New worms, virii, and broken DNS
Like so many other businesses, my employer has been hammered by Sobig and Blaster. All the admins have been busy kicking the infected off the network and making sure everyone has the latest patches.

And IT is run by very pro-MS people. Our local admin doesn't like it, but almost all of the servers are MS crap, including DNS and DHCP (which is what this piece is all about).

So Friday, our admin sent out a list of computer names and corresponding IP addresses that weren't patched. And the name of my Windows machine was on the list! I went "What?! I double checked my patches earlier and all was in order!". Then I noticed the IP address by my computer name. My machine hadn't had that IP address in ages.

Most computers get their IP addresses from DHCP, and DNS is supposed to be updated with the DHCP lease. But DNS reverse lookups at work have been, and continue to be, total garbage. Forward DNS will point to the correct machines, but reverse DNS points to some random machine that had the IP address god only knows how long ago. (As an example, my only Windows machine gets its address through DHCP, but has had the same address for months. Reverse lookup yields the name of someone else's computer. And reverse lookup of that IP yields another bogus entry and so on.)

So, now our poor admin has to track things down using physical ports. Windows is certainly keeping all of the admins in this company busy.

Dave "LordBeatnik"
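
An added example, not part of the original post: a forward-confirmed reverse DNS check over constructed zone data, showing how a stale PTR record puts the wrong computer name beside an IP address on a list like the one described above. All host names and addresses are hypothetical, and one A record per host is assumed.

```python
# Constructed sample data (hypothetical hosts and addresses, not from the thread).
FORWARD = {  # A records: host name -> address it holds now
    "dave-pc": "10.0.0.23",
    "alice-pc": "10.0.0.41",
    "bob-pc": "10.0.0.57",
}
REVERSE = {  # PTR records: address -> host name
    "10.0.0.23": "alice-pc",  # stale: dave-pc holds this address now
    "10.0.0.41": "bob-pc",    # stale: alice-pc holds this address now
    "10.0.0.57": "bob-pc",    # consistent with the forward zone
    "10.0.0.99": "dave-pc",   # stale: an address dave-pc gave up long ago
}


def audit_ptr(forward, reverse):
    """Return {ip: (ptr_name, current_owner_or_None)} for every PTR record
    whose name does not resolve back to the same address."""
    owner = {ip: name for name, ip in forward.items()}
    stale = {}
    for ip, ptr_name in reverse.items():
        if forward.get(ptr_name) != ip:
            stale[ip] = (ptr_name, owner.get(ip))
    return stale


def attribute(ips, forward, reverse):
    """Name the host behind each flagged address, trusting a PTR record only
    when the forward zone confirms it. None means the name is unknown and
    the address has to be traced another way (DHCP lease, switch port)."""
    owner = {ip: name for name, ip in forward.items()}
    named = {}
    for ip in ips:
        ptr_name = reverse.get(ip)
        if ptr_name is not None and forward.get(ptr_name) == ip:
            named[ip] = ptr_name
        else:
            named[ip] = owner.get(ip)
    return named


if __name__ == "__main__":
    for ip, (ptr_name, current) in sorted(audit_ptr(FORWARD, REVERSE).items()):
        print(f"{ip}: PTR says {ptr_name}, forward zone says {current}")
    print(attribute(["10.0.0.99", "10.0.0.23"], FORWARD, REVERSE))
```
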
New Re: worms, virii, and broken DNS
as a Windows admin, I'd appreciate some more details
server OS
desktop OS

thanks

A
Play I Some Music w/ Papa Andy
Saturday 8 PM - 11 PM ET
All Night Rewind 11 PM - 5 PM
Reggae, African and Caribbean Music
[link|http://wxxe.org|Tune In]
New Win2k mostly

The server is some version of Win2k. Most clients are win2k but maybe a 1/3 are linux, NT4, win2k3, SCO Eunuchs, and even OS/2. Most of these machines are dual boot (or more) with windows.

Dave "LordBeatnik"
New gawd, sheesh
-drl
New This explains things a bit about that Dell incident
where one of our own was accused of Internet abuse and a listing of IP addresses that were not his, were used as evidence. Obviously one of those might used to have been his, but might actually point to someone else's box if this same mistake was made in DNS.



"Lady I only speak two languages, English and Bad English!" - Corbin Dallas "The Fifth Element"

New This isn't about broken DNS.
This is about a WINS server that's gone to la-la land and is no longer updating the DNS server.


Peter
[link|http://www.debian.org|Shill For Hire]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Blog]
New Re: This isn't about broken DNS.
Interesting...I try and deal with the evils of WINS as little as possible so I know nothing of its interactions with the MS DNS server.


It's just weird that forward lookups consistently work but reverse lookups seem to be set once and stuck until manually cleared.


Dave "LordBeatnik"