So, reading a bit more about DNS, I thought I'd write a little about the secure DNS update feature.
When the zone properties of an Active Directory integrated zone are set to allow only secure updates, Kerberos is used to authenticate the client submitting the update.
One thing to keep in mind is that legacy clients (think pre-Windows 2000 systems) cannot perform dynamic updates at all, in which case the DHCP server can be configured to update the DNS records on the legacy client's behalf.
Good things about secure updates.
Because it uses the Kerberos protocol, you can be sure that the client has authenticated to the domain and has a valid computer account (have a look at my Kerberos tutorial for more info).
So that's the good stuff. Now consider the consequence of Kerberos being used to authenticate the client. Take a Windows 98 box: it cannot perform dynamic updates of any kind, so a DHCP server registers the DNS records for it (if configured to do so). Because Kerberos authenticates the originating client, the DHCP server then becomes the owner of that record. And here a slight issue arises from a good idea: the owner of a record is the only client that can update that resource record in DNS (from an automagical system point of view).
Now consider that the Windows 98 box is upgraded to Windows XP (unlikely, I know, because of the probable age of the hardware, but still worth knowing for the exam). The upgraded Windows XP box can perform its own dynamic updates. So XP boots, attempts to update its DNS record and... it fails, because the owner of the DNS record is the DHCP server that used to handle updates for it when it was running Windows 98. In that case someone has to manually delete the record and either recreate it correctly or reboot/renew the client PC so that it attempts to update DNS again.
This can be resolved by adding the DHCP server to a group called DnsUpdateProxy, which stops the owner information being set when the client or DHCP server performs a DNS update.
Also worth a thought is what happens if you have a network with one DHCP server, 200 Windows XP boxes and 50 Windows 98 boxes. On Friday evening (it always happens on a Friday) your DHCP server explodes magnificently, and you receive a phone call just after you've popped the lid on your favourite beer.
So you drag yourself back to work, commission another server as a DHCP server, reconfigure the scopes and then go home for what's left of your weekend.
Eventually you will notice that none of the Windows 98 boxes are getting their records updated, because all those records were owned by the DHCP server that is now being used as your deskside cupholder. So you will have to manually delete all those DNS records and get the new DHCP server to re-register the DNS records for the clients. This can be avoided if you use the DnsUpdateProxy group, because DNS will then not know who the owner of the record was, only that the update was authenticated by Kerberos.
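As an added example (not from the original post), here is how an admin could see the blast radius described above before the DHCP server dies: list which records in the AD-integrated zone are owned by the DHCP server's computer account, and check whether that server is in DnsUpdateProxy. It assumes the ActiveDirectory and DnsServer RSAT modules, a zone stored in the DomainDnsZones partition, and placeholder zone, domain and server names.

```powershell
# Added example, not the original post's code. Placeholders: change to suit.
Import-Module ActiveDirectory
Import-Module DnsServer

$ZoneName   = 'corp.example'        # placeholder AD-integrated zone
$DomainDN   = 'DC=corp,DC=example'  # placeholder domain DN
$DhcpServer = 'DHCP01'              # placeholder DHCP server host name

# AD-integrated zones are stored as dnsNode objects under CN=MicrosoftDNS
# in the DomainDnsZones application partition.
$ZoneDN = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

$records = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
    -Filter 'objectClass -eq "dnsNode"' -Properties name

# The owner of each record is the security principal that registered it
# (a client's computer account, or the DHCP server that registered it on
# the client's behalf). Read it from the object's security descriptor.
$report = foreach ($r in $records) {
    $acl = Get-Acl -Path "AD:$($r.DistinguishedName)"
    [pscustomobject]@{ Record = $r.name; Owner = $acl.Owner }
}

# Records owned by the DHCP server's computer account (DOMAIN\DHCP01$) are
# the ones that stop updating when that server is rebuilt or a client is
# upgraded to an OS that registers itself.
$dhcpOwned = $report | Where-Object { $_.Owner -like "*\$DhcpServer`$" }
$dhcpOwned | Sort-Object Record | Format-Table -AutoSize

# Members of DnsUpdateProxy register records without taking ownership, so
# the failure modes above do not apply to records they create.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty Name
if ($proxyMembers -notcontains $DhcpServer) {
    Write-Warning ("{0} is not in DnsUpdateProxy; {1} record(s) are tied to its account" `
        -f $DhcpServer, @($dhcpOwned).Count)
}
```

One caveat a practitioner should weigh: records registered by DnsUpdateProxy members carry no owner, so any authenticated client can update them, which trades the stale-ownership problem for weaker protection of those records.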