Maintaining DNS records manually can be very challenging. That is why Microsoft DNS servers allow dynamic DNS updates, but dynamic updates must be enabled with caution and in a secure way. This Wiki article explains how DNS updates can be secured on Microsoft Windows DNS servers.
DNS records can be static or dynamic.
A static DNS record is a record that was created manually by a DNS administrator, or a dynamic record that a DNS administrator converted to a static one. These records are maintained manually and should be administered only by trusted persons. Securing the updates of static DNS records therefore comes down to limiting the persons who have the rights to update them.
How to convert a dynamic resource record to a static one without re-creating it in DNS: in the DNS console, enable Advanced view, open the record's properties and clear "Delete this record when it becomes stale"; this removes the aging timestamp and the record is no longer a candidate for scavenging.
Dynamic DNS records are created by DNS clients, or by systems acting on behalf of DNS clients (for example, DHCP servers). Allowing dynamic DNS updates minimizes the administrative effort needed to maintain DNS zones. On Microsoft DNS servers, there are three possible configurations for dynamic updates on a zone:
- None: the zone accepts no dynamic updates; every record is maintained manually.
- Nonsecure and secure: the zone accepts updates from any source, authenticated or not.
- Secure only: the zone accepts updates only from sources that authenticate with an Active Directory account (available only for Active Directory-integrated zones).
If enabling dynamic updates is required for a company, it is highly recommended to use the Secure only dynamic updates option. This is because a DNS update source is considered trusted only if:
- it authenticates to the DNS server with its Active Directory account (the computer account, or the service account used by a DHCP server) through the Kerberos-based GSS-TSIG negotiation, and
- that account has write permission in the ACL of the DNS record it wants to update (*).
(*) If the DNS record to update does not exist in the zone, a new DNS record is created, the DNS update source is set as its owner and is granted Full Control on the new record.
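As an added example (not part of the original article), the following PowerShell audits which zones still accept nonsecure updates and switches them to Secure only. It assumes the DnsServer module (installed with the DNS Server role or RSAT) and a session with DNS administrator rights; zone names are whatever your server returns.

```powershell
# Added example, not from the original article. Assumes the DnsServer module
# and DNS administrator rights on the local server.
Import-Module DnsServer

# DynamicUpdate is one of None, Secure, NonsecureAndSecure.
# Auto-created zones (e.g. 0.in-addr.arpa) are skipped; they never accept updates.
$risky = Get-DnsServerZone |
    Where-Object {
        $_.ZoneType -eq 'Primary' -and
        -not $_.IsAutoCreated -and
        $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }

if (-not $risky) {
    Write-Host 'No primary zone accepts nonsecure dynamic updates.'
}

foreach ($zone in $risky) {
    if ($zone.IsDsIntegrated) {
        # Secure only is valid here: the zone lives in AD, so ACLs exist per record.
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Host "$($zone.ZoneName): switched to Secure only."
    }
    else {
        # File-backed zones cannot use Secure only; they must first be moved into AD,
        # e.g. Set-DnsServerPrimaryZone -Name <zone> -ReplicationScope Domain
        Write-Warning "$($zone.ZoneName) is file-backed; convert it to an AD-integrated zone before enabling Secure only."
    }
}

# Final state for review.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate
```

Run it once as an audit (comment out the Set-DnsServerPrimaryZone line) before letting it change anything; the last command is the check you keep re-running afterwards.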
Figure: the Secure Dynamic Update process.
To identify who can make updates on an existing DNS record, examine the ACL in the Security tab of the record's properties.
By clicking Advanced and then Owner, you can identify the owner of the DNS record (with Secure only dynamic updates, the AD account of the DNS update source is set as the owner of the DNS record).
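The same check can be scripted, which is what you want when reviewing hundreds of records rather than one. The following is an added example, not code from the original article: it reads the owner and the write-capable principals of a record straight from its dnsNode object in Active Directory. It assumes the ActiveDirectory and DnsServer modules (the AD: drive comes with the former), an AD-integrated zone, and placeholder names corp.example.com and ws01.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory and
# DnsServer modules and an AD-integrated zone; zone/host names are placeholders.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsRecordAcl {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$HostName,          # relative name, e.g. 'ws01'
        [string]$DnsServer = $env:COMPUTERNAME
    )
    # The zone's replication scope tells us which AD partition stores its records.
    $zone     = Get-DnsServerZone -Name $ZoneName -ComputerName $DnsServer
    $domainDn = (Get-ADDomain).DistinguishedName
    $container = switch ($zone.ReplicationScope) {
        'Domain' { "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn" }
        'Forest' { "CN=MicrosoftDNS,DC=ForestDnsZones,$((Get-ADRootDSE).rootDomainNamingContext)" }
        'Legacy' { "CN=MicrosoftDNS,CN=System,$domainDn" }
        default  { throw "Zone $ZoneName is not AD-integrated, so its records have no AD ACL." }
    }

    # Each record set is a dnsNode object: DC=<host>,DC=<zone>,<container>
    $dn  = "DC=$HostName,DC=$ZoneName,$container"
    $acl = Get-Acl -Path "AD:\$dn"

    [pscustomobject]@{
        Record  = "$HostName.$ZoneName"
        Owner   = $acl.Owner
        # Principals that can rewrite the record (explicit and inherited ACEs).
        Writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty')
            } |
            Select-Object -ExpandProperty IdentityReference -Unique
    }
}

# Under Secure only updates a workstation record should be owned by that
# workstation's own computer account (WS01$). Anything else deserves a look.
$info = Get-DnsRecordAcl -ZoneName 'corp.example.com' -HostName 'ws01'
$info
if ($info.Owner -notmatch '\\WS01\$$') {
    Write-Warning "ws01 is owned by $($info.Owner); expected the WS01$ computer account."
}
```

Expect the Writers list to include the zone's administrative principals (SYSTEM, Domain Admins, Enterprise Admins, DnsAdmins) through inheritance; what you are looking for is any other account, or an owner that is not the host itself.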
Combining AD-based authentication with ACL-based authorization offers a secure way of allowing DNS updates when DNS clients query your DNS servers directly to request updates.
By default, having a DNS record dynamically updated requires that the DNS client request it. If a company has DNS clients (Windows NT, for example) that do not request registration of their DNS records in the company's DNS zones, the company needs a system that will register the DNS records on behalf of the client: Microsoft proposes using Windows Server DHCP servers to achieve that.
A DHCP server can be configured to register DNS records on behalf of its clients; the DNS tab of the server (or scope) properties offers the following settings:
- Enable DNS dynamic updates according to the settings below, with either "Dynamically update DNS records only if requested by the DHCP clients" or "Always dynamically update DNS records".
- Discard A and PTR records when lease is deleted.
- Dynamically update DNS records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0).
Note that the DHCP server cannot tell whether a DHCP client is trusted or not: it requests the updates on behalf of whatever client it leases an address to. To prevent one server or client from squatting on another's name through DHCP dynamic updates for DNS, it is important to have the Name Protection feature enabled on the DHCP servers.
What Is Name Protection: when Name Protection is enabled, the DHCP server registers a DHCID resource record alongside the A and PTR records that identifies the client that owns the name. Before overwriting an existing record, the DHCP server checks the DHCID; if it belongs to a different client, the update is refused and the client receives an address but not the name.
There are two ways to make a Windows Server DHCP server authorized to register A and PTR DNS records on behalf of its clients:
- Add the DHCP server's computer account to the DnsUpdateProxy security group.
- Configure a dedicated Active Directory user account as the DNS dynamic update registration credentials of the DHCP server, so that the DHCP service registers records under that account rather than under its computer account.
DNS Record Ownership and the DnsUpdateProxy Group:
Remark: If a DNS record was created directly by a DNS client, then by default a DHCP server cannot update this DNS record, because the DHCP server's account has no permission on it.
Using DHCP registration of DNS A and PTR records on behalf of DHCP clients has another disadvantage: because the DHCP server's AD account is the owner of the new DNS records, the clients cannot update these records directly themselves.
This is because, in the ACLs of these records, the clients have no permission to update their own records.
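Putting the DHCP side of the procedure above together (registration on behalf of clients, Name Protection, a dedicated registration account and a sanity check on DnsUpdateProxy), as an added example that is not part of the original article. It assumes the DhcpServer and ActiveDirectory modules, an administrative session on the DHCP server, and a placeholder account CORP\dhcp-dnsupd that you have created beforehand.

```powershell
# Added example, not from the original article. Assumes the DhcpServer and
# ActiveDirectory modules, run as an administrator on the DHCP server.
# CORP\dhcp-dnsupd is a placeholder for a dedicated, low-privilege AD user.
Import-Module DhcpServer
Import-Module ActiveDirectory

# 1. Server-wide DNS registration policy for IPv4 scopes:
#    register for every client (including those that never ask),
#    remove A/PTR when the lease goes away, and
#    enable Name Protection so a second host cannot take over an existing name.
Set-DhcpServerv4DnsSetting -DynamicUpdates Always `
                           -UpdateDnsRRForOlderClients $true `
                           -DeleteDnsRROnLeaseExpiry $true `
                           -NameProtection $true

# 2. The same for IPv6 (Name Protection is also a per-scope setting there).
Set-DhcpServerv6DnsSetting -DynamicUpdates Always `
                           -DeleteDnsRROnLeaseExpiry $true `
                           -NameProtection $true

# 3. Register under a dedicated account instead of the server's computer
#    account; that account becomes the owner of the records DHCP creates.
$cred = Get-Credential -Message 'DNS dynamic update registration account (e.g. CORP\dhcp-dnsupd)'
Set-DhcpServerDnsCredential -Credential $cred

# 4. Whichever route is used, DnsUpdateProxy must contain DHCP servers only:
#    records created by its members are not protected by owner-based ACLs,
#    so any extra member can overwrite them.
$authorized = (Get-DhcpServerInDC).DnsName -replace '\..*$'    # short host names
Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive |
    Where-Object { $_.objectClass -ne 'computer' -or ($_.Name -notin $authorized) } |
    ForEach-Object {
        Write-Warning "Unexpected DnsUpdateProxy member: $($_.Name) ($($_.objectClass))"
    }

# 5. Verify the resulting configuration.
Get-DhcpServerv4DnsSetting
Get-DhcpServerv6DnsSetting
Get-DhcpServerDnsCredential
```

Step 4 deliberately treats every non-computer member as suspicious: user accounts and nested groups in DnsUpdateProxy are a common way for unrelated principals to inherit the ability to rewrite DHCP-registered names.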
Updating DNS Resource Records:
DHCP: The DNSupdateproxy group must be secured if Name Protection is enabled on any IPv6 scope: