4

I have a standalone DNS server configured for "Secure and Non-Secure" dynamic updates. I also have the DHCP role installed on the same server.

How do I ensure that only the DHCP server can update records in DNS? I don't want to allow clients to update DNS records directly. I'm hoping that, combined with the "Name Protection" setting in the DHCP server, at the very least no one can maliciously overwrite an existing dynamic record.

This should be sufficient since I've configured my switch for 802.1x as well as DHCP snooping to allow only trusted DHCP assigned IP addresses on the VLAN. I'm trying to avoid Active Directory for this network.

Monstieur
  • 536
  • 2
  • 15

2 Answers

1

First, remove unsecure mode.

As in secure mode, just AD-joined machines can update their record (and the DHCP service under the dhcpproxy ACL updates the DNS).

Second point, to answer your question: check that ACL, to be sure it's set.


Taken from that answer: How to limit dynamic DNS updates

Pierre.Vriens
  • 1,159
  • 34
  • 15
  • 19
yagmoth555
  • 16,300
  • 4
  • 26
  • 48
  • I'm not on Active Directory, so there is no "Secure" mode alone. There is also no ACL for DNS records without Active Directory. – Monstieur Feb 28 '16 at 21:21
  • @Locutus Thanks for the clarification. Does your DHCP server support RADIUS authentication? It can be a workaround to ensure no unwanted computer gets on the network. – yagmoth555 Feb 28 '16 at 22:27
  • I already use 802.1x for the switch and Wi-Fi; however, I need to prevent even authenticated users from being able to simply overwrite any DNS record. Only the DHCP server should update the DNS record with their hostname - the user should have no control over it. – Monstieur Feb 29 '16 at 07:02
  • @Locutus Without an ACL, the only way I see is with a firewall that could filter the DDNS packets. (As the filter tcpdump 'udp[0xa] & 0x78 = 0x28' seems to show only updates; from there I don't know if you can make a rule with that in iptables.) – yagmoth555 Mar 01 '16 at 04:10
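The tcpdump expression quoted in the comment above works because byte 10 of a UDP datagram (8-byte UDP header plus the 2-byte DNS message ID) is the high byte of the DNS flags field, and the mask 0x78 isolates the 4-bit opcode; 0x28 is opcode 5, which RFC 2136 assigns to UPDATE. The following is an added example, not code from the answer or from any of the posters: it builds a constructed UPDATE message and a constructed ordinary query, applies the same byte test the BPF filter uses, and parses the zone and update sections of the UPDATE so a defender looking at a capture can see which zone and which record a client is trying to change. The zone, host and IP values are sample data, not anything from the question.

```python
import struct

# DNS opcodes (RFC 1035 section 4.1.1; RFC 2136 adds UPDATE = 5).
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
OPCODE_UPDATE = 5
TYPE_NAMES = {1: "A", 6: "SOA", 28: "AAAA"}
UDP_HEADER_LEN = 8


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus a root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, offset: int):
    """Return (name, offset after the name). Follows RFC 1035 compression pointers."""
    labels, jumped, end = [], False, offset
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier part of the message
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_update(zone: str, host: str, ipv4: str, msg_id: int = 0x1234) -> bytes:
    """Constructed sample: a minimal RFC 2136 UPDATE adding one A record, no prerequisites."""
    flags = OPCODE_UPDATE << 11                      # QR=0, opcode=5, other flag bits clear
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)  # ZOCOUNT=1, UPCOUNT=1
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # ZTYPE=SOA, ZCLASS=IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + zone_section + update_rr


def build_query(name: str, msg_id: int = 0x1235) -> bytes:
    """Constructed sample: an ordinary recursive A query, for contrast."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # RD set, opcode QUERY
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def wrap_udp(payload: bytes, sport: int = 50000, dport: int = 53) -> bytes:
    """Prepend an 8-byte UDP header (checksum left 0) so the BPF byte offsets line up."""
    return struct.pack("!HHHH", sport, dport, UDP_HEADER_LEN + len(payload), 0) + payload


def matches_update_filter(udp_datagram: bytes) -> bool:
    """Exactly the test tcpdump 'udp[0xa] & 0x78 = 0x28' performs on each datagram."""
    return (udp_datagram[0xA] & 0x78) == 0x28


def dns_opcode(dns_payload: bytes) -> int:
    flags = struct.unpack("!H", dns_payload[2:4])[0]
    return (flags >> 11) & 0xF


def read_rr(buf: bytes, offset: int):
    """Read one resource record: (name, type, class, ttl, rdata, next offset)."""
    name, offset = decode_name(buf, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", buf[offset:offset + 10])
    offset += 10
    return name, rtype, rclass, ttl, buf[offset:offset + rdlength], offset + rdlength


def summarize_update(dns_payload: bytes) -> dict:
    """Parse an UPDATE's zone, prerequisite and update sections into a readable summary."""
    if dns_opcode(dns_payload) != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    msg_id, _flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", dns_payload[:12])
    offset = 12
    zone, offset = decode_name(dns_payload, offset)
    offset += 4 * zocount                             # skip ZTYPE/ZCLASS of the zone entry
    prereqs, updates = [], []
    for section, count in ((prereqs, prcount), (updates, upcount)):
        for _ in range(count):
            name, rtype, _rclass, ttl, rdata, offset = read_rr(dns_payload, offset)
            rendered = ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()
            section.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, rendered))
    return {"id": msg_id, "zone": zone, "prerequisites": prereqs, "updates": updates}


def classify(udp_datagrams) -> list:
    """Opcode name for each datagram, as a detection rule over a capture would report it."""
    return [OPCODE_NAMES.get(dns_opcode(d[UDP_HEADER_LEN:]), "?") for d in udp_datagrams]


if __name__ == "__main__":
    upd = wrap_udp(build_update("corp.example", "pc01.corp.example", "10.0.0.5"))
    qry = wrap_udp(build_query("www.example.com"))
    print(classify([upd, qry]))
    print(summarize_update(upd[UDP_HEADER_LEN:]))
```

Note that the filter only identifies the message type. On a standalone (non-AD) Windows DNS server there is no per-record ACL, so a capture-based rule can tell you that a host other than the DHCP server sent an UPDATE, but blocking it still has to happen at the firewall or by configuring the zone, as the comment thread concludes.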
0

I can't find this setting documented anywhere, but last week I found this key on a test server I manage.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\AllowUpdate

If this key exists and it has a value of 0, dynamic updates from clients are refused. I am not sure how it would affect updates from a DHCP service on the same server, but you could try it out and see if it may be an alternative to the firewall block.

Clayton
  • 4,483
  • 16
  • 24