14

I've got a Windows 2012 Domain Controller running DNS and DHCP servers. The default setting appears to be Dynamically update DNS A and PTR records only if requested by the DHCP clients.

(This is under Scope Properties -> DNS)

Is there a downside to selecting Always dynamically update DNS A and PTR records?

What's the difference between that and Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)?

Roger Lipscombe

2 Answers

8

Is there a downside to selecting Always dynamically update DNS A and PTR records?

It depends on what you want to do.

By default, a Windows machine will speak directly to DNS and update its own A record, and it will ask DHCP to update the PTR record.

By enabling Always dynamically update DNS A and PTR records you are telling DHCP to update both records even if the client only asks it to update the PTR.

What's the difference between that and "...for DHCP clients that do not request updates..."

The NT 4.0 example isn't so relevant these days, so consider a mixed environment where you have Windows and Mac (or Linux) clients.

The Windows machines handle their dynamic DNS updates (or they ask DHCP to do so).

But the Mac/Linux clients do not. This option allows DHCP to create records for these machines which do not or cannot request dynamic DNS updates.

Some things to consider:

  • You should create a dedicated, non-privileged AD user account for DHCP to use for dynamic DNS updates, and add it to the DnsUpdateProxy group (this is especially important if DHCP runs on a domain controller).
  • DHCP always registers the name reported by the client, even if you set up a reservation. If the client reports a name different than the one you set in the reservation, the reservation's name will be overwritten.
  • Dynamic DNS records set via DHCP will have a timestamp set on them. You should properly set up DNS scavenging to delete these records, even if you have DHCP set to remove records when the lease expires (it's good to have that on, but there are many cases where this just doesn't happen).
briantist
  • I think you nailed it. I typically set scavenging on the zone for every 24 hours, it keeps the zones nice and tight. – Citizen Jan 24 '15 at 02:18
  • "By enabling Always dynamically update DNS A and PTR records you are telling DHCP to update both records even if the client only asks it to update the PTR." ... and is there a **downside** to doing this? – Roger Lipscombe Mar 09 '15 at 16:11
  • @Roger Lipscombe There is no generic downside that I can think of, but I can't really say if there's a downside for your situation. I figured that explaining the effect would allow you to make that determination for your environment. – briantist Mar 09 '15 at 16:15
  • "If the client reports a name different than the one you set in the reservation, the reservation's name will be overwritten." I would call any changes to a reservation a downside. We are losing reservations all the time, wondering if the special user is doing more than just changing the name of the reservation. – rjt Nov 24 '15 at 16:33
0

Regarding the use of the DnsUpdateProxy group, it is my understanding that only the DHCP servers should be members of that group, not the dynamic DNS update user. The user account is supposed to be added to the DHCP server configuration, not to the DnsUpdateProxy group.

The DnsUpdateProxy group is for DNS Clients. The user is not a client, it is a mechanism used by the client (the DHCP server) to make dynamic updates to DNS when you have secure updates only turned on. The client remains the DHCP server.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-dnsupdateproxy

When the DHCP server is on a DC, in addition to making the server a member of the group and adding the user to the DHCP configuration, you also need to set OpenAclOnProxyUpdates off. If you don't, you are adding a vulnerability, because membership in the DnsUpdateProxy group gives too much authority over the DNS records.

Some schools of thought suggest that DHCP on a DC should not be a member of DnsUpdateProxy, and should only have the DNS update user assigned to DHCP. That may be true for older Windows Server, but for 2012 R2 and later, the sense I have from the tech docs is that the server should still be in the DnsUpdateProxy group, but because it is a DC, that group membership's permissions open up the vulnerability.

So, if you have DHCP on a DC with secure dynamic DNS update enabled, you should also run this command on the DC that is running DHCP, so its DNS won't allow "foreign" updates to change records owned by DHCP:

dnscmd /config /OpenAclOnProxyUpdates 0

Bottom line - the DnsUpdateProxy group is not for any user object - it should only be used for DHCP server objects (DHCP clients), and is primarily intended for the "best practices" of having your DHCP server on a non-DC server, to impart the necessary permissions to dynamically update DNS. Adding the secure update user to that group serves no purpose.

JimS
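The configuration both answers describe (dedicated update account on the DHCP server, DHCP computer object in DnsUpdateProxy, OpenAclOnProxyUpdates off on a DC, scope update mode, scavenging) as one PowerShell script. This is an added example, not code from either answer; the zone name, scope ID and account name are placeholders for your environment.

```powershell
# Added example. Run elevated on the DC that hosts DHCP and DNS.
# Placeholders: adjust $Zone, $ScopeId and the account you supply to Get-Credential.
Import-Module DhcpServer, DnsServer, ActiveDirectory
$Zone     = 'corp.example.com'     # placeholder AD-integrated zone
$ScopeId  = '10.0.0.0'             # placeholder DHCP scope
$DhcpHost = $env:COMPUTERNAME      # the DC running DHCP

# 1. Dedicated, non-privileged account DHCP uses for secure dynamic updates.
#    It goes into the DHCP server configuration only, not into DnsUpdateProxy.
$cred = Get-Credential -Message 'Dynamic DNS update account (e.g. CORP\svc-dhcp-dns)'
Set-DhcpServerDnsCredential -Credential $cred -ComputerName $DhcpHost

# 2. The DHCP server's computer object is what belongs in DnsUpdateProxy.
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $DhcpHost)

# 3. DHCP is on a DC, so close the open ACL that DnsUpdateProxy membership
#    would otherwise place on records the server registers.
& dnscmd.exe /config /OpenAclOnProxyUpdates 0

# 4. Scope DNS behaviour:
#    -DynamicUpdates Always           = "Always dynamically update DNS A and PTR records"
#    -UpdateDnsRRForOlderClients $true = "...for DHCP clients that do not request updates"
#    -DeleteDnsRROnLeaseExpiry $true  = remove the records when the lease expires
Set-DhcpServerv4DnsSetting -ComputerName $DhcpHost -ScopeId $ScopeId `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# 5. Scavenging on the server plus aging on the zone, so timestamped records
#    that DHCP failed to delete are eventually removed. 1-day intervals follow
#    the "every 24 hours" comment above; tune them to your lease duration.
Set-DnsServerScavenging -ComputerName $DhcpHost -ScavengingState $true `
    -RefreshInterval 1.00:00:00 -NoRefreshInterval 1.00:00:00
Set-DnsServerZoneAging -ComputerName $DhcpHost -Name $Zone -Aging $true `
    -RefreshInterval 1.00:00:00 -NoRefreshInterval 1.00:00:00

# Verify what was applied.
Get-DhcpServerDnsCredential -ComputerName $DhcpHost
Get-DhcpServerv4DnsSetting  -ComputerName $DhcpHost -ScopeId $ScopeId
Get-DnsServerZoneAging      -ComputerName $DhcpHost -Name $Zone
```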