Skip navigation
QA

DNS Update Credentials vs. DnsUpdateProxy

Q: Does setting DNS dynamic update credentials on DHCP achieve the same result as adding a DHCP server to the DnsUpdateProxy group?

A: The short answer is no; however, it's important to step back and understand how DNS interacts with DHCP regarding dynamic updates, then look at what each of the two actions mentioned in the title actually does—namely, setting DNS dynamic update credentials on DHCP and adding a DHCP server to the DnsUpdateProxy group.

Dynamic DNS is a feature that allows hosts to register their records in DNS, thus removing the need for administrators to manually create records. In addition, Secure Dynamic Update can be required for zones that are Active Directory-integrated (and should be required, per best practices), which allows only members of the Authenticated Users group to register records. Those records have an ACL on them to stop registered records from being hijacked by other hosts.

When DHCP is used to allocate IP addresses, the default configuration is shown below—which tells the DHCP server to register records in DNS on behalf of clients only if requested to do so by the client or if the client is unable to dynamically register (e.g., Windows NT 4.0).

What this means in practice is the following:

  • The host will register its own A (host) record, which is logical because the host owns its name and should own its host record.
  • The DHCP server will register the PTR (reverse-looking) record, which is logical because the DHCP server owns the IP address.

This means the DHCP server computer account will own certain records in DNS, such as the PTR records and even some A records for older hosts. (However, it's unlikely that you would have many NT 4.0 hosts in your environment.) This can cause the following  two problems:

  1. If you have multiple DHCP servers—even in a cluster—and perhaps your primary DHCP server fails and you have to move the scope to a second DHCP server, that second DHCP server wouldn't have rights to change the DNS records created by the primary DHCP server, which is a problem.
  2. If you did have NT 4.0 hosts that are now upgraded to a newer operating system, those newer operating systems wouldn't have permission to update the host records that were previously registered on their behalf by the DHCP server.

For this reason, DHCP servers could be added to a group called DnsUpdateProxy. When a DHCP server is added to the DnsUpdateProxy group, its records aren't secured, meaning that other DHCP servers can update the records. In additon, hosts can change the records and then become the owner of the record. (The first update to a record that isn't a member of DnsUpdateProxy becomes the owner.) This is very dangerous if a DHCP server is also a domain controller because it means that all the Active Directory records for that domain controller are written with no security and can therefore be overwritten by other hosts (although an additional setting, OpenACLOnProxyUpdates, helps prevent this by stopping records from being overwritten by any server that isn't a member of DnsUpdateProxy group when set to a value of 0).

There's a better solution, however, which also solves the issue of DHCP running on a domain controller. This solution is to specify credentials for the DNS dynamic update, which is set on the Advanced tab's IPv4 properties. You should specify a regular Active Directory user with no special privileges, but the password should be set to never expire (or you should have a really good process to update it periodically!). You would then specify this configuration on all DHCP servers so that all DHCP servers use the same account to perform DNS updates. This means all DNS records registered by the DHCP servers would be owned by the specified account that is common to all DHCP servers.

Using a credential for the DHCP server doesn't solve the problem of transferring ownership of DNS records for hosts upgrading from NT 4.0; however, this is highly unlikely to still be a concern for organizations today.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish