On Fri, Sep 07, 2001 at 08:17:04AM -0700, Dean A. Roman wrote:
>   I'm a bit confused, and it is probably because I don't totally
>   understand how the dynamic dns updates work.

if the rejected updates are coming from a W2K machine then it has
nothing to do with dhcp-dns. it's a fault with W2K.

> 192.168.100.100 is the windows machine that checked out the IP address
> from the dhcp server(srfs1-192.168.100.20).
>
> Should update requests be coming from a dhcp client?

nope.

> How is the windows 2k dhcp client requesting a dns update?

because microsoft thought it would be a good idea for clients to be able
to update the DNS on the server, and for that stupidity to be ON by
default.

anyone but microsoft would have realised that it is insane from a
security perspective to let unauthenticated & unauthorised client
machines screw around with such a fundamental service.

this bug, btw, is particularly annoying if you host the DNS for a domain
that is similar to a well-known/popular domain...you get hit by bogus
update requests from all over the planet from moron users running W2K.
ditto if you run a dialup ISP with customers running W2K.

at first i thought this was some new kind of DNS attack, until i
realised that it was just another "innovative" new idea from Microsoft.

and there's nothing you can do about it unless you control the client
machines.


fortunately you have access to the machines on your network so it can be
disabled. look under TCP/IP settings on the W2K machine.


> Does this mean that I need to put the entire subnet range that I allow
> for dhcp checkout(192.168.100.100-255) in the acl?

not unless you want your end-users to be able to modify your DNS at
whim.

> I thought that I only had to list the dhcp server(192.168.100.20) in
> the allow-update field?

correct.

craig

-- 
craig sanders <[EMAIL PROTECTED]>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
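Added example, not part of craig's reply or anyone else's post in this thread: a small Python script that triages BIND "update denied" log lines against the policy described above (only the DHCP server, 192.168.100.20, is in allow-update) and tells rejected updaters inside the DHCP lease range 192.168.100.100-255 apart from outside sources. The log lines are constructed samples; the addresses are the ones given in the thread.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the thread: only the DHCP server may send dynamic
# updates, and leases are handed out from 192.168.100.100-255.
ALLOWED_UPDATERS = {ipaddress.ip_address("192.168.100.20")}
DHCP_RANGE = (ipaddress.ip_address("192.168.100.100"),
              ipaddress.ip_address("192.168.100.255"))

# BIND 9 "update denied" line; tolerates the "@0x..." client handle and
# "/keyname" suffix that newer versions add after the port.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?:/\S+)?: "
    r"update '(?P<zone>[^']+)' denied")

# Constructed sample log lines, not taken from the original thread.
SAMPLE_LOG = """\
07-Sep-2001 08:02:11.123 client 192.168.100.100#1044: update 'example.com/IN' denied
07-Sep-2001 08:02:11.130 client 192.168.100.100#1044: update 'example.com/IN' denied
07-Sep-2001 08:03:40.002 client 192.168.100.20#2047: update 'example.com/IN' denied
07-Sep-2001 08:05:02.901 client 203.0.113.7#3120: update 'example.com/IN' denied
07-Sep-2001 08:05:03.100 client 203.0.113.7#3120: update 'example.com/IN' denied
07-Sep-2001 08:06:00.000 zone example.com/IN: sending notifies (serial 2001090701)
"""

def classify(ip):
    """Label a rejected updater by what its address tells us."""
    if ip in ALLOWED_UPDATERS:
        return "allowed-updater-denied"   # the DHCP server itself: fix the ACL/key
    if DHCP_RANGE[0] <= ip <= DHCP_RANGE[1]:
        return "dhcp-client"              # lease holder self-registering: expected noise
    return "external"                     # anything else deserves a look

def triage(log_text):
    """Count denied dynamic updates per source and classify each source."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
    return {str(ip): {"count": n, "class": classify(ip)}
            for ip, n in counts.items()}

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:18} {info['class']:24} {info['count']}")
```

Feed it your real named log instead of SAMPLE_LOG; a steady stream of "dhcp-client" entries is the W2K self-registration noise described above, while "allowed-updater-denied" means the DHCP server's own updates are being refused and the allow-update ACL needs checking.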
