[97434] in North American Network Operators' Group
Re: FBI tells the public to call their ISP for help
daemon@ATHENA.MIT.EDU (Chris Adams)
Thu Jun 14 14:47:01 2007
Date: Thu, 14 Jun 2007 13:45:50 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <20070614181222.18831.qmail@simone.iecc.com>
Errors-To: owner-nanog@merit.edu

Once upon a time, John Levine <johnl@iecc.com> said:
> I realize it's not a technical problem, although I suspect there are
> some technical twiddles that could help, e.g., persuading Microsoft to
> put the update servers in their own ASN to make it easier to put them
> in a sandbox. And I realize that Microsoft's combination of arrogance
> and naivete can make them painful to deal with.

$ dig download.windowsupdate.com
;download.windowsupdate.com. IN A
download.windowsupdate.com. 3411 IN CNAME main.dl.wu.akadns.net.
main.dl.wu.akadns.net. 111 IN CNAME dom.dl.wu.akadns.net.
dom.dl.wu.akadns.net. 111 IN CNAME dl.wu.ms.edgesuite.net.
dl.wu.ms.edgesuite.net. 8080 IN CNAME a26.ms.akamai.net.
a26.ms.akamai.net. 20 IN A 216.180.86.39
a26.ms.akamai.net. 20 IN A 216.180.86.37
$

If you have Akamai servers, the IPs will be on your network (and of
course shared with many other sites). You'd have to limit access with a
limited DNS server (since few will use or even know IPs to visit) that
only gives out DNS for certain hosts/domains.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
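
The limited-DNS approach described in the message above, as an added example that is not part of the original post: a sandbox resolver policy keyed on the name the client asked for, run over the records copied from the dig output in the message. `ALLOWED_QNAMES` and the function names are assumptions made for illustration.

```python
# Added example: walled-garden resolver policy applied to the dig answer above.
# ALLOWED_QNAMES and all function names are assumptions, not from the post.
DIG_ANSWER = """\
download.windowsupdate.com. 3411 IN CNAME main.dl.wu.akadns.net.
main.dl.wu.akadns.net. 111 IN CNAME dom.dl.wu.akadns.net.
dom.dl.wu.akadns.net. 111 IN CNAME dl.wu.ms.edgesuite.net.
dl.wu.ms.edgesuite.net. 8080 IN CNAME a26.ms.akamai.net.
a26.ms.akamai.net. 20 IN A 216.180.86.39
a26.ms.akamai.net. 20 IN A 216.180.86.37
"""

ALLOWED_QNAMES = {"download.windowsupdate.com."}  # assumed sandbox allowlist


def parse_answer(text):
    """Return (cnames, addrs): owner -> CNAME target, owner -> [A records]."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # skip comments, question section, malformed lines
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype == "CNAME":
            cnames[owner.lower()] = rdata.lower()
        elif rtype == "A":
            addrs.setdefault(owner.lower(), []).append(rdata)
    return cnames, addrs


def resolve(qname, cnames, addrs, max_hops=8):
    """Follow the CNAME chain from qname; return (chain, A records)."""
    chain, name = [qname], qname
    for _ in range(max_hops):
        if name not in cnames:
            break
        name = cnames[name]
        if name in chain:  # CNAME loop: give up with no addresses
            return chain, []
        chain.append(name)
    return chain, addrs.get(name, [])


def sandbox_answer(qname, cnames, addrs):
    """Answer only allowlisted query names; the resolver itself may chase
    the chain into CDN zones that clients cannot query directly."""
    qname = qname.lower().rstrip(".") + "."
    if qname not in ALLOWED_QNAMES:
        return None  # refuse, or point the client at a notice page
    return resolve(qname, cnames, addrs)[1]
```

The addresses returned are still shared Akamai IPs, so this policy restricts which names resolve for a sandboxed client, not which IPs are reachable.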