Craig, Thanks for all the info. It's amazing what Microsoft will try to pass off as a feature while the whole time opening up your entire DNS structure to the whims of any user out there.
Anyway, back to the problem at hand: Will turning this "feature??" off in Win2K allow the dhcp-dns scripts in linux to update bind? How do I fix the problem of dhcp-dns not updating bind? Is it related to the win2K "feature??"

Thanks for all the help and info.,
---Dean.

Craig Sanders wrote:
> On Fri, Sep 07, 2001 at 08:17:04AM -0700, Dean A. Roman wrote:
> > I'm a bit confused, and it is probably because I don't totally
> > understand how the dynamic dns updates work.
>
> if the rejected updates are coming from a W2K machine then it has
> nothing to do with dhcp-dns. it's a fault with W2K.
>
> > 192.168.100.100 is the windows machine that checked out the IP address
> > from the dhcp server(srfs1-192.168.100.20).
> >
> > Should update requests be coming from a dhcp client?
>
> nope.
>
> > How is the windows 2k dhcp client requesting a dns update?
>
> because microsoft thought it would be a good idea for clients to be able
> to update the DNS on the server, and for that stupidity to be ON by
> default.
>
> anyone but microsoft would have realised that it is insane from a
> security perspective to let unauthenticated & unauthorised client
> machines screw around with such a fundamental service.
>
> this bug, btw, is particularly annoying if you host the DNS for a domain
> that is similar to a well-known/popular domain...you get hit by bogus
> update requests from all over the planet from moron users running W2K.
> ditto if you run a dialup ISP with customers running W2K.
>
> at first i thought this was some new kind of DNS attack, until i
> realised that it was just another "innovative" new idea from Microsoft.
>
> and there's nothing you can do about it unless you control the client
> machines.
>
> fortunately you have access to the machines on your network so it can be
> disabled. look under TCP/IP settings on the W2K machine.
>
> > Does this mean that I need to put the entire subnet range that I allow
> > for dhcp checkout(192.168.100.100-255) in the acl?
>
> not unless you want your end-users to be able to modify your DNS at
> whim.
>
> > I thought that I only had to list the dhcp server(192.168.100.20) in
> > the allow-update field?
>
> correct.
>
> craig
>
> --
> craig sanders <[EMAIL PROTECTED]>
>
> Fabricati Diem, PVNC.
> -- motto of the Ankh-Morpork City Watch
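Added example, not part of the original thread or of the dhcp-dns scripts: a small audit that reads BIND zone stanzas and flags any `allow-update` entry admitting a host other than the DHCP server, which is the point settled in the exchange above. The zone names and the sample configuration are constructed; the addresses are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample named.conf text. Zone names are placeholders; the
# addresses are the ones quoted in the thread.
SAMPLE_CONF = '''
zone "example.lan" {
    type master;
    file "db.example.lan";
    allow-update { 192.168.100.20; };
};
zone "100.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.100";
    allow-update { 192.168.100.20; 192.168.100.0/24; };
};
'''

DHCP_SERVER = ipaddress.ip_address("192.168.100.20")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}', re.S)

def audit_allow_update(conf_text, dhcp_server=DHCP_SERVER):
    """Return {zone: [findings]} for allow-update entries that admit
    any host other than the DHCP server. An empty list means clean."""
    report = {}
    for zone, body in ZONE_RE.findall(conf_text):
        findings = []
        m = UPDATE_RE.search(body)
        entries = m.group(1).replace(";", " ").split() if m else []
        for entry in entries:
            if entry == "none":
                continue
            if entry == "any":
                findings.append("any: every host may send updates")
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:  # named acl, key, negation: not resolved here
                findings.append(f"{entry}: not an address, check by hand")
                continue
            if net.num_addresses > 1 or net.network_address != dhcp_server:
                findings.append(f"{entry}: admits hosts other than {dhcp_server}")
        report[zone] = findings
    return report

if __name__ == "__main__":
    for zone, findings in audit_allow_update(SAMPLE_CONF).items():
        print(zone, "OK" if not findings else findings)
```

A zone with no `allow-update` statement is reported clean, since no entry grants update rights to any host.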