

    They are mostly coming from misconfigured W2K servers from our customers, running their intranet with DHCP and using the same domain as in the real net.

    Sadly, we contacted the administrator, but he didn't have a clue what I was talking about (they're just running Windows on their server because they know Windows...)

    Usually I would suggest using an internal domain name that doesn't exist in the Internet and just "masquerade" the mail domains. So resolving internal addresses from outside fails if some information slips out, and the internal servers won't resolve some external name server to contact when an internal server should be.
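For the flooded-log situation just described, here is an added example (not the poster's code) that parses refused dynamic-update lines out of a nameserver log and reports which sources are worth contacting. The log lines are constructed in the style of BIND 9's update-security messages; the addresses come from documentation and private ranges, not real customers.

```python
"""Summarize refused dynamic-update attempts in a nameserver log.

Added example for an ISP nameserver whose logs fill with refused
RFC 2136 updates from customers' Windows 2000 networks. The log lines
are constructed in the style of BIND 9's update-security messages; the
addresses come from documentation and private ranges, not real hosts.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

SAMPLE_LOG = """\
Mar 12 08:01:02 ns1 named[771]: client 198.51.100.23#1054: update 'isp.example/IN' denied
Mar 12 08:01:03 ns1 named[771]: client 198.51.100.23#1055: update 'isp.example/IN' denied
Mar 12 08:01:09 ns1 named[771]: client 203.0.113.40#3002: update 'customer.example/IN' denied
Mar 12 08:02:15 ns1 named[771]: client 192.168.0.17#1057: update 'isp.example/IN' denied
Mar 12 08:02:16 ns1 named[771]: client 198.51.100.23#1056: update 'isp.example/IN' denied
Mar 12 08:02:40 ns1 named[771]: client 192.168.0.17#1058: update 'isp.example/IN' denied
Mar 12 08:03:00 ns1 named[771]: zone customer.example/IN: loaded serial 2001031201
"""

# Matches only the refusal lines; everything else in the log is ignored.
UPDATE_DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/IN' denied"
)


def is_rfc1918(addr: str) -> bool:
    """True if `addr` is in 10/8, 172.16/12 or 192.168/16."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_denied_updates(log_text: str):
    """Yield (source_ip, zone) for each refused update in `log_text`."""
    for line in log_text.splitlines():
        m = UPDATE_DENIED.search(line)
        if m:
            yield m.group("ip"), m.group("zone")


def summarize(log_text: str, threshold: int = 2) -> dict:
    """Count refusals per source and per zone and list the sources to chase.

    A source at or above `threshold` refusals is a misconfigured site
    worth contacting. A source inside RFC 1918 space reached us without
    NAT, which means that site is also leaking private addresses past
    its border.
    """
    per_source = Counter()
    per_zone = Counter()
    zones_by_source = defaultdict(set)
    for ip, zone in parse_denied_updates(log_text):
        per_source[ip] += 1
        per_zone[zone] += 1
        zones_by_source[ip].add(zone)

    offenders = [
        {
            "source": ip,
            "refused": n,
            "zones": sorted(zones_by_source[ip]),
            "leaked_private": is_rfc1918(ip),
        }
        for ip, n in per_source.most_common()
        if n >= threshold
    ]
    return {"per_source": per_source, "per_zone": per_zone, "offenders": offenders}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("refusals per zone:", dict(report["per_zone"]))
    for o in report["offenders"]:
        flag = " (private source leaked past NAT)" if o["leaked_private"] else ""
        print(f"{o['source']:<16} {o['refused']:>3} refusals for {o['zones']}{flag}")
```

The per-zone count tells you which of your own zones the customers' clients believe they belong to, which is the "same domain as in the real net" mistake; the per-source list is the contact list.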

  3. Forget firewalls by CounterZer0 · · Score: 5, Informative

    They only solve a SYMPTOM of the issue. These people need to set their systems up correctly! Either a) install MS-DNS and point your boxen at that, or b) use BIND, but ENABLE dyn-dns and stop this traffic at the local level.
    And if you use an RFC1918 address space, your DNS server should have reverse lookups enabled for that address space - even a split zone so the world won't see them - and that will a) make management of the network easier, and b) prevent problems like this from happening ;)

  4. Popular domains by SealBeater · · Score: 5, Interesting

    Another problem is that people are naming their boxes after popular domains that they don't own, and the dynamic updates are pounding the hell out of the domain owners' nameservers. If anyone here is doing this, owl.com and jove.com were two of the domains named.

    Sealbeater

    --
    -- It's survival of the fittest...and we got the fucking guns!!!
  5. Re:How to Fix? by schon · · Score: 5, Informative

    No idea about the Mac, but instructions for Windows can be found at http://www.isc.org/ml-archives/bind-users/2000/11/msg00109.html

    It's pretty funny that the "Win2K is as good as Unix because you don't need to reboot it to change settings" mantra that I hear from MCSE's doesn't apply to this :o)

  6. Check if you're misconfigured (I was) by interiot · · Score: 5, Informative
    Here's a page detailing how to check this in Win2K and OS9. I'm glad I checked because I was misconfigured.

    Specifically, if your WinXP advanced DNS settings look like this, then just uncheck that box.

  7. Re:this is a bit complex for me.. by blixel · · Score: 4, Funny

    > why is this the first time that anyone's noticed this?

    You think that just because you read this article on Slashdot today that it was "just noticed" as of yesterday or something?

  8. Untrained Microsoft Sys Administrators... by weave · · Score: 4, Insightful
    Thanks to stupid ad campaigns and Microsoft saying that Windows servers are easy to administer and don't require expensive experts, it causes the worth of Microsoft Sys Admins everywhere to be cheapened. As someone who administers Microsoft servers, it pisses me off enough that my bosses don't understand the level of intelligence required to properly administer large systems. Now I have Microsoft saying to the top Chiefs in orgs basically that you can get your Microsoft sys admins much cheaper than Unix admins.

    Gee, thanks a lot.

    So you get what you pay for. You drive down the perceived value of a Microsoft sys admin and you fill these positions with poorly trained or MCSE certified test takers with no real grasp of the larger issues involving administering *any* IT site.

    Any competent sys admin would ensure crap like this doesn't happen, no matter what the OS is.

    And if the gap in pay and value between Unix and Windows sys admins is widened, who in their right mind coming out of a CS degree in college (not some fly-by-night certification course) is going to want to use their training to specialize in the market that pays the least?

    1. Re:Untrained Microsoft Sys Administrators... by Anonymous Coward · · Score: 4, Interesting

      > So you get what you pay for. You drive down the perceived value of a Microsoft sys adm

      Unfortunately, your case doesn't hold so much water.

      Back in the day, pro-MS admins pushed Windows when it was obviously a poor choice. You (plural) won, your political agenda cost any number of people trying to do good work stature in their careers, you toppled competitors, and your favorite OS "won". You collectively fought that battle, actually more a multitude of personal power-play agendas, blindly, and at a great cost to very many people. Now, it's clear to a bazillion wannabes what game they have to play - Windows.

      Your market is saturating, and your salaries are being adjusted to match. Next time, be more careful when you (again, collectively) foul mouth competing technologies in which you have no knowledge.

      Competent admins, in any OS, are fixed at maybe 10% of all admins available. Economics are based on supply and demand, not, ever, "getting what you pay for". When there are 2 people for every 1 job, you can expect lower pay no matter how good those 2 people are.

      > who is going to want to use their training to specialize in the market that pays the least

      Good question. The Monopoly lives, so it is now (by definition) the only game in town. The only competitor apparent is "Free Software", and that pays even less.

      Having done a number of TCO studies in my time, the pro-MS types that fought to advance their power base by pushing MS, only shunted administrative dollars to MS. Admin cost of *NIX are higher, but not so much so as the costs shunted to MS license fees.

      So, typical 10000 person Corp paid upwards of US $20 million to upgrade to W2K. That's a lot of dollars that are no longer available to admins like you (singular).

      Not to be so hard on you... Computers are by their very design intended to capture "improvement" through automation, and retain that automation for the express purpose of permanently "disposing" of the entire related (paid) labor force. Administration is one area that can be vastly "improved" using automation. If we look at "appliances" we see they can, in fact, be improved to require nearly zero admin. Sooner, or later, they will reach that goal and render their keepers redundant.

      Computers only need "one good soul" to carefully explain to them "how it's done". After that, a paid labor force is no longer needed to accomplish that goal. Today's IT "market" is based almost exclusively on the inefficiencies of its youth. But, markets are designed to eliminate inefficiencies as quickly as possible, and your dwindling salary is a manifestation of them doing so.

      So, getting into computers is NOT such a wise career choice for people of college age. The number of "computer people" needed will be falling dramatically over the next decade. Good money now, but there just isn't the 40 year horizon one needs to call it a career.

    2. Re:Untrained Microsoft Sys Administrators... by HiThere · · Score: 4, Insightful

      Truthfully, I'm surprised that the career of computer programmer has lasted as long as it has. (N.B.: I didn't say sys admin.)

      OTOH, the job has changed significantly in that time frame. I attribute its longevity to the slowdown produced by the MS monopoly. (And, to an extent, I'm a bit grateful, in a guilty kind of way.) VisiCalc was the handwriting on the wall.

      However, this has just meant that the activity has shifted to a higher level. Now languages are expected to contain things like GUI building toolkits, or even full GUI builders. (Glade is an example here. It's relatively easy to add the ability to read the Glade XML file to a language.) N.B.: A language here is including not only the core features, but also the default libraries (e.g., Swing or AWT).

      I am less aware of the trends in system administration, but I assume that the same path is being followed. The early tools are clearly sub-optimal, but as time goes on they improve. They'd better. The ones that don't will fail to reproduce successfully.

      System administrators need to adapt to the changing environment. So do programmers. Both paths have a finite duration. (I.e., when computers start to manifest "common sense" the handwriting will be on the wall. Bloat be damned!)

      Once upon a time I did a forecast of future employment trends (as a kind of academic exercise). I wrote it up as a paper titled "Be a garbage man". This was based on expected duration of the professions that I considered. Management is in a peculiar position here. The formal decision making that the managers engage in is clearly something that they are incompetent at. But if there isn't a person on the top of the pyramid, many people get quite upset. Thus, ignoring for the minute the obvious advantage a manager at the top has toward job presentation, human nature seems to ensure that the top of the pyramid will be a person. Possibly a figurehead (one can hope?), but a person.

      If one includes political considerations this whole projection thing becomes a lot more complex. And unmanageable. But notice that whenever political considerations enter the technical folk tend to get the short end of the stick (because they don't pay enough attention). This means you!

      Don't expect any job that you take to last for 20-40 years. At least not without evolving into something you wouldn't have recognized at the beginning. Any job.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  9. MS-DOS by sarcast · · Score: 5, Funny

    Hasn't MS had this around for a while now?

    They even called it MS-DOS...oh wait, that was Disk Operating System...nevermind.

  10. Re:Same bug on two different OS's by ckd · · Score: 4, Informative
    > I wonder who copied whose code?

    It's not the same bug. Windows, by default, is trying to put its name into the MS Active Directory stuff, which is implemented using Dynamic DNS. The Mac OS 9 systems only try to do this if you have either TCP/IP Personal File Sharing or Personal Web Sharing enabled--which both default to off...and even if you turn on File Sharing the TCP/IP connectivity defaults to off.

  11. Re:How to Fix? by sabi · · Score: 5, Informative

    On the Mac, disable the "DNSPlugin" Network Services Location plugin, in the Extensions folder. This applies only to Mac OS 9.0 through 9.2.2; the 8.5-8.6 version of NSL didn't have DNS update support (it answered SLPv1 broadcasts only, and might have registered with a SLP DA, I don't remember); the OS X version of NSL doesn't have it either.

    Also note that this registration does not happen always on the Mac, only if you enable network servers that use NSL (primarily the personal AFP/file sharing and Web sharing services). I've never enabled them, so I've never seen this.

    Another thing to do is just set your domain so it's one whose nameservers you control :-)

  12. Block RFC1918 addresses at your border... by ipsuid · · Score: 5, Informative

    To quote from RFC1918:

    > It is strongly recommended that routers which connect enterprises to external networks are set up with appropriate packet and routing filters at both ends of the link in order to prevent packet and routing information leakage. An enterprise should also filter any private networks from inbound routing information in order to protect itself from ambiguous routing situations which can occur if routes to the private address space point outside the enterprise.

    If you are connecting your internal LAN using a private address space (10/8, 172.16/12, or 192.168/16) you are obviously using a firewall or router configured with NAT.

    These need to be configured correctly for many different reasons, including the prevention of the effect mentioned in this article... Add null routes, or packet filter rules for any outgoing packets containing a destination falling in the RFC1918 address space. Also do the same for the incoming packets. By not doing this, you are flooding your upstream provider (in this case the root DNSs) with tons of bogus *(^@.

    A few years ago I was lead engineer for a wireless internet company. Our clients were provided with a raw connection, just as if they had gotten a T1. After doing a week long network audit shortly after starting there, I was amazed to find that over 80% of our customer base had internal configuration problems with their NAT setups. Sniffing on the network, I got to see everything from MS Browse messages, DHCP requests, Netware "burbs", and tons of other stuff that should have never left their LANs.

    I finally ended up installing firewalls at each POP site, just to dump out the extra junk... Our network speed increased by over 20% just blocking this nonsense at the POP (tower site) and keeping it from coming over our wireless backbone connections... On a typical 16MB/s link that's over 3MB/s of bandwidth we saved.

    --
    It appears Ockham lost his razor and grew a beard.
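Here is an added example (not the poster's configuration) that writes the border policy recommended above as a testable decision function: no RFC 1918 address crosses the border in either direction, and, following the earlier firewall comment, only the site's own resolver may send DNS to the outside. The resolver address and the sample packets are constructed; 203.0.113.0/24 is a documentation range standing in for "the Internet", and 203.0.113.1 stands in for a root server.

```python
"""Border filter policy for a NATted LAN, as a testable decision function.

Added example, not from the post. It encodes the RFC 1918 filtering
rules (no private addresses crossing the border in either direction)
together with the rule that only the site's own resolver talks DNS to
the outside. The resolver address and the sample packets are
constructed; 203.0.113.0/24 stands in for "the Internet".
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
INTERNAL_RESOLVER = ip_address("192.168.1.53")   # assumed site resolver
DNS_PORT = 53


def is_rfc1918(addr) -> bool:
    """True if `addr` lies in 10/8, 172.16/12 or 192.168/16."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": LAN -> Internet (seen before NAT); "in": Internet -> LAN
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    dport: int


def decide(pkt: Packet) -> tuple:
    """Return ("drop" | "accept", reason); the first matching rule wins.

    Outbound packets are evaluated before NAT, so a private *source* is
    normal there; a private *destination* is not, because no route to
    RFC 1918 space exists outside the enterprise. Inbound, a private
    address on either side is leakage or spoofing and is dropped.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.direction == "out":
        if is_rfc1918(dst):
            return "drop", "RFC1918 destination would leak past the border"
        if pkt.dport == DNS_PORT and src != INTERNAL_RESOLVER:
            return "drop", "only the site resolver may send DNS outside"
        return "accept", "outbound"
    if pkt.direction == "in":
        if is_rfc1918(src):
            return "drop", "RFC1918 source from outside is leaked or spoofed"
        if is_rfc1918(dst):
            return "drop", "RFC1918 destination is not reachable from outside"
        return "accept", "inbound"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def audit(packets) -> dict:
    """Tally drop reasons over a packet list, the way a POP filter log would."""
    tally = {}
    for pkt in packets:
        verdict, reason = decide(pkt)
        if verdict == "drop":
            tally[reason] = tally.get(reason, 0) + 1
    return tally


# Constructed traffic mix: a W2K box sending its dynamic update straight
# to an outside nameserver (203.0.113.1 stands in for a root server), the
# site resolver doing the same legitimately, and some leaked private traffic.
SAMPLE_PACKETS = [
    Packet("out", "192.168.1.10", "203.0.113.1", "udp", DNS_PORT),   # misdirected UPDATE
    Packet("out", "192.168.1.53", "203.0.113.1", "udp", DNS_PORT),   # resolver, allowed
    Packet("out", "192.168.1.10", "10.0.0.5", "tcp", 445),           # private dst, leak
    Packet("in", "172.16.4.4", "203.0.113.9", "tcp", 80),            # private src from outside
    Packet("in", "203.0.113.9", "198.51.100.2", "tcp", 25),          # ordinary inbound
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} "
              f"{pkt.proto}/{pkt.dport}: {decide(pkt)}")
    print(audit(SAMPLE_PACKETS))
```

The rule order matters in the same way it does in a real filter chain: the RFC 1918 drops come first so that a misdirected update aimed at a private address is refused for the right reason, and the DNS rule catches the updates aimed at public servers, which is exactly the traffic the root servers were rejecting.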
  13. Re:Great. Yet Another Bandaid by mcrbids · · Score: 5, Informative
    Someone else said it, I'll try to say it nicely.

    Using a private "unroutable" IP address affords surprisingly little protection. Using techniques like source routing or a compromise of a trusted host, your network can be quickly and easily penetrated.

    Firewalls are needed even if you are using private addresses and NAT to access the Internet. In fact, the main reason to use NAT for a local LAN is so that your LAN IP addresses don't conflict with public addresses!

    You have to use NAT with these private addresses, or else external connectivity doesn't work. (without a public address, it's damn near impossible to determine how to get the packets back to you!) And that means some things (for example, many network games) either don't work or work in only limited fashion.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  14. CAIDA's "DNS Measurements at a Root Server" paper by mrwilsox · · Score: 5, Informative

    This problem, among with many, many others, was described in a CAIDA paper, "DNS Measurements at a Root Server." They basically ran TCPDump on root server F, and analyzed the traffic. An amazing number of invalid requests are sent all the time. It really shows how important it is for network admins to correctly set up their name services, but it also identifies problems caused by bugs in software. Very interesting read: http://www.caida.org/outreach/papers/2001/DNSMeasRoot/

  15. Frequency by rant-mode-on · · Score: 4, Funny

    How often does Win2K register these IP addresses? Is it once an hour or so, or are there really a million Win2K boxes being rebooted every hour?