
Re: dhcp-dns problem



Craig,

   Thanks for all the info.  It's amazing what Microsoft will try to pass off as
a feature while the whole time opening up your entire DNS structure to the whims
of any user out there.

Anyway, back to the problem at hand:

   Will turning this "feature??" off in Win2K allow the dhcp-dns scripts in
linux to update bind?
   How do I fix the problem of dhcp-dns not updating bind?  Is it related to the
win2K "feature??"


Thanks for all the help and info,
   ---Dean.







Craig Sanders wrote:

> On Fri, Sep 07, 2001 at 08:17:04AM -0700, Dean A. Roman wrote:
> >   I'm a bit confused, and it is probably because I don't totally
> >   understand how the dynamic dns updates work.
>
> if the rejected updates are coming from a W2K machine then it has
> nothing to do with dhcp-dns. it's a fault with W2K.
>
> > 192.168.100.100 is the windows machine that checked out the IP address
> > from the dhcp server(srfs1-192.168.100.20).
> >
> > Should update requests be coming from a dhcp client?
>
> nope.
>
> > How is the windows 2k dhcp client requesting a dns update?
>
> because microsoft thought it would be a good idea for clients to be able
> to update the DNS on the server, and for that stupidity to be ON by
> default.
>
> anyone but microsoft would have realised that it is insane from a
> security perspective to let unauthenticated & unauthorised client
> machines screw around with such a fundamental service.
>
> this bug, btw, is particularly annoying if you host the DNS for a domain
> that is similar to a well-known/popular domain...you get hit by bogus
> update requests from all over the planet from moron users running W2K.
> ditto if you run a dialup ISP with customers running W2K.
>
> at first i thought this was some new kind of DNS attack, until i
> realised that it was just another "innovative" new idea from Microsoft.
>
> and there's nothing you can do about it unless you control the client
> machines.
>
> fortunately you have access to the machines on your network so it can be
> disabled. look under TCP/IP settings on the W2K machine.
>
> > Does this mean that I need to put the entire subnet range that I allow
> > for dhcp checkout(192.168.100.100-255) in the acl?
>
> not unless you want your end-users to be able to modify your DNS at
> whim.
>
> > I thought that I only had to list the dhcp server(192.168.100.20) in
> > the allow-update field?
>
> correct.
>
> craig
>
> --
> craig sanders <cas@taz.net.au>
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch

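One way to answer Dean's second question (is the dhcp-dns failure related to the W2K behaviour?) is to sort the "update denied" lines in the BIND log by where they come from. The script below is an added example, not code from the thread or from dhcp-dns; the denied-update message shape and the sample syslog lines are assumed and constructed, and the addresses (192.168.100.20 as the DHCP server, 192.168.100.100-255 as the client pool) are the ones given in the thread.

```python
import ipaddress
import re
from collections import Counter

# Addresses named in the thread: the DHCP server running dhcp-dns is the only
# host that should be sending updates; the pool 192.168.100.100-255 is handed
# out to clients, including W2K boxes that try to register themselves.
DHCP_SERVER = ipaddress.ip_address("192.168.100.20")
DHCP_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("192.168.100.100"),
    ipaddress.ip_address("192.168.100.255")))

# Assumed shape of BIND's "update denied" message, used to match the samples.
DENIED_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied")

# Constructed sample syslog lines, not taken from the thread.
SAMPLE_LOG = """\
Sep  7 08:17:04 srfs1 named[1042]: client 192.168.100.100#1039: update 'example.com/IN' denied
Sep  7 08:17:05 srfs1 named[1042]: client 192.168.100.20#53: update 'example.com/IN' denied
Sep  7 08:18:31 srfs1 named[1042]: client 192.168.100.171#1044: update 'example.com/IN' denied
Sep  7 08:19:02 srfs1 named[1042]: client 10.0.0.5#2001: update 'example.com/IN' denied
Sep  7 08:19:40 srfs1 named[1042]: zone example.com/IN: loaded serial 2001090701
"""


def classify(line):
    """Return the source class of a denied update, or None for other lines."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    if ip == DHCP_SERVER:
        return "dhcp-server"   # the real updater is refused: allow-update side
    if any(ip in net for net in DHCP_POOL):
        return "dhcp-client"   # client self-registration (W2K default)
    return "other"             # neither: worth a closer look


def summarize(log_text):
    """Count denied updates per source class over a block of log text."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)


if __name__ == "__main__":
    for cls, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{cls}: {n}")
```

Denials counted under "dhcp-server" mean the allow-update ACL (or the update path dhcp-dns uses) is wrong on the server side; "dhcp-client" entries are the noise Craig describes and go away once the clients stop registering themselves.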