Getting "unapproved update from" slave servers

sblee at tazmania.org
Sat Sep 4 16:19:55 UTC 1999


Seems like this represents an even bigger problem. About a month and a
half ago, we started experiencing problems with our primary name
server - the #1 system listed on the Internic records. This problem
occurred on this 1 ip address, regardless of hardware system, Linux OS
version, Linux kernel version and Bind 8.1.2 and greater. I'm
currently running RH6.0 and Bind 8.2.1. Now, the problem is that we
would experience system service failures - equivalent to a DOS attack
- every time an external system would attempt an unapproved update. It
seems that the failures begin after about the 2 or 3
'door-knocking'. The only thing I could think of to stop this was to
create a 'blackhole' list. The problem with this is that I have to
continually check the name server at failure time, add the address to
the list, HUP the server. BUT it works!

All this brings me to the following: why on earth would anyone want
Dynamic DNS to be a default? Seems a big security issue if you allow
dynamic updates and additions to zones are included. Since I've been
told that W2K does dynamic DNS by default, and supposedly won't talk
to servers that only provide static DNS, where does that leave ISPs?
Somehow I don't think it's a good idea to allow others to regularly
update our servers. In the broadband industry this would get really
ugly.

So, 2 requests.
	1) Please tell me that there is a way to turn off this
	feature in the new Microsoft OS so I can inform our helpdesk.

		a) please tell me that the new Microsoft OSs will
		still play static DNS

	2) Perhaps I've overlooked a config option in Bind to prevent
	these DOS attacks?

		a) If not, how about giving us a global and zone
		option to make them go away? As I've said, all quiets
		down when I add the offending ip address to the
		blackhole list which is probably not the nicest way to
		handle things (it started out as a test) but it works.

Thanks.

On 27 Aug 1999 11:22:29 -0700, ken at gesn.com wrote:

>
>> You've probably got some NT5-betas (W2K) boxes in your net and they're
>> trying to use Dynamic DNS to register themselves. Hunt these systems
>> down and get them to stop doing this.
>
>It turns out that I am the NT5-beta in question.  Any idea how to turn
>this off in W2K (or better yet, how to uninstall NT5 without a HD
>reformat).
>
>Ken
>
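
The manual routine described in the post above (check the log at failure time, add the address to the blackhole list, HUP the server) can be scripted. The following is an added example, not part of the original thread and not BIND code: it assumes the log wording after "unapproved update from" is a bracketed IPv4 address, and the ACL name `update_knockers`, the function names and the sample lines are made up for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Only the phrase "unapproved update from" comes from the thread; the
# bracketed-address layout after it is an assumption about the log format.
PATTERN = re.compile(r"unapproved update from \[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def offenders(log_lines, threshold=2, exempt=()):
    """Return sorted source addresses seen in >= threshold unapproved updates."""
    exempt = {ip_address(a) for a in exempt}
    counts = Counter()
    for line in log_lines:
        m = PATTERN.search(line)
        if not m:
            continue
        try:
            addr = ip_address(m.group(1))
        except ValueError:
            continue  # e.g. 999.1.1.1: never copy unvalidated text into config
        if addr not in exempt:  # keep your own slave servers reachable
            counts[addr] += 1
    return sorted(a for a, n in counts.items() if n >= threshold)

def blackhole_fragment(addrs):
    """Render an ACL to reference as: options { blackhole { update_knockers; }; };"""
    body = "".join(f"    {a};\n" for a in addrs) or "    none;\n"
    return f"acl update_knockers {{\n{body}}};\n"

# Constructed sample lines using documentation address ranges, not real logs.
SAMPLE = [
    "Sep  4 16:01:02 ns1 named[412]: unapproved update from [192.0.2.10].1045 for example.com",
    "Sep  4 16:01:09 ns1 named[412]: unapproved update from [192.0.2.10].1046 for example.com",
    "Sep  4 16:02:30 ns1 named[412]: unapproved update from [198.51.100.7].2001 for example.com",
    "Sep  4 16:03:00 ns1 named[412]: unapproved update from [203.0.113.5].1100 for example.com",
    "Sep  4 16:03:01 ns1 named[412]: unapproved update from [203.0.113.5].1101 for example.com",
    "Sep  4 16:03:05 ns1 named[412]: unapproved update from [999.1.1.1].53 for example.com",
    "Sep  4 16:04:00 ns1 named[412]: constructed line that does not match",
]

if __name__ == "__main__":
    # 203.0.113.5 plays the role of one of our own slave servers here.
    print(blackhole_fragment(offenders(SAMPLE, exempt=["203.0.113.5"])), end="")
```

The exempt list matters because blackholing an address stops the server from answering it at all, so a slave server that ends up in the list also loses its zone transfers.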


