From owner-freebsd-security Tue Aug 17 16:41: 3 1999
Delivered-To: freebsd-security@freebsd.org
Received: from tgn2.tgn.net (tgn2.tgn.net [205.241.85.2]) by hub.freebsd.org (Postfix) with ESMTP id BD23A14DBB; Tue, 17 Aug 1999 16:40:49 -0700 (PDT) (envelope-from butlermd@tgn.net)
Received: from dial122.tgn.net (dial122.tgn.net [205.241.85.52]) by tgn2.tgn.net (8.9.3/8.8.8) with SMTP id SAA07371; Tue, 17 Aug 1999 18:44:24 -0500 (CDT)
From: butlermd@tgn.net (Michael Butler)
To: , list@inet-access.net, freebsd-isp@freebsd.org, freebsd-security@freebsd.org
Subject: Re: tzo dynamic DNS
Date: Tue, 17 Aug 1999 18:36:22 -0500
Organization: Texas GulfNet
Reply-To: butlermd@tgn.net
Message-ID: <37c9d331.222705972@mail.tgn.net>
References:
In-Reply-To:
X-Mailer: Forte Agent 1.5/32.451
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hokay, boys and girls, turn your channel if you don't like the long mushy ones ;->

It's time to summarize because I'm satisfied. There are different opinions for different reasons and that is to be expected. It was human nature for me to react to the unknown, perceived as threat.

My original post was simple if somewhat knee-jerk.

>On Wed, 11 Aug 1999 12:58:51 -0500, I wrote:
>This may be old stuff but is anyone getting dns mods from tzo.com
>hijacking ip addresses to their domains?
>
>What do we do about it?
>
>see www.tzo.com
>
>They're about to be cut off at the FW
>TIA

Turns out the danger was there, not because TZO presented one though. I had simply sat on an ancient BIND wayyyy too long.

Thanks to "Mitch Vincent" who hit the nail on the head.

--Date: Thu, 12 Aug 1999 08:40:28 -0400
--Older versions of BIND allow for cache modification remotely, that
--might be what you're running into, you better upgrade, there are
--other serious security holes in those versions too.
---Mitch

Mitch looked at it like me as a potential problem but Mitch, in a mature manner eschewed emotional or selfish conversation.

Some folks acted like I am an idiot (at least a debatable concept, heh) by being concerned about a legitimate entity that provides a legitimate service within the Internet framework, read "TZO was resourceful" as well as harmless.

I then focused back on the symptoms with a later post.

>Anybody had problems with Sendmail anti spam, fwd/reverse DNS
>mismatches? I *think* that was what we saw.

Mitch however, had this covered in the BIND problem. We've brought BIND, sendmail, Apache, and some other stuff into the present as a result of this thread, thanks to all.

OTOH, there were folks like myself who regarded this as manipulation of my DNS and IP space. I still feel funny that someone could *modify* my configuration at least in the eyes of other DNS servers on the 'Net. Not having total control is also human nature, I'll get over it.

---------------

Since 1994 I've enjoyed Michael Dillon's posts right here at inet-access among other places. This belongs (if not already stated) in Boardwatch for ISP exposure.

Please note that if you ban servers then you are banning anything that works like a telephone set. A telephone hogs the line 24 hours a day but uses no bandwidth unless a call is in progress. But because it *IS* hogging that line, the telephone is able to ring and announce an incoming call. With convergence of the Internet and telephony services, any ISP who has not structured their business to deal with always-on services will be at a disadvantage.

So don't ban servers because that is a sleazy way of sidestepping the issue and users will hate you for it. Let them run all the servers they want as long as they understand that they will pay excess charges for being online too long or using too much bandwidth. Rig your systems so that users can opt for being cut off by the system rather than incurring excess charges.
Basically, keep your customers happy, give them what they want, and charge a fee that covers your costs and makes you a profit.

Views like this, backing up into the shotgun formation so you can see the field and responding quickly, is what keeps independent ISPs in business whilst the big boys hammer away with their inherent strength *and* weaknesses.

--

Finally, what sealed it for me was a message from Eric McIntyre:

From: "Ericm"
Date: Tue, 17 Aug 1999 14:44:38 -0400

>If you are unhappy that your users are using our service, you should place
>something about dynamic dns in your terms of service agreement.

Agreed, I had to learn more about you.

>The
>newsgroups are not the place to complain about us, you should complain to
>your users that are abusing your service. If you offer either static IP
>addresses at low prices, or offered dynamic dns options to them, they
>wouldn't need our services.

OK, this ain't a newsgroup is it? We're all mature ISPs, right? I had a problem to solve. I had to do like the dogs and "bow-up" until we sniffed each other's butts. As I said defense from the unknown is the human response. Several responses thought I was lame in my thoughts that you were a threat. Others saw it like I did... another hurdle to overcome.

I have thought in the past about the third level, like customer.tgn.net I'm still looking at your stuff. From what I understand this now it looks like your methods may work for me too. I'll continue to read your information to see how you operate. I may be a customer or affiliate of yours too.

>We have no control over the content or the terms of service agreements that
>the users sign. They choose our services because they typically have a need
>that their ISP will not help them with.

I didn't escalate or feed the AUP fight. I had old BIND seems to be the core of my problem. I am pretty liberal with my hours. I posted a mushy response to Michael Dillon that talks a little about this.
>thanks

Thanks to you, I may be in touch after I get a chance to resurface for air.

===================
===================

Philosophical summary:

...back up from the shotgun formation, into the stands where you see it's just a game, you paid to get in, and we're just here for a good time

I hope our team ISPs and other independents win. When it's all over (Y2k, heh) we all go home and get on with life.

Overall, I was pleased to see this thread turn into the epitome of what the old Internet was about. I was concerned, asked a question to the vast unpaid research department, and got many answers.

Distilling that info I came about my decision. Mine was different from other readers for different reasons. Different folks come and go reading the same words and go away with different ideas. I pray that never changes.

I got on "da 'Net" rather late in 1994 but appreciate and admire the way the 'Net was and *how* it was built and by whom.

These days, though we seem to be paranoid from all angles. Black hat hackers are more numerous, we now have to watch for commercial threats ( big boys and less than moral or ethical opportunists), legal potholes (and black holes) all around the "Information Superhighway", and finally the government is redefining history... again. (lest anarchy get a good name I guess)

For the latter though, I realize in this case changing history <"doublespeak" -- Orwell> was just campaign loose-lip. I found this cute:

Al Gore's claim to creating the Internet is still creating some zingers from Republicans.
The latest is from Dan Quayle making light of his potato misspelling - "If Al Gore created the Internet, then I invented the spell-check."
-- http://www.swickey.com/archive/3-16-99.html

peace
____________________________________________________________
Michael Butler, Texas GulfNet,      | www.tgn.net
908 South Brooks, PO Box 2089       |
Brazoria, TX 77422-2089             | Voice 409-798-NETT
Part of the Pointecom International | FAX 409-798-6398
Network and the Global Internet     |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message