Stop user mobile devices from registering themselves in DNS server

    Question

  • How do we stop non-MS clients that are clients of an MS DHCP server from registering in the DNS server?

    Stopping iPads, Androids, iPhones from populating DNS. These devices will be obtaining an IP from an MS DHCP Server which is a part of MS AD and hence the MS DNS Server.



    Friday, October 04, 2013 10:15 PM

Answers

  • My notes below are an accumulation of links from previous discussions on this topic. In a nutshell, you need to look at MAC filtering, and/or an 802.1x solution with NAP enforcement to prevent rogue machines (devices and personal laptops, etc.) from registering, or even getting an IP, if you want to take it that far.

    If just DNS, then create a separate VLAN just for wireless, create a DHCP scope, but do not create an Option 015 (the connection specific domain suffix), and they shouldn't register.

    -

    Enhance your 802.1x deployment security with MAC filtering
    "Ever wanted to tighten the security to the point that only some machines are allowed access on 802.1x/Wireless network? Well here’s the solution, combine MAC filtering, with EAP Authentication and you get, User AND machine authentication all in one." (such as blocking iPhones and Droids)
    http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx

    But to block iPhones or Droids, your only real option is a full NAC solution, such as using Windows Server 2008 NAP+NPA, Cisco NAC, Aruba ECS, etc. Read the following discussion:
    Keeping Employees with Consumer Devices that do 802.1x off the Employee Network - How
    http://airheads.arubanetworks.com/vBulletin/showthread.php?t=793

    Network Access Protection
    http://technet.microsoft.com/en-us/network/bb545879

    Checklist: Configure NAP Enforcement for 802.1X Wired
    http://technet.microsoft.com/en-us/library/cc730926(v=ws.10).aspxb

    Step-by-Step Guide: Demonstrate NAP 802.1X Enforcement in a Test Lab
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=733

    Configuring Windows Server 2008 for NAP DHCP Enforcement (Step by Step w/screenshots)
    http://www.techotopia.com/index.php/Configuring_Windows_Server_2008_NAP_DHCP_Enforcement

    Thread: » Can I Block Ipods connecting to Network?
    http://forums.whirlpool.net.au/archive/1387986 


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Monday, October 07, 2013 6:04 AM
  • Hi,

    Since the IP addresses were assigned by the DHCP server, the DHCP server would register the records in the DNS server. It had nothing to do with clients.

    In order to stop this, you can stop the DHCP server from registering records in DNS.

    If you do this, you should configure the other clients to register records by themselves.

    Control Panel\Network and Internet\Network Connections\Properties\Internet Protocol version 4\Properties\Advanced

    Check the option “Register this connection’s addresses in DNS”

    Hope this helps.

    Monday, October 07, 2013 5:11 AM
    Moderator
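
The two suggestions above (a wireless scope without Option 015, and stopping the DHCP server from registering records) can be applied per scope and then verified. This is an added example, not part of the original posts; the scope, zone and server names are constructed placeholders, and it assumes the DhcpServer and DnsServer PowerShell modules (Windows Server 2012 or later, or RSAT).

```powershell
# Added example: all names and addresses below are constructed placeholders.
Import-Module DhcpServer, DnsServer

$ScopeId    = '10.20.30.0'               # constructed: wireless/BYOD scope
$ZoneName   = 'corp.example.com'         # constructed: AD-integrated forward zone
$DhcpServer = 'dhcp01.corp.example.com'  # constructed
$DnsServer  = 'dc01.corp.example.com'    # constructed

# 1. Stop the DHCP server from registering A/PTR records for this scope only.
#    Other scopes keep their existing dynamic-update behaviour.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates Never -UpdateDnsRRForOlderClients $false

# 2. Option 015 may be set on the scope or inherited from the server level.
$scopeOpt  = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
                 -OptionId 15 -ErrorAction SilentlyContinue
$serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer `
                 -OptionId 15 -ErrorAction SilentlyContinue
if ($scopeOpt) {
    Remove-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -OptionId 15
}
if ($serverOpt) {
    Write-Warning "Server-level option 015 ($($serverOpt.Value)) is still inherited by scope $ScopeId."
}

# 3. A device can still send its own dynamic update straight to DNS unless the
#    zone accepts secure updates only (non-domain devices cannot authenticate).
$zone = Get-DnsServerZone -ComputerName $DnsServer -Name $ZoneName
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $ZoneName dynamic update mode is '$($zone.DynamicUpdate)', not 'Secure'."
}

# 4. Audit: list A records that already point into the wireless scope's range.
$scope = Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId
$lo = [version]$scope.StartRange.ToString()   # [version] gives octet-wise comparison
$hi = [version]$scope.EndRange.ToString()
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType A |
    Where-Object {
        $ip = [version]$_.RecordData.IPv4Address.ToString()
        $ip -ge $lo -and $ip -le $hi
    } |
    Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }, Timestamp
```

Records returned by step 4 were registered before the change and stay in the zone until they are scavenged or deleted.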
