Send dhcp-users mailing list submissions to dhcp-users@lists.isc.org
Today's Topics:

   1. Re: ISC DHCPv6-BIND9 DDNS update problem (Mirsad Goran Todorovac)
   2. Re: ISC DHCPv6-BIND9 DDNS update problem (Simon)

----------------------------------------------------------------------

Message: 1
Date: Fri, 10 Jun 2022 15:11:57 +0200
From: Mirsad Goran Todorovac <mirsad.todoro...@alu.unizg.hr>
To: dhcp-users@lists.isc.org
Subject: Re: ISC DHCPv6-BIND9 DDNS update problem
Message-ID: <7a863a1c-a637-4a5f-6b8b-c2b83cba1...@alu.unizg.hr>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 9.6.2022. 16:50, Simon wrote:
> Mirsad Goran Todorovac <mirsad.todoro...@alu.unizg.hr> wrote:
>> It seems that I have identified the culprit. Our subnet has 6 rogue DHCPv6
>> servers according to this nmap scan:
>
> Yeah, that would do it. Time to get out the clue bat, or "clue by four", and
> start some user education :D

Well, that would displease the Heavens above. Certainly, the Author of my story wants me to persevere in longsuffering of the ignorant. The narrow path ;-)

> But more seriously, on a network of any size, and especially if using RAs to
> trigger use of DHCP for address assignment, your network infrastructure
> should at the very least alert you to rogue DHCP servers - and preferably
> block them (by filtering the packets) at the edge switch ports. Without that,
> as you've experienced, anyone can start up a rogue service - whether
> accidentally or maliciously.
> The same applies to RAs - without rogue detection and isolation, anyone can
> break your network and/or hijack traffic.

Unfortunately, I am not even the admin of all those net segments and rogue devices. I might be simply out of luck with this one.

As Al Pacino said once, "Nobody wins 'em all!"

Kind regards,
Mirsad

--
Mirsad Todorovac
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
--
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu

------------------------------

Message: 2
Date: Fri, 10 Jun 2022 18:14:12 +0100
From: Simon <dh...@thehobsons.co.uk>
To: Users of ISC DHCP <dhcp-users@lists.isc.org>
Subject: Re: ISC DHCPv6-BIND9 DDNS update problem
Message-ID: <7dbe8d7e-7b26-4d83-ba6c-a871e9a30...@thehobsons.co.uk>
Content-Type: text/plain; charset=utf-8

Mirsad Goran Todorovac <mirsad.todoro...@alu.unizg.hr> wrote:

>> But more seriously, on a network of any size, and especially if using RAs to
>> trigger use of DHCP for address assignment, your network infrastructure
>> should at the very least alert you to rogue DHCP servers - and preferably
>> block them (by filtering the packets) at the edge switch ports. Without
>> that, as you've experienced, anyone can start up a rogue service - whether
>> accidentally or maliciously.
>> The same applies to RAs - without rogue detection and isolation, anyone can
>> break your network and/or hijack traffic.
>
> Unfortunately, I am not even the admin of all those net segments and rogue
> devices. I might be simply out of luck with this one.

Presumably you know the network admins who are responsible for those segments? And presumably there must be a person or group which oversees the network as a whole (subnets/prefixes etc)? Just letting everyone "do their own thing" without central planning is a recipe for disaster.

So you need to go to them and point out what the problem is, and what needs to be done to fix it.

Of course, if they don't want to then you're down to internal politics and potentially you end up reporting back to management that you can't implement what's asked for because others are actively sabotaging the network (that's how I'd describe it if supposed network admins are doing nothing to deal with rogue services like this.)

Simon

------------------------------

End of dhcp-users Digest, Vol 164, Issue 21
*******************************************
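
The alerting half of the rogue-server detection discussed in this thread, as an added example that is not code from either poster or from ISC: it parses captured DHCPv6 UDP payloads and flags server-to-client messages whose Server Identifier DUID is not on an allowlist, the same decision a DHCPv6-Shield (RFC 7610) switch port makes by port instead of by DUID. The packets, DUIDs and addresses are constructed, and the function names are hypothetical.

```python
import struct

# DHCPv6 message types that only a server sends towards clients (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE"}
OPTION_SERVERID = 2

def server_duid(payload: bytes):
    """Return (message name, server DUID hex or None) for a server-to-client
    DHCPv6 message; None for client messages and malformed input."""
    if len(payload) < 4 or payload[0] not in SERVER_MSG_TYPES:
        return None
    name, pos, duid = SERVER_MSG_TYPES[payload[0]], 4, None  # skip type + 3-byte xid
    while pos + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if pos + length > len(payload):
            return None  # option runs past the end of the packet: malformed
        if code == OPTION_SERVERID:
            duid = payload[pos:pos + length].hex()
        pos += length
    return name, duid

def find_rogues(packets, authorized_duids):
    """packets: iterable of (source address, UDP payload). Returns one alert per
    server message whose Server Identifier is missing or not authorized."""
    alerts = []
    for src, payload in packets:
        parsed = server_duid(payload)
        if parsed and parsed[1] not in authorized_duids:
            alerts.append((src, parsed[0], parsed[1]))
    return alerts

def _msg(msg_type, duid=None):
    # Constructed sample: type, dummy transaction id, optional Server Identifier.
    body = bytes([msg_type]) + b"\xab\xcd\xef"
    if duid is not None:
        body += struct.pack("!HH", OPTION_SERVERID, len(duid)) + duid
    return body

# Constructed DUIDs (DUID-LL, hardware type 1) and link-local source addresses.
GOOD = bytes.fromhex("00030001020000000001")
ROGUE = bytes.fromhex("000300010200000000ff")
SAMPLE = [
    ("fe80::1", _msg(2, GOOD)),     # authorized server's ADVERTISE
    ("fe80::bad", _msg(2, ROGUE)),  # unknown server's ADVERTISE
    ("fe80::c", _msg(1)),           # client SOLICIT, ignored
    ("fe80::bad", _msg(7, ROGUE)),  # unknown server's REPLY
]

if __name__ == "__main__":
    for src, name, duid in find_rogues(SAMPLE, {GOOD.hex()}):
        print(f"rogue DHCPv6 {name} from {src}, server DUID {duid}")
```

A DUID allowlist only supports alerting, since a deliberate impostor can copy the legitimate server's DUID; blocking still belongs at the edge switch ports, as the thread says.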