Logging dynamic update requests

Jim Reid jim at mpn.cp.philips.com
Wed Aug 18 12:01:23 UTC 1999

>>>>> "Levon" == Levon Esibov (Exchange) <levone at Exchange.Microsoft.com> writes:

    Levon> I'd like to ask whether it is possible to turn off
    Levon> logging of the dynamic update requests on BIND servers? It
    Levon> also may make sense to have the logging of unauthorized
    Levon> dynamic updates off by default.

The logging subsystem of BIND8 can be configured to do whatever the
admin wants with dynamic update requests. If he/she wants them thrown
in the bit bucket, they can choose to do so. Just have them send all
messages in the update category to the null channel.

Personally, I want these requests logged by default. For one thing, it
tells me who's doing unauthorised things with W2K - the source of most
of the requests our name servers get. It also alerts me to people or
software that are trying to do naughty things to the DNS. [Like change
the contents of a zone without permission.] For these reasons, the
default action of logging these requests is reasonable and sensible.

For me, changing this behaviour makes no sense at all. Why doesn't
Microsoft stop using Dynamic Updates in W2K by default? :-) This is
just as reasonable as asking the BIND folks to change their code so
that by default it ignores an obvious security problem.
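
The two choices discussed in the message above, written out as a BIND 8 `logging` statement. This is an added example, not part of the original post; the channel name `update_log`, the file path and the rotation settings are assumptions chosen for illustration.

```conf
// named.conf (BIND 8 syntax) -- added example, not from the original post.
// A category may be defined only once, so pick ONE of the two
// "category update" lines below.

logging {
    // Dedicated channel so dynamic update messages are kept apart from
    // the rest of the server log and are easy to review.
    // Channel name and path are assumptions for this example.
    channel update_log {
        file "/var/log/named-update.log" versions 5 size 10m;
        severity info;          // keep info and above
        print-time yes;         // timestamp each entry
        print-category yes;     // tag each entry with its category
        print-severity yes;     // tag each entry with its severity
    };

    // Option A: keep the messages in the update category, but in
    // their own file.
    category update { update_log; };

    // Option B: what the original question asked for. Send the update
    // category to the predefined "null" channel, which discards
    // everything routed to it.
    // category update { null; };
};
```

With Option A the update messages stay available for review without filling the main log; Option B silences them completely.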

