DJC,
You sound pretty much on target so far. The concept of a dynamic update is
that a client sends a modified DNS query that indicates to the DNS server that
its IP address has changed and it would like for the DNS server to update
itself. For example:
You have a file server named fs1.domainname.com. Its A record is currently
192.168.1.9. If you have a technician who accidentally configures a
computer with the same FQDN, then the workstation will update the DNS server
with its IP address (incorrect logically speaking since fs1.domainname.com
should be your file server). Clients attempting to resolve
fs1.domainname.com will no longer be directed to the file server but now to the
workstation. Could be a problem in most cases... More importantly, a rogue
machine could come online on your network attempting to spoof the name of a
server. Without some way of securing the process, this could be an issue.
RFC 2136 provides no way of securing this concept.
To stop this you obviously could just turn off DU (Dynamic Updates).
Problem solved. I assume you are using an Active Directory domain. If you
are, then every service record registered by those domain controllers would
have to be done by hand. Not a lot of fun, but with practice it isn't so bad.
Dynamic updates could be protected with tools such as 802.1x authentication or
even, for shock value, IPSec. This would stop rogue machines; however, the
bumbling technician issue would still raise its ugly head.
Now the ADIZ piece: since the DNS local system account had been updating the
zone file (%systemroot%\system32\dns\zonename.dns), any computer sending
the packet had access to this file since the local system account governed
the permissions. (Also admins and server operators do by default.) When we
store the zone database file in Active Directory, every DNS record now can
have its own set of permissions. This guarantees that a computer must
authenticate to Active Directory (Kerberos) to update its own DNS record. I
think you have the rest pretty well down pat, the security part that is.
Let me know if this helps.
alex k
"djc" wrote:
> I have gathered that active directory integrated zones are required for
> secure dynamic updates and that the owner of the dns record is the computer
> account that created it so only that account can subsequently update the
> record again... and in the case of dhcp server proxy updating, that dhcp
> server would be the owner (and the dhcp server should be added to the group
> that allows them to do this.. I can't think of the name of that group at the
> moment... dns update proxy or something like that)
>
> Is that the whole story or is there something else to a 'secure dynamic'
> update?
>
> 1) Why are active directory integrated zones required?
>
> 2) Unless I am remembering wrong, I believe that standard DNS zones have the
> options 'none' and 'secure and nonsecure' for dynamic updates... so what
> gives? What does 'secure' mean there?
>
> 3) Does 'secure' in the dynamic dns update context strictly mean that the
> owner of the record is the only one that can update it or is there something
> else to it?
>
> any info on this would be greatly appreciated. I'm just trying to tighten up
> my understanding of the subject.
>
>
>
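An added audit example, not part of this thread: it lists which zones on a Windows DNS server still accept nonsecure dynamic updates (the spoofing scenario above), then shows the owner and write-capable ACEs of one record's dnsNode object in Active Directory, which is the per-record permission set described for AD-integrated zones. It assumes the DnsServer and ActiveDirectory PowerShell modules on a domain controller; the zone and host names are placeholders taken from the example above.

```powershell
# Added example (not from the thread). Assumes DnsServer and ActiveDirectory
# modules are available; zone and record names below are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$ZoneName   = 'domainname.com'   # placeholder zone from the example above
$RecordName = 'fs1'              # placeholder host name

# 1. Primary zones whose DynamicUpdate setting is not 'Secure' let any client
#    on the network overwrite an A record, exactly the fs1 scenario above.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope |
    Format-Table -AutoSize

# 2. In an AD-integrated zone each record is a dnsNode object. Work out which
#    directory partition holds the zone so the object can be located.
$zone = Get-DnsServerZone -Name $ZoneName
$partition = switch ($zone.ReplicationScope) {
    'Domain' { 'DC=DomainDnsZones,' + (Get-ADDomain).DistinguishedName }
    'Forest' { 'DC=ForestDnsZones,' + (Get-ADRootDSE).rootDomainNamingContext }
    default  { 'CN=System,' + (Get-ADDomain).DistinguishedName }  # Legacy scope
}
$nodeDN = "DC=$RecordName,DC=$ZoneName,CN=MicrosoftDNS,$partition"

# 3. The owner is normally the computer (or DHCP server) account that
#    registered the record; any other principal with write rights can also
#    rewrite it, so review those ACEs when a record changes unexpectedly.
$acl = Get-Acl -Path "AD:\$nodeDN"
"Owner of $RecordName.$ZoneName : $($acl.Owner)"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'Write|GenericAll'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize
```

Records registered before a zone was switched to secure-only updates keep whatever owner and ACL they had at the time, so the ACE review in step 3 is worth running on critical names even after the zone setting is corrected.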