
So we're a university campus, and in DNS Manager all the students' phones, tablets, etc. are registering their A records in DNS. We don't want them to. Ideally, we'd just have domain-joined devices registering/updating their DNS records.

We've done the following:

  • DNS: Right click on domain in fwd lookup zone > Properties > Changed "Dynamic Updates" to "Secure only." (it was previously "Nonsecure and secure")
  • DHCP: Right click the respective DHCP Scope > Properties > DNS Tab > UNCHECK "Enable DNS dynamic updates according to the settings below"
  • DNS: Delete all records from the student subnets (from every DNS server)

It seemed like it was working for a little while, but then every hour, on the hour, I started to see old records repopulate Windows DNS Manager.

What are we missing? The main push for this was that we had a DNS squatting issue, where a student's phone's hostname was the same as one of our servers', which prevented end users from accessing that server via its DNS name. The temporary mitigation was to create a CNAME for it, as it appears dynamic updates don't update CNAMEs, but we'd ideally like to prevent all non-domain-joined devices from registering in DNS.

Thanks in advance.

amoreno
  • Is the DNS zone in question AD integrated? – joeqwerty Jun 06 '16 at 22:20
  • @joeqwerty yes it is. And about 15 minutes ago, there weren't any student A records. Now there are a gajillion. And it's summer, so I can't imagine these are all valid, especially when the number of leases in DHCP that recently renewed within this 15 minute time frame is less than the number of DNS records that just appeared. – amoreno Jun 06 '16 at 22:39
  • Are these records coming from a replicated forward lookup zone on another DNS server? – Citizen Jun 06 '16 at 23:00
  • @Citizen hopefully not? As part of the process, I went to each DNS server and deleted all records from the student subnet. So if DNS Manager isn't lying to me when it deletes the records, then there shouldn't be any replication. I would delete the records, refresh, go to the next server, delete, refresh, repeat, until I hit all of them, then I would cycle through again and refresh each. – amoreno Jun 06 '16 at 23:05
  • We may have figured it out, though we're not sure. Need to try something. We're seeing that for some of these DNS records that are repopulating, the Owner of them is the same as the account configured in DHCP > Server > IPv4 (right click > Properties) > Advanced > Credentials... but those leases in DHCP are old. I just checked and any new leases are actually not showing up in DNS; just the old leases are the ones that are getting repopulated... need to do some more testing to confirm... – amoreno Jun 06 '16 at 23:13
  • So we killed all the DHCP leases in these student DHCP scopes, then went to all the DNS servers and killed all the DNS records for the student subnets. Going to let it sit overnight and check it in the morning since it's time to go home, but as of right now, there aren't any new DNS records repopulating DNS Manager...yet...*knock knock knock* – amoreno Jun 06 '16 at 23:33

2 Answers


Something else you should do/need to do is to configure scavenging on one of the DC/DNS servers and on the DNS zone(s). This will clean up old, stale A records automatically. Note that you only need to enable scavenging on one of your DC/DNS servers: as the zone is AD integrated, the DNS zone will be replicated to all other DC/DNS servers, so any changes you make will be replicated as part of AD replication to all other DC/DNS servers. There's no need to enable scavenging on more than one DC/DNS server and doing so isn't helpful.

Also note that because the DNS zone is AD integrated, any manual clean up you perform only needs to be done on one DC/DNS server. Again, because the zone is AD integrated, any DNS records you clean up on one DC/DNS server will be replicated to all other DC/DNS servers.

joeqwerty
  • Thanks @joeqwerty. That is something we've looked into in the past, but when we implemented it, the settings I enabled were slightly overly aggressive somehow, because what ended up happening was that some valid records that had old timestamps were getting purged. Why the records weren't getting updated, I have no idea, but when we did turn on scavenging, a few services dropped off until we could figure out what happened. Obviously the solution to avoid that is to create static records for critical services, but still. – amoreno Jun 07 '16 at 15:56
  • And as far as the AD integration, yes, I knew that, BUT, because we were having that abnormal situation where even after purging the records, more records than what could have been valid were repopulating, I then took the approach of thinking "maybe the other servers are replicating old records somehow." Hence, hitting each one. – amoreno Jun 07 '16 at 15:59
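One way to enable scavenging while avoiding the purge-of-valid-records problem raised in the comment above: an added PowerShell example (not code from the answer or its author) that first lists the dynamic A records the chosen intervals would scavenge, so critical hosts can be given static records beforehand, and only then enables aging on the zone and scavenging on a single DC/DNS server. The zone name, server name, server IP and the 7-day intervals are placeholders/assumptions.

```powershell
# Added example, not from the thread. Reports which A records scavenging would purge under
# the proposed intervals BEFORE turning it on, then enables aging on the zone and scavenging
# on a single DC/DNS server. Zone, server name and server IP are placeholders.
Import-Module DnsServer

$Zone         = 'domain.com'            # placeholder AD-integrated zone
$ScavengeDc   = 'dc01.domain.com'       # placeholder: the ONE DC/DNS server that will scavenge
$ScavengeDcIp = [ipaddress]'10.0.0.10'  # placeholder: its address, for -ScavengeServers
$NoRefresh    = [timespan]'7.00:00:00'  # timestamp cannot be refreshed during this window
$Refresh      = [timespan]'7.00:00:00'  # after that, the client has this long to refresh it

function Get-ScavengeCandidate {
    # A dynamic record is eligible once its timestamp is older than NoRefresh + Refresh.
    # Static records carry no timestamp and are never scavenged, so they are skipped here.
    param([string]$ZoneName, [string]$Server, [timespan]$NoRefresh, [timespan]$Refresh)
    $cutoff = (Get-Date) - ($NoRefresh + $Refresh)
    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $Server -RRType A |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp,
            @{ n = 'IP'; e = { $_.RecordData.IPv4Address.IPAddressToString } }
}

# 1. Dry run: any server or service on this list needs a static record first, otherwise it
#    disappears on the first scavenging pass (the failure mode described in the comment above).
$candidates = @(Get-ScavengeCandidate -ZoneName $Zone -Server $ScavengeDc `
                                      -NoRefresh $NoRefresh -Refresh $Refresh)
$candidates | Sort-Object Timestamp | Format-Table -AutoSize
Write-Host ("{0} record(s) would be scavenged" -f $candidates.Count)

# 2. Aging is a zone property; on an AD-integrated zone it replicates, so set it once.
Set-DnsServerZoneAging -Name $Zone -ComputerName $ScavengeDc -Aging $true `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh -ScavengeServers $ScavengeDcIp

# 3. Scavenging itself is a per-server setting: enable it on exactly one DC/DNS server.
Set-DnsServerScavenging -ComputerName $ScavengeDc -ScavengingState $true -ScavengingInterval $Refresh
Get-DnsServerScavenging -ComputerName $ScavengeDc
```

Run the dry-run part on its own first; the two Set- calls at the end are the only changes the script makes.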

After doing what I mentioned in the comments, checking this morning, there are only DNS updates from the student subnets from workstations that are joined to the domain. No DNS updates from phones, tablets, personal devices, etc.

So to recap, we did the following:

  • DNS: Right click on domain in fwd lookup zone > Properties > Changed "Dynamic Updates" to "Secure only." (it was previously "Nonsecure and secure")
  • DHCP: Right click the respective DHCP Scope > Properties > DNS Tab > UNCHECK "Enable DNS dynamic updates according to the settings below"
  • DNS: Delete all records from the student subnets (from every DNS server)

But, in addition to all that, we also did the following:

  • DHCP: Delete all leases from each respective scope.

After doing the first three items, we sorted the DHCP leases by Lease Expiration. This showed new leases. We then checked DNS and saw that any new leases that were clearly non-domain devices (users-iphone.domain.com, bigdicksipad.domain.com [yup...college students...]) were NOT dynamically updating DNS.

So the first two of the first three actions we took actually worked. The issue we were having was that, after 15 or so minutes after the hour, every hour, 1400 new DNS records from the student subnets were getting repopulated into DNS and THAT'S what we couldn't figure out.

On a whim, we noticed that NEW, valid lease records' Owners were the devices themselves (domainworkstation01$), but RENEWED or OLD lease records were owned by either the DHCP server itself, or the domain account handling dynamic dns updates mentioned in a comment above (DHCP > Server > IPv4 (right click > Properties) > Advanced > Credentials...), or SYSTEM.

While those leases are fine, and will eventually drop off after expiration, what we found was that, while they were in DHCP, DHCP would create records based on those. What we did then was delete all the DHCP lease records in DHCP on the student subnet scopes, and then deleted the DNS records.

After checking this morning, I can see that only domain joined devices have DNS records on those student subnets (staff connecting to them).

Whew.

Thanks everyone for your input.

amoreno
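As an added example (not code from the question, this answer or its author) covering the three-step procedure in the question and the four-step recap above: a PowerShell script, assumed to run on the DHCP server with the DnsServer, DhcpServer and ActiveDirectory RSAT modules, that checks the zone and each student scope against those steps, reports the AD owner of every A record still inside a scope's address range (the ownership clue from the comments and the answer), and in non-dry-run mode removes the leases first and then the records. The zone name, DC name and scope IDs are placeholders.

```powershell
# Added example, not from the thread. Checks the hardening steps from the question and this
# answer for each student scope, shows who owns the A records still inside the scope's range
# (the ones that kept coming back were owned by the DHCP server or its DNS update account
# rather than by the client's own <host>$ account), then optionally clears leases and records.
Import-Module DnsServer, DhcpServer, ActiveDirectory

$Zone          = 'domain.com'                 # placeholder AD-integrated zone
$DnsServer     = 'dc01.domain.com'            # placeholder: one DC/DNS server (AD replicates the rest)
$StudentScopes = @('10.50.0.0', '10.51.0.0')  # placeholder: student DHCP scope IDs
$DryRun        = $true                        # set to $false to actually change and delete

function ConvertTo-UInt32 ([ipaddress]$Ip) {
    $b = $Ip.GetAddressBytes()                # dotted quad -> integer for range tests
    return ([uint64]$b[0] -shl 24) + ([uint64]$b[1] -shl 16) + ([uint64]$b[2] -shl 8) + [uint64]$b[3]
}

# Step 1: the zone must accept only secure (Kerberos-authenticated) dynamic updates.
$zone = Get-DnsServerZone -Name $Zone -ComputerName $DnsServer
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $Zone allows '$($zone.DynamicUpdate)' updates; should be Secure only"
    if (-not $DryRun) { Set-DnsServerPrimaryZone -Name $Zone -ComputerName $DnsServer -DynamicUpdate Secure }
}
$aRecords = Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -RRType A

foreach ($scopeId in $StudentScopes) {
    # Step 2: the DHCP server must not register records on behalf of clients in this scope.
    $dnsCfg = Get-DhcpServerv4DnsSetting -ScopeId $scopeId
    if ($dnsCfg.DynamicUpdates -ne 'Never') {
        Write-Warning "Scope $scopeId has DynamicUpdates=$($dnsCfg.DynamicUpdates); should be Never"
        if (-not $DryRun) { Set-DhcpServerv4DnsSetting -ScopeId $scopeId -DynamicUpdates Never }
    }
    # Records whose address falls inside this scope's range, grouped by the AD object owner.
    $scope = Get-DhcpServerv4Scope -ScopeId $scopeId
    $lo = ConvertTo-UInt32 $scope.StartRange; $hi = ConvertTo-UInt32 $scope.EndRange
    $inScope = @($aRecords | Where-Object {
        $n = ConvertTo-UInt32 $_.RecordData.IPv4Address; $n -ge $lo -and $n -le $hi })
    $inScope | ForEach-Object {
        [pscustomobject]@{ Host  = $_.HostName
                           IP    = $_.RecordData.IPv4Address.IPAddressToString
                           Owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner }
    } | Group-Object Owner | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
    # Steps 3 and 4: leases first (they are what the DHCP server keeps re-registering), then records.
    $leases = @(Get-DhcpServerv4Lease -ScopeId $scopeId)
    Write-Host ("Scope {0}: {1} lease(s) and {2} A record(s) in range" -f $scopeId, $leases.Count, $inScope.Count)
    if (-not $DryRun) {
        Remove-DhcpServerv4Lease -ScopeId $scopeId
        $inScope | Remove-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer -Force
    }
}
```

Leave $DryRun at $true for the first pass: the owner table alone shows whether the records in a scope belong to the clients themselves or to the DHCP server's update account.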