
Goal: For a non-Microsoft DHCP server to send dynamic DNS updates on behalf of non-Microsoft domain clients.

Question: With a particular zone in a Microsoft DNS server configured for "Nonsecure and secure" updates, can Microsoft limit which IP addresses are allowed to send dynamic DNS updates to the entire server or zone?

We would like to limit updates so that only the non-MS DHCP server can send them to Microsoft DNS, and would like to achieve this goal in this fashion.

GSS-TSIG is another option that does work, although I still need to explore it due to some limitations of the Kerberos protocol.

Environment:

1 Non-Microsoft DHCP server

1 MS DNS server

I have been looking into this for some time and have come across the following articles:

How to limit dynamic DNS updates https://technet.microsoft.com/en-us/library/ee649193%28v=ws.10%29.aspx

madhatter
  • IP address ACLs should not be mixed with DNS when there are security implications. UDP is stateless and easily spoofed. Unless you're using a key to authenticate the DDNS changes, this is completely insecure. – Andrew B Apr 15 '16 at 18:57
  • @AndrewB Thank you Andrew for the quick response. Point taken. – madhatter Apr 15 '16 at 19:16
  • Considering the risks, would the DNS ACLs that allow only specified source IPs to send dynamic DNS updates be applied in Windows Firewall or somewhere in the DNS configuration? I cannot find a configuration window within MS' DNS Management. Thank you. – madhatter Apr 18 '16 at 16:59
  • Firewalling will not prevent a spoofed source IP, unfortunately. You would have to firewall UDP off completely and only allow TCP. TCP includes a session handshake, UDP does not. The latter can be used to spoof DDNS updates unless the packets contain a signature. Beyond that, I'm not a Windows expert and I will defer to someone else. :) – Andrew B Apr 18 '16 at 18:39
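The practical upshot of the comments above, as an added example that is not part of the original thread: a PowerShell audit that finds zones left in the "Nonsecure and secure" state the question describes and, only when asked, moves them to "Secure" so that updates must be authenticated (GSS-TSIG) rather than trusted by source IP. It assumes the DnsServer PowerShell module on a Windows DNS server; the -Enforce switch and the localhost default are my assumptions.

```powershell
# Added example (not from the original thread): audit Microsoft DNS zones for the
# "Nonsecure and secure" dynamic-update setting and optionally require secure updates.
# Assumes the DnsServer module (Windows Server DNS role) is available.
param(
    [string]$ComputerName = 'localhost',   # assumption: run against the local DNS server
    [switch]$Enforce                       # only change zones when explicitly requested
)

# Primary zones that accept unauthenticated dynamic updates. Source-IP filtering
# (DNS ACLs or firewall rules) does not close this gap: a UDP update carries no
# proof of origin, so an unsigned update is accepted whoever really sent it.
$exposed = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object {
        -not $_.IsAutoCreated -and
        $_.ZoneType -eq 'Primary' -and
        $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }

if (-not $exposed) {
    Write-Output "No primary zones accept nonsecure dynamic updates on $ComputerName."
    return
}

$exposed | Select-Object ZoneName, DynamicUpdate, IsDsIntegrated | Format-Table -AutoSize

foreach ($zone in $exposed) {
    if (-not $Enforce) {
        Write-Warning "Zone $($zone.ZoneName) accepts unsigned updates; rerun with -Enforce to require secure updates."
        continue
    }
    # 'Secure' is only offered for AD-integrated zones. Once set, every update must be
    # authenticated, which is exactly what a non-Microsoft DHCP server needs GSS-TSIG for.
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $zone.ZoneName -DynamicUpdate Secure
        Write-Output "Zone $($zone.ZoneName): DynamicUpdate set to Secure."
    } else {
        Write-Warning "Zone $($zone.ZoneName) is not AD-integrated, so 'Secure' is unavailable; consider -DynamicUpdate None."
    }
}
```

Run it without -Enforce first: it only reports, so you can see which zones the non-MS DHCP server would lose update access to before requiring GSS-TSIG.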

0 Answers