
Network World

Glenn Weadock

Secure Updates in Server 2008 DNS

Striking a compromise between security and ease of administration

By Glenn Weadock on Fri, 11/13/09 - 2:35pm.

One of the big benefits of combining AD and DNS on the same system using Active Directory Integrated (ADI) zones is that you can specify that dynamic updates should be “secure.” Secure dynamic updates are a property of the zone: the choice (none, nonsecure and secure, or secure only) is offered in the New Zone wizard, and you can change it later either through the DNS administrative console or with the DNSCMD command line tool.

Dynamic updates (detailed in the RFC 2136 standard document) mean that when a client registers, or changes its IP address, it can send an update message to the DNS server and the zone is modified automatically, with no administrator involvement. With an ADI zone, when a machine makes a secure dynamic update, its computer account becomes the owner of the associated resource record; in ADI zones each record is stored as a dnsNode object in Active Directory, and the ownership and permissions are kept on that object. (Try it and see.) That machine can submit future updates (e.g. a new IP address) because it’s the owner, but other machines can’t update that machine’s resource record.

If you look at the access control list for an ADI zone or for an individual record in an ADI zone, you can see exactly who has rights to add and modify records. Basically this mechanism prevents machine A from modifying machine B’s DNS registrations. It also prevents any entity which doesn’t have a legitimate AD account from performing DNS dynamic updates, because a secure update is authenticated with Kerberos (the GSS-TSIG mechanism, RFC 3645) before the server consults that ACL. One caveat worth knowing: the default ACL on an ADI zone grants Authenticated Users the right to create child objects, so any domain member can still register a brand-new record for a name nobody has claimed yet. “Secure” protects the ownership of existing records; it does not by itself restrict who may add new names, and if that matters to you, tighten the zone’s ACL.
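The following PowerShell script is an added example and is not part of the original post. It sets a zone to secure-only updates with DNSCMD (the tool the post mentions), then reads the owner and permissions of one registered record, and of the zone container, straight out of Active Directory with ADSI, so you can see the ownership and ACL behaviour described above. The zone name corp.example.com, the host pc01, the domain DN, and the DomainDnsZones storage location are all assumptions; substitute your own, and run it elevated on a domain controller that runs the DNS service.

```powershell
# Added example (not from the original post). Assumptions: the ADI zone
# "corp.example.com" is replicated to all DNS servers in the domain and therefore
# stored in the DomainDnsZones application partition, and the host "pc01" has
# already registered an A record by dynamic update. Run elevated on a DC/DNS server.

$Zone     = "corp.example.com"                 # assumed zone name
$HostName = "pc01"                             # assumed host that registered itself
$DomainDN = "DC=example,DC=com"                # assumed DN of the domain that owns the zone

# DNSCMD /AllowUpdate values: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only.
dnscmd /Config $Zone /AllowUpdate 2

# Confirm the setting. /ZoneInfo lists the zone's properties, including the update mode.
dnscmd /ZoneInfo $Zone | Select-String -Pattern "update"

# In an ADI zone every record is a dnsNode object under the zone's dnsZone container.
# Zones stored in the domain partition instead (the older default) live under
# CN=MicrosoftDNS,CN=System,<DomainDN>; adjust the path if that is your case.
$ZoneDN = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
$NodeDN = "DC=$HostName,$ZoneDN"

$Node = [ADSI]"LDAP://$NodeDN"
$Sec  = $Node.psbase.ObjectSecurity

# The account that created the record by secure update is recorded as the owner.
"Owner of $HostName.$Zone : " + $Sec.GetOwner([System.Security.Principal.NTAccount])

# The record's ACL: who may modify or delete this particular registration.
$Sec.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Format-Table -AutoSize

# The zone container's ACL decides who may create NEW records. Look for CreateChild
# entries here; by default Authenticated Users holds that right.
$ZoneObj = [ADSI]"LDAP://$ZoneDN"
$ZoneObj.psbase.ObjectSecurity.Access |
    Where-Object { $_.ActiveDirectoryRights -match "CreateChild" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
    Format-Table -AutoSize
```

To switch dynamic updates off altogether, which the post discusses below, use `/AllowUpdate 0` in the first DNSCMD line instead of 2.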

Secure updates are only available with ADI zones, and that’s probably the single most compelling reason to use such zones, given that tampering with an organization’s DNS database can be a pretty effective technique for disrupting an Active Directory network. However, you also have the option of turning off dynamic update entirely, which will increase security even more, at the cost of additional manual administration overhead. Bear in mind that domain controllers register their own SRV and A records dynamically through the Netlogon service, so if you disable dynamic update on the zones that hold those records (including _msdcs), you take on maintaining them by hand as well.

About Glenn Weadock on Windows Server 2008

Glenn Weadock is a longtime instructor for Global Knowledge and teaches Windows 7, Server 2008, and Active Directory. He has recently co-developed with Mark Wilkins two advanced Server 2008 classes in the Microsoft Official Curriculum. Glenn also consults through his Colorado-based company Independent Software, Inc. and is technical director of MarketCoach Investment Education Software LLC.
