stopping unauth updates

Kevin Darcy kcd at daimlerchrysler.com
Wed May 2 00:28:31 UTC 2001


With a little investigative work, it is possible to distinguish Dynamic Update
attempts coming from Win2K workstations (most likely just because of
misconfiguration or, more specifically, failure to change the default setting for
automatic client registration in DNS) from other types of Dynamic Update attempts
(which are more likely to be malicious). But I hesitate to elaborate on how to
distinguish between the two, since I don't think the burden should fall on
nameserver admins to figure this out; the burden should fall on Microsoft to
CHANGE THEIR DAMNED DEFAULT CONFIGURATION. If it takes reporting these Dynamic
Update attempts to the FBI as hacking activity, then so be it.


- Kevin

Michael Kjorling wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 319 is the PID of the process logging the message (in standard UNIX
> format, processname[pid]). Especially if you are getting the
> unauthorized updates from several IPs, I would suggest that you
> contact the administrator of the offending network and ask them to
> stop with this activity.
>
> I have seen many attempts at domain name theft by trying to send
> unauthorized DNS updates.
>
> Michael Kjörling
>
> On Tue, 1 May 2001, MegaNet Domainreg. wrote:
>
> > My logs are filled with the message below; I will be stopping this at our
> > core router. My question is, should I stop the network it's coming from, or is
> > there a better way of doing it? Also, what is 319? Is that the port #?
> >
> > named[319]: client 64.254.47.227#2874: update denied
> >
> > thanks P
>
> - --
> Michael Kjörling - michael at kjorling.com - PGP: 8A70E33E
> "We must be the change we wish to see" (Mahatma Gandhi)
>
> ^..^     Support the wolves in Norway -- go to     ^..^
>  \/   http://home.no.net/ulvelist/protest_int.htm   \/
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQA/AwUBOu7Nbyqje/2KcOM+EQKtyACfRTLQznwQ52MTaBgwGMstW2VK0nsAn2Dx
> ezePAEoExj8jHM6pDs2EonEX
> =OcX/
> -----END PGP SIGNATURE-----
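
The log format explained in the quoted reply (processname[pid], followed by the client as address#port), as an added example that is not part of the original posts: a small Python parser that counts `update denied` lines per source address, so it is clear how many sources are involved before contacting an administrator or filtering at the router. Only the first sample line comes from the thread; the other lines, the syslog prefix and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Matches the message quoted in the thread:
#   named[<pid>]: client <address>#<source port>: update denied
# search() is used so a leading syslog timestamp/hostname does not matter.
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): update denied"
)

def parse_denied(line):
    """Return (pid, client_ip, source_port) for an 'update denied' line, else None."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return int(m.group("pid")), m.group("ip"), int(m.group("port"))

def summarize(lines):
    """Count denied updates per client address and collect the source ports seen."""
    counts = Counter()
    ports = {}
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue  # not a denied-update message
        _pid, ip, port = parsed
        counts[ip] += 1
        ports.setdefault(ip, set()).add(port)
    return counts, ports

# Sample input. Line 1 is the message from the thread; the rest are constructed
# (192.0.2.0/24 is a documentation range, the syslog prefix is hypothetical).
SAMPLE = [
    "named[319]: client 64.254.47.227#2874: update denied",
    "May  1 12:00:07 ns1 named[319]: client 64.254.47.227#2875: update denied",
    "named[319]: client 192.0.2.10#1045: update denied",
    "sshd[412]: unrelated constructed line",
]

if __name__ == "__main__":
    counts, ports = summarize(SAMPLE)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} denied update(s), source ports {sorted(ports[ip])}")
```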




