

DNS Records and Security

Friday, October 28, 2011

Understanding how clients dynamically update their DNS records helps prevent failures caused by poorly managed DNS zones and records. Many DNS administrators find the dynamic DNS update process and the aging/scavenging process difficult to understand and manage correctly. This article explains the relationship between DNS record security (the permissions on each record) and record updates, so that you can avoid problems such as clients being unable to update their own DNS records, or records for legitimate domain computers being scavenged.

When a client registers a new DNS record in a zone with aging enabled, the record receives a time stamp and the No-refresh interval begins; it is seven (7) days by default. If the client re-registers the same record with the same data during the No-refresh interval, the server accepts the refresh but does not update the record's time stamp until the Refresh interval begins. This suppresses unnecessary writes and, for AD-integrated zones, the Active Directory replication traffic that every time stamp change would otherwise generate. Note that an update that actually changes the record data (for example, a new IP address) always updates the time stamp, even during the No-refresh interval.

During the Refresh interval, also seven (7) days by default, a refresh from the client does update the time stamp. A record becomes eligible for scavenging once the current time exceeds its time stamp plus the No-refresh and Refresh intervals (14 days by default). Scavenging itself runs on the DNS server according to the server's scavenging period, and only for zones with aging enabled (and, if the zone restricts scavenging to specific servers, only on those servers); static records have no time stamp and are never scavenged. This process works well when the correct security permissions are in place on the DNS client records, because a client that lacks permission to refresh its record cannot keep its time stamp current and the record is eventually deleted.
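As an added example (not part of the original article), the following PowerShell audits the aging settings described above and lists the records that are already eligible for scavenging. It assumes the DnsServer module (Windows Server 2012 or later) and a zone named contoso.com hosted on the local server; both are placeholders to adjust for your environment.

```powershell
# Added example: audit aging/scavenging on a zone and list records that are
# already past their No-refresh + Refresh window.
# Assumes the DnsServer module and a zone named contoso.com on this server.
Import-Module DnsServer

$zone = 'contoso.com'

# Zone-level aging settings: whether aging is on, the two intervals, and
# which servers may scavenge the zone (empty = any server with scavenging on).
$aging = Get-DnsServerZoneAging -Name $zone
$aging | Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# Server-level scavenging period; scavenging never runs while this is zero.
Get-DnsServerScavenging | Format-List ScavengingState, ScavengingInterval, LastScavengeTime

# A record is eligible for scavenging once now > Timestamp + NoRefresh + Refresh.
# Static records have no Timestamp and are skipped by the -and test.
$cutoff = (Get-Date) - $aging.NoRefreshInterval - $aging.RefreshInterval
Get-DnsServerResourceRecord -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } } |
    Sort-Object Timestamp

# A time stamp stuck in the past on a host that is still online is the symptom
# of a client that cannot refresh its own record (usually a permissions problem
# on the record). Find those before scavenging deletes a legitimate computer.

# To enable aging with the defaults used in this article (7 days / 7 days) and a
# 7-day scavenging period on the server, uncomment the two lines below:
# Set-DnsServerZoneAging -Name $zone -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
# Set-DnsServerScavenging -ScavengingInterval 7.00:00:00 -ApplyOnAllZones
```

Run it read-only first; the two commented lines change server state and should only be enabled once the list of stale records contains nothing you still need.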

When a DNS client or a DHCP server performs a secure dynamic update against an AD-integrated zone, the account that registered the record is added to the record's permissions: for a client, Client_Computer_Name$; for a DHCP server, DHCP_Computer_Name$. Therefore, only the security principal that registered the DNS record can later update it. Two scenarios commonly break this:

Computer account deleted and recreated. Computer accounts are security principals, so deleting the object and recreating it for the same computer produces a NEW object with a different SID. The permissions on the existing DNS record still reference the old SID, so the rebuilt computer cannot update its own record, and the record eventually ages out. Delete the stale record (or grant the new computer account permission on it) so that the client can register again.

DHCP server configured after the client has already registered. If the client registered its own record first, Client_Computer_Name$ owns it. When you later configure the DHCP service to update DNS records on behalf of clients, the DHCP server's computer account has no permission on that existing record, and its update fails.

When the DNS client is configured with a static IP address, it registers both its host (A) resource record and its pointer (PTR) resource record on the DNS server itself, and adds the Client_Computer_Name$ account with Full Control permissions to each record.
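The deleted-and-recreated computer account scenario above leaves a record whose permissions name a SID that no longer exists. As an added example (not from the original article), the following PowerShell inspects the permissions on a record's object in Active Directory, finds the orphaned SID, and grants the recreated computer account the Full Control it would have received had it registered the record itself. It assumes the ActiveDirectory module (for the AD: drive), an AD-integrated zone contoso.com stored in the DomainDnsZones partition, and a client named client01; all of these are placeholders.

```powershell
# Added example: repair the ACL on a DNS record after its owning computer
# account was deleted and recreated with a new SID.
# Assumes the ActiveDirectory module, zone contoso.com in DomainDnsZones, and a
# client named client01 (placeholders).
Import-Module ActiveDirectory

$zone     = 'contoso.com'
$hostName = 'client01'                              # $host is reserved; do not use it
$domainDn = (Get-ADDomain).DistinguishedName         # e.g. DC=contoso,DC=com

# Each record name in an AD-integrated zone is a dnsNode object under
# CN=MicrosoftDNS in the zone's application partition.
$nodeDn = "DC=$hostName,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$acl    = Get-Acl -Path "AD:\$nodeDn"

# Identities that no longer resolve are shown as raw SID strings (S-1-5-21-...):
# that is the deleted computer account still named in the record's ACL.
$orphans = $acl.Access | Where-Object { $_.IdentityReference.Value -like 'S-1-5-21-*' }
"Owner: $($acl.Owner)"
$orphans | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# Grant the recreated computer account GenericAll (Full Control) on the record
# and drop the dead SID entries.
$computer = Get-ADComputer -Identity $hostName
$rights   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$type     = [System.Security.AccessControlType]::Allow
$rule     = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $computer.SID, $rights, $type
$acl.AddAccessRule($rule)
foreach ($o in $orphans) { $null = $acl.RemoveAccessRule($o) }
Set-Acl -Path "AD:\$nodeDn" -AclObject $acl

# Alternative that needs no ACL surgery: delete the stale record and have the
# client re-register it (ipconfig /registerdns on the client).
# Remove-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $hostName -Force
```

If the zone replicates forest-wide, substitute DC=ForestDnsZones for DC=DomainDnsZones in the path; legacy zones stored in the domain partition live under CN=MicrosoftDNS,CN=System instead.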

To have the DHCP service register client DNS records, add the DHCP server's computer account to the DnsUpdateProxy security group and configure the DNS settings in the DHCP server's properties. Be aware that records registered by members of DnsUpdateProxy are not secured by an owner ACL, so any authenticated user can take ownership of them; Microsoft therefore recommends also configuring a dedicated user account under the DHCP server's DNS dynamic update credentials (records are then owned by that account) and not adding a domain controller to DnsUpdateProxy. Two combinations of settings are relevant:

  • "Enable DNS dynamic updates according to the settings below" with "Dynamically update DNS A and PTR records only if requested by the DHCP clients"
    In this case, the DNS client registers the host (A) resource record and adds the Client_Computer_Name$ account with Full Control permissions to that record. The DHCP server registers the pointer (PTR) resource record and adds the DHCP_Computer_Name$ account with Full Control permissions to that record.
  • "Enable DNS dynamic updates according to the settings below" with "Always dynamically update DNS A and PTR records"
    In this case, the DHCP server registers both the host (A) resource record and the pointer (PTR) resource record, and adds the DHCP_Computer_Name$ account with Full Control permissions to both records.
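The DHCP-side configuration above, as an added example that is not part of the original article, done in PowerShell. It assumes the DhcpServer and ActiveDirectory modules (Windows Server 2012 or later), a DHCP server named DHCP01, and a dedicated low-privilege domain user CONTOSO\svc-dhcp-dns for dynamic updates; the names are placeholders.

```powershell
# Added example: configure a DHCP server to register DNS records on behalf of
# its clients without leaving the records unsecured.
# Assumes the DhcpServer and ActiveDirectory modules, a DHCP server DHCP01 and a
# dedicated update account CONTOSO\svc-dhcp-dns (placeholders).
Import-Module DhcpServer, ActiveDirectory

$dhcpServer = 'DHCP01'

# 1. DnsUpdateProxy membership lets the DHCP server register records that the
#    client can later take over (for example, when it moves to a static address).
Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members (Get-ADComputer -Identity $dhcpServer)

# 2. Records created by DnsUpdateProxy members carry no owner ACL. Binding a
#    dedicated user account makes that account the owner of the records the
#    DHCP server registers, so they are no longer open to any authenticated user.
$cred = Get-Credential -UserName 'CONTOSO\svc-dhcp-dns' -Message 'DNS dynamic update account'
Set-DhcpServerDnsCredential -ComputerName $dhcpServer -Credential $cred

# 3. "Enable DNS dynamic updates" with "only if requested by the DHCP clients":
#    the client registers A, the DHCP server registers PTR. Use
#    -DynamicUpdates Always for the second option in the article, where the
#    DHCP server registers both A and PTR.
$dnsSettings = @{
    ComputerName               = $dhcpServer
    DynamicUpdates             = 'OnClientRequest'
    DeleteDnsRROnLeaseExpiry   = $true    # clean up records when the lease ends
    UpdateDnsRRForOlderClients = $false   # register only for clients that ask
}
Set-DhcpServerv4DnsSetting @dnsSettings

# Verify the result.
Get-DhcpServerv4DnsSetting -ComputerName $dhcpServer
Get-DhcpServerDnsCredential -ComputerName $dhcpServer
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

The update account only needs to be an ordinary domain user; it gains rights on individual records as it creates them, which is exactly the least-privilege outcome the record ACLs are meant to enforce.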

With proper configuration and management of your DNS records and their permissions, the dynamic update and aging/scavenging processes should work reliably in your environment.
