[lug] IPCHAIN rule to block dynamic update from Win2K

Nate Duehr nate at natetech.com
Thu Sep 13 18:42:07 MDT 2001


It uses the same ports as your DNS server, so if you block that you'll
be blocking DNS lookups also. 

The only way to do it is with a proxy that tears every packet apart and
checks to see if it's a remote DNS update. 

Better yet, have the moron admin running the Windows box turn them off
in the Registry.

If your CPU load is high because of them, it's probably because you're
logging all of them.  Unfortunately the only way to stop logging them on
BIND servers right now is to turn off all logging of the "security"
information in the options{} section of the config, which is probably
a Bad Thing(TM).  :-)

I've been ready to strangle a few moron Microsoft "engineers" (notice
the quotes) over this one more than once.  Not the poor schmucks who
don't know how to admin their machines, but the schmucks who added the
"feature" to DNS to tie it to DHCP updates and ALWAYS send updates
upstream to a non-participating server without making the admin TURN IT
ON.  Argh.

On Tue, Sep 11, 2001 at 08:27:22AM -0700, Stephen Smith wrote:
> I am looking for the best way to block this
> before it gets blocked by the DNS.
> 
> 
> Any Ideas?
> 
> Stephen
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.
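As an added illustration (not part of Nate's post, and not a configuration he or the list supplied), here is one way on BIND 9 to keep the "security" category logged while keeping the refused Win2K update attempts from flooding syslog: refuse updates explicitly and route the update-related categories to their own size-capped, rotating file. Assumptions: BIND 9 syntax, a writable /var/log/named/ directory, and that rejected update requests are logged under the "security" category (or "update-security" on later 9.x releases), so both are routed together.

```conf
// Added example configuration, not from the original post.
options {
    directory "/var/named";
    // Refuse RFC 2136 dynamic updates outright (this is also the
    // default); the Win2K clients get REFUSED instead of changing zones.
    allow-update { none; };
};

logging {
    // Normal operational messages still go to syslog as before.
    channel default_syslog {
        syslog daemon;
        severity info;
    };

    // Assumed path: a separate, size-limited, rotating file for the
    // update noise, so it neither fills syslog nor costs disk unbounded.
    channel update_noise {
        file "/var/log/named/updates.log" versions 3 size 1m;
        severity info;
        print-time yes;
        print-category yes;
    };

    category default { default_syslog; };

    // Keep the rest of the security category visible in syslog while the
    // update approvals/denials are diverted to the capped file.
    category update { update_noise; };
    category update-security { update_noise; };  // BIND 9.3+ only
};
```

On releases without the "update-security" category, drop that line and route "security" itself to the capped channel instead, accepting that other approval/denial messages move with it.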
