DNS hardening / question

I have an interesting problem or issue and need assistance on keeping this from happening again.

We have a server named "APPLE"  

Apple is a *nix server, but there is an A record in DNS for apple.

Everything was working fine, until a contractor with a computer named APPle attached to our network... Since it connected via wireless with the credentials it was able to connect.

It got its IP address from DHCP.... I am guessing DHCP or whatever updated the A record with his address...

(1) our DNS is set for secure and dynamic updates... what do I need to do to keep this from happening now or in the future..... Since I won't know all the computer names of unknown personnel connecting to our network...

Also need best practices on hardening DNS... any docs, step by step would be greatly appreciated.
footech Commented:
With your DHCP settings as is, the DHCP server is the one that is registering the DNS record for all DHCP clients.  The only way I see that you could have all non-domain machines not have a DNS record created would be to change the DHCP settings so that the option to dynamically update only if requested is checked, and the option to dynamically update for clients that do not request updates is unchecked.

With those settings, all Windows DHCP clients would be responsible for registering their own A records (PTR would still be created by DHCP), so with only secure updates allowed for the zone, only domain machines would have the necessary credentials.

However, depending on your environment, it may be desirable to leave your DHCP settings as is.  I think there's a bit of a trade-off one way or the other.

It may be better to just prevent existing static records from being overwritten by DHCP.  I would make sure that the DHCP server has credentials configured for DNS dynamic update.  You may also want to set the DNS option /OpenACLonProxyUpdates to 0.  See this link for recommendations.

You may also want to configure Name Protection in DHCP.
Is your DHCP running 2008 R2?  Is it also a DC?
Assumptions -

I assume you are using Windows 2003 or 2008 as the DNS server (you do not say but as you have them in your tags - I'm making a BIG assumption).

I assume the Server is on a fixed IP and not on DHCP.  You state that it has an 'A' record which would suggest this but is not a guarantee.

If this is the case in the DNS admin tool in windows there is a tick box where you reserve an address and 'lock it'
IndyrbAuthor Commented:
Yes 2003 and 2008

yes server is static...

I went to server name A record in dns manager.

right click and saw properties, I don't see where you lock the record.

I see update PTR record, and I see security tab...

The other thing, besides making all server A records secure,
is I don't want any non-domain computers to register their A record in DNS...
So this would prevent this issue.

But as I write that, do Linux, Unix, Solaris and such register their A record in DNS?
I still need them to access DNS.

Is there something in DHCP I need to do?

Still need DNS hardening docs/steps.
David Johnson, CD, MVP (Owner) Commented:
All servers should have static ip addresses, and have reservations in dhcp via their MAC address.  You can in your dhcp server setup the allowed MAC addresses/address ranges. Then in another DHCP server set it with a different network range and only exclude the other DHCP servers allowed MAC address.
IndyrbAuthor Commented:
Not sure I am following you... I want vendors to be able to connect and get an ip address and do whatever they ... I just don't want vendors updating dns records especially for computer aka server that are already in there.
David Johnson, CD, MVP (Owner) Commented:
How is their machine joining the domain? Somewhere down the road you've given them admin privileges to join their machine to the domain.  Why don't you just give them a userid that they can use to remote desktop into an existing machine?
IndyrbAuthor Commented:
No, not joining to the domain, just using DHCP to get an address and using its DNS servers to resolve and get access to the internet... They were never joined to the domain, and the users don't have admin access. I assume however, since it's their computer, they may have local admin permissions, but definitely not domain permissions.

But somehow, a non-domain computer, with a non-domain user connected to network, and with its DHCP assigned IP address, it updated the DNS record with the new IP address of his computer, removing the IP address of the server that has the same name....

I understand how to make DHCP reservations, I understand how to statically assign IPs.. and I understand how to create A and PTR records... that's not the issue.

I just need to prevent any non-domain computer from having the ability to write an A record to DNS, even though it got its IP address through our DHCP server.

Not sure if this helps, but in the DHCP properties:

Right click IPv4 - properties
Under the DNS tab
Enable DNS dynamic updates according to the settings below is checked...

The "Always dynamically update DNS A and PTR records" radio button is checked too

It also has "Discard A and PTR records when lease is deleted", and "Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)"; both options are checked too....

DNS zone, as mentioned, is set for dynamic updates: Secure Only
IndyrbAuthor Commented:
Yes the DHCP is a DC/DNS server.

How do you do name protection in DNS..
See the link I already posted for steps to set Name Protection.
IndyrbAuthor Commented:
Sorry, I hit submit too soon... Does this apply to Windows 2008 (non R2)?
I didn't see that option available in my screen.
It's not available in 2008.
IndyrbAuthor Commented:
I appreciate the instructions, links, and feedback
IndyrbAuthor Commented:
footech -- quick question

You recommend that unchecking
"Dynamically update DNS A and PTR records for DHCP clients that do not request updates"
on the DNS tab will fix our issue (correct?)

I accepted solution, but wanted to verify

or does it also need the dnscmd on the forward lookup zone too.
I mentioned that the DHCP servers are not 2008 R2, nor is the domain\forest functional level, so as you verified, the "configure protected name" option is not available in regular 2008... but is the dnscmd

dnscmd /config /OpenAclOnProxyUpdates 0 available on 2008, and will it also work with mixed Win 2003 DCs?

Is this just an extra step of security, or a necessity for preventing BYOD devices that are not part of the domain from updating DNS records... or is unchecking "DHCP registers on its behalf" sufficient?  Thanks again for your thoughts and comments.
That's only a piece of what I said.  That option may help you depending on what type of clients you have.  The two settings I mentioned affect whether DHCP registers the DNS record on behalf of the client or not.

Test these settings for yourself in a lab to observe their effects.  Understand how secure dynamic updates work.

You may want to check out the following article.  It covers a lot of aspects of DNS, and specifically has sections that talk about DNS dynamic updates and DHCP.

To the best of my knowledge /OpenAclOnProxyUpdates is only available on 2008 R2 DNS servers.
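The settings footech walks through (DHCP registering only on client request, not registering for clients that don't ask, Name Protection, a Secure-only zone, and the /OpenAclOnProxyUpdates switch quoted above) can be audited and applied as one script. This is an added example, not code from the thread or from Microsoft's documentation; it assumes Windows Server 2012 or later with the DhcpServer and DnsServer PowerShell modules (the 2003/2008 servers in the thread expose the same checkboxes only through the MMC), and the zone name, DHCP host and record name are placeholders.

```powershell
# Added example: audit, then harden, DHCP/DNS dynamic-update behaviour.
# Assumes Windows Server 2012+ with the DhcpServer and DnsServer modules (RSAT).
$ZoneName   = 'corp.example'       # placeholder: AD-integrated forward lookup zone
$DhcpServer = 'dc1.corp.example'   # placeholder: the DHCP/DNS/DC host from the thread
$StaticHost = 'apple'              # the static server record that was overwritten

# 1. Record the server-level DHCP DNS settings before changing anything.
$before = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
Write-Host 'Current DHCP DNS settings:'
$before | Format-List DynamicUpdates, UpdateDnsRRForOlderClients,
                      DeleteDnsRROnLeaseExpiry, NameProtection

# 2. Make DHCP register only when the client asks, and never for clients that
#    don't ask. A non-domain laptop then has to register itself, which a
#    Secure-only zone refuses because it holds no domain credentials.
#    DynamicUpdates OnClientRequest  = "Dynamically update only if requested by the DHCP clients"
#    UpdateDnsRRForOlderClients $false = uncheck "update for clients that do not request updates"
#    NameProtection $true            = the 2008 R2+ Name Protection (DHCID) option from the thread
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -UpdateDnsRRForOlderClients $false `
    -DeleteDnsRROnLeaseExpiry $true `
    -NameProtection $true

# 3. Confirm the zone only accepts secure (Kerberos-authenticated) updates.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "Zone $ZoneName allows '$($zone.DynamicUpdate)' updates; switching to Secure."
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

# 4. Keep records that DHCP registered as a proxy from getting an open ACL
#    (the dnscmd switch quoted in the thread; run on the DNS server).
dnscmd /config /OpenAclOnProxyUpdates 0

# 5. Verify the static record still points where it should.
Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $StaticHost -RRType A |
    Select-Object HostName, @{n='IPv4'; e={ $_.RecordData.IPv4Address }}, Timestamp
```

The trade-off footech notes applies here: once DHCP stops registering for clients that don't request it, Linux and other non-Windows clients that never send a DHCP DNS update request will have no A record at all, so if those hosts must resolve by name, give them static records or let DHCP keep proxy registration and rely on Name Protection plus the OpenAclOnProxyUpdates setting instead.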