
I am working on a case study related to risks from insecure dynamic DNS updates. Suppose there is an internal DNS configured that has a mix of static and dynamically created addresses. Consider a Windows AD integrated DNS environment.

I need some help on a few of the queries below:

  1. Can a static and a dynamically created A record for the same host coexist on the DNS server, referring to different IP addresses? (e.g., a dynamic A record created by a new system introduced on the network with the same hostname)
  2. If yes, how would the DNS resolution happen in such cases? Can a DNS query resolve to the incorrect dynamic A record instead of the static A record?
  3. Can this be avoided by having a secure dynamic DNS configuration instead of insecure DDNS updates? If so, how could secure DDNS prevent such a scenario?

Any assistance on this matter will be quite helpful.

Thanks in advance.

Impossible

1 Answer

Can there coexist a static and a dynamically created A record for the same host

A name can resolve to multiple IP addresses, that is have multiple A or AAAA records. Clients will get the whole set of them when querying for the name.

How the IP addresses are provisioned is kind of irrelevant to the above, except that in "dynamic" cases, often an update is in fact a replacement, that is: "please resolve X to address Y now, after having removed all existing IP addresses for it".

So it all depends on how your dynamic stuff is working. If it is additive, then you can have a mix.

If yes, how would the DNS resolution happen for such cases? Can DNS query resolve to the incorrect dynamic A record instead of the static A record?

If there are multiple A records, they are all returned. The client has no way to know from where they come (dynamic or static).

Can this be avoided by having a secure dynamic DNS configuration instead of insecure DDNS updates? If so, how could secure DDNS prevent such a scenario?

Yes, and also by making only a subzone of your zone open to dynamic updates, not the whole zone.

Patrick Mevzek
  • Thanks for the quick response, I have a follow-up. Agreed, dynamic IP addresses are not the concern here. The concern is the implementation of insecure DDNS updates. Suppose there is a static DNS record xyz : 1.1.1.1 : A and now a new host is introduced in the network with the same hostname xyz; when this tries to register its DNS record dynamically, what happens? 1. Does it create another DNS entry, this one being dynamic? 2. Does it update the existing static DNS record with the new IP address? 3. Does it decline creating a new record? Consider Windows AD integrated DNS for the scenario – Impossible Sep 23 '21 at 18:21
  • All 3 points are implementation specific, so that can vary, and you specify it is Windows AD integrated DNS, on which I have 0 knowledge, sorry. You should put the details of your comment in your main question, and specifically the platform; it would help people give a more precise answer, mine is just a generic one. – Patrick Mevzek Sep 23 '21 at 18:23
  • Got it. Really, thank you for taking the time to respond to the thread. I have updated the environment now. – Impossible Sep 23 '21 at 18:29
  • I believe that you can configure it so that only the DHCP server can send dynamic updates to DNS instead of the clients sending the dynamic DNS update after receiving an update from the DHCP server. This also prevents issues as only your trusted DHCP servers can send updates and not every single client computer in the network. – Tommiie Sep 24 '21 at 07:01
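The answer's two points, that a resolver receives the whole A RRset without knowing which records were registered dynamically, and that the fix is to require secure updates (or confine them to a subzone), can be turned into a concrete check on the Windows AD-integrated DNS environment the question names. The script below is an added example written for this thread; it is not code from the asker, the answerer, or Microsoft. It relies on the DnsServer PowerShell module (Get-DnsServerResourceRecord, Get-DnsServerZone, Set-DnsServerPrimaryZone), on the fact that AD-integrated dynamic records carry a Timestamp while static records have none, and on a placeholder zone name that you replace with your own. It reports names that have both static and dynamic A records and, only when asked, switches the zone to secure dynamic updates.

```powershell
# Added example for this thread (not the question's or answer's own code).
# Audit a Windows AD-integrated DNS zone for names carrying both a static
# and a dynamically registered A record, report the zone's dynamic-update
# mode, and optionally tighten it to 'Secure'.
# Assumptions: run on a DNS server (or a host with the DnsServer RSAT module)
# with DNS admin rights; 'corp.example' is a placeholder zone name.

param(
    [string]$ZoneName = 'corp.example',   # placeholder, replace with your zone
    [switch]$Remediate                     # change the zone only when explicitly asked
)

Import-Module DnsServer

# 1. Pull every A record in the zone. In AD-integrated zones, dynamically
#    registered records carry a Timestamp (used for aging/scavenging);
#    records an administrator created statically have no timestamp.
$aRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A

$report = $aRecords |
    Group-Object -Property HostName |
    ForEach-Object {
        $static  = @($_.Group | Where-Object { -not $_.Timestamp })
        $dynamic = @($_.Group | Where-Object { $_.Timestamp })
        [pscustomobject]@{
            HostName   = $_.Name
            StaticIPs  = (@($static.RecordData.IPv4Address)  -join ', ')
            DynamicIPs = (@($dynamic.RecordData.IPv4Address) -join ', ')
            Mixed      = ($static.Count -gt 0 -and $dynamic.Count -gt 0)
        }
    }

# Names with both kinds of record are exactly the case the question describes:
# a client querying the name gets the whole RRset and cannot tell which
# address is the intended static one.
$mixed = @($report | Where-Object { $_.Mixed })
"Names in $ZoneName with both static and dynamic A records: $($mixed.Count)"
$mixed | Format-Table HostName, StaticIPs, DynamicIPs -AutoSize

# 2. Check how the zone accepts dynamic updates.
#    'NonsecureAndSecure' lets any host on the network register or overwrite
#    names; 'Secure' requires an authenticated (GSS-TSIG) update and the
#    record's AD ACL then belongs to the account that registered it, so
#    another machine cannot overwrite an existing name.
$zone = Get-DnsServerZone -Name $ZoneName
"Dynamic update mode for ${ZoneName}: $($zone.DynamicUpdate)"

if ($Remediate -and $zone.DynamicUpdate -ne 'Secure') {
    # 'Secure' is only available for AD-integrated primary zones.
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    "Zone $ZoneName now accepts secure dynamic updates only."
}
```

Run it without -Remediate first to see the report; the Mixed column is the list worth reconciling by hand before any setting changes. Following the answer's subzone advice and Tommiie's comment, the same Set-DnsServerPrimaryZone call can be applied to a dedicated subzone that clients (or only the DHCP servers, if they perform registrations on clients' behalf) are allowed to update, leaving the parent zone with DynamicUpdate set to None so its static records cannot be touched by dynamic updates at all.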