
First off, I'm sorry if this is vague, but I'm not very familiar with DNS or DNS terminology.

What I'm trying to do:

I want to limit what hostnames are allowed to dynamically update DNS. I don't want to end up with a malicious user sending a dynamic DNS update with the same hostname as a domain controller or radius server or something.

Here's why this is a problem:

We run a mixed environment shop and have a lot of devices that aren't tied to AD, so I can't limit DNS updates to secure-only.

Can someone please tell me how to fix this and what it's called? DNS is running on Windows Server 2008 R2 domain controllers.

Avery Abbott
  • Off the top of my head you can control it on the client but nothing prevents them from changing it back. – TheCleaner Nov 18 '14 at 19:49
  • ` I don't want to end up with a malicious user sending a dynamic DNS update with the same hostname as a domain controller or radius server or something` - Not to question the validity of your question but is this an actual problem that you're dealing with/seeing or is it just a worry that you have? – joeqwerty Nov 18 '14 at 20:15
  • It's a concern my boss has, and he's the former security guy here. – Avery Abbott Nov 18 '14 at 20:19
  • Uhuh. Why is it that management never thinks to put anyone with any platform-familiarity in charge of security? Or is that why he's the *former* security guy over there? – HopelessN00b Nov 19 '14 at 05:15

2 Answers


Windows DNS entries have ACLs. Check and/or set them.


Generally speaking, dynamically updated hostnames/A records allow anyone to update them, but static ones do not, but either way, this behavior is configurable.

When creating a new A record/hostname entry, you have the option to either allow any authenticated user to modify the record or not:


And it sounds like "not" is what you'd prefer. Lucky for you, that's the default.

In fact, the default settings work pretty well, in that they won't allow just anyone to poison the DNS records, or take over a domain controller's A record in the DNS table by simply renaming their machine and performing a dynamic DNS update. So unless your DNS environment has been explicitly configured in a particularly poor and very specific way, you and your boss don't have anything to worry about.

But don't take my word for it... check the ACLs yourself, and try to hijack a domain controller's (or whatever else's) DNS records with an unauthenticated client.

HopelessN00b

Resolving Name Conflicts

If during dynamic update registration a client determines that its name is already registered in DNS with an IP address that belongs to another computer, by default the client attempts to replace the registration of the other computer's IP address with the new IP address. This means that for zones that are not configured for secure dynamic update, any user on the network can modify the IP address registration of any client computer. For zones that are configured for secure dynamic update, however, only authorized users are able to modify the resource record.

You can change the default setting so that instead of replacing the IP address, the client backs out of the registration process and logs the error in Event Viewer. To do so, add the DisableReplaceAddressesInConflicts entry with a value of 1 (DWORD) to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The entry can be 1 or 0, which specify one of the following:

1. If the name that the client is trying to create already exists, the client does not try to overwrite it.

0. If the name that the client is trying to create already exists, the client tries to overwrite it. This is the default value.

(Technet)

TheCleaner
  • From what I understand, this is a setting on the client, right? – Avery Abbott Nov 19 '14 at 04:16
  • Yes, it is. If you allow non-secure updates (meaning no authentication at all during an update) on the server then this is the only method I know of to prevent this. You could look into having a separate DNS zone for your non-AD computers and then adding in an extra DNS search suffix for them to short name query the AD zone if you want. – TheCleaner Nov 19 '14 at 14:02
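As an added example (not code from either answer or from Microsoft), the PowerShell below ties both answers together for a defender: it audits which principals hold write rights on each record in an AD-integrated zone, so you can spot records that broad groups such as Authenticated Users could overwrite, and it sets the client-side `DisableReplaceAddressesInConflicts` value quoted above. The zone DN (`example.com` in the `DomainDnsZones` partition) is an assumed placeholder; adjust it to your forest.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) and an AD-integrated zone
# stored in the DomainDnsZones partition. Run on a DC or management host as an admin.
Import-Module ActiveDirectory

function Get-DnsRecordWriters {
    param(
        # Assumed placeholder DN for the zone container; replace with your own.
        [string]$ZoneDn = 'DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com'
    )
    # Any of these rights lets a principal change the record's data.
    $writeRights = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
                   [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    Get-ADObject -SearchBase $ZoneDn -SearchScope OneLevel -Filter 'objectClass -eq "dnsNode"' |
        ForEach-Object {
            $node = $_
            # Each dnsNode object carries its own ACL, read through the AD: drive.
            $acl = Get-Acl -Path ("AD:\" + $node.DistinguishedName)
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    (($ace.ActiveDirectoryRights -band $writeRights) -ne 0)) {
                    [pscustomobject]@{
                        Record    = $node.Name
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.ActiveDirectoryRights
                    }
                }
            }
        }
}

function Set-DnsConflictProtection {
    # Client side: make the DNS client back out instead of overwriting an
    # existing registration of its own name (the Technet setting above).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    New-ItemProperty -Path $key -Name 'DisableReplaceAddressesInConflicts' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # Return the stored value so the change can be verified (expect 1).
    (Get-ItemProperty -Path $key).DisableReplaceAddressesInConflicts
}

# Records that broad groups can overwrite are the ones the question worries about.
Get-DnsRecordWriters |
    Where-Object { $_.Principal -match 'Authenticated Users|Everyone' } |
    Format-Table -AutoSize
```

Records registered through secure dynamic update normally grant write only to the registering computer account, so anything that shows up in that filtered list deserves a look at how it was created.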