Non-secure DNS server - Allow dynamic updates only from DHCP server

Question

I have a standalone DNS server configured for "Secure and Non-Secure" dynamic updates. I also have the DHCP role installed on the same server.

How do I ensure that only the DHCP server can update records in DNS? I don't want to allow clients to update DNS records directly. I'm hoping that combined with the "Name Protection" setting in the DHCP server, at the very least the no one can maliciously overwrite an existing dynamic record.

This should be sufficient since I've configured my switch for 802.1x as well as DHCP snooping to allow only trusted DHCP assigned IP addresses on the VLAN. I'm trying to avoid Active Directory for this network.

score 1 · Answer 1 · edited May 29 '17 at 15:13

1

First remove unsecure mode.

As in secure mode just ad joined machine can update their record. (and the dhcp service under the dhcpproxy acl) update the dns.

Second point, to answer your question, check that acl; to be sure its set.

Took from that answer: How to limit dynamic DNS updates

edited May 29 '17 at 15:13

Pierre.Vriens

1,159
34
15
19

answered Feb 28 '16 at 20:40

yagmoth555

16,300
4
26
48

I'm not on Active DIrectory, so there is no "Secure" mode alone. There is also no ACL for DNS records without Active Directory. – Monstieur Feb 28 '16 at 21:21
@Locutus Thanks for the clarification. Does your dhcp server support radius authentification ? Can be a workaround to ensure no unwanted computer get on the network. – yagmoth555 Feb 28 '16 at 22:27
I already use 802.1x for the switch and Wi-Fi, however I need to prevent even authenticated users from being able to simply overwrite any DNS record. Only the DHCP server should update the DNS record with their hostname - the user should have no control over it. – Monstieur Feb 29 '16 at 07:02
@Locutus without acl the only way I see is with a firewall that could filter the ddns packet. (as the filter tcpdump 'udp[0xa] & 0x78 = 0x28' seem to show only update, from there I dont know if you can make a rule with that in iptable) – yagmoth555 Mar 01 '16 at 04:10

score 0 · Answer 2 · answered Mar 01 '16 at 22:34

I can't find this setting documented anywhere, but last week I found this key on a test server I manage.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\AllowUpdate

If this key exists and it has a value of 0, dynamic updates from clients are refused. I am not sure if how it would affect updates from a DHCP service on the same server, but you could try it out and see if it may be an alternative to the firewall block.

This just disables dynamic updates completely. – Monstieur Mar 12 '16 at 11:23 — Monstieur, Mar 12 '16 at 11:23

Non-secure DNS server - Allow dynamic updates only from DHCP server

2 Answers2