Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

Vinny Abello vinny at tellurian.com
Mon Feb 9 03:09:26 UTC 2009


> -----Original Message-----
> From: Danny Mayer [mailto:mayer at gis.net]
> Sent: Sunday, February 08, 2009 9:57 PM
> To: Vinny Abello
> Cc: Baird, Josh; bind-users at lists.isc.org
> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices
> ForCoexisting
> 
> Vinny Abello wrote:
> >> -----Original Message-----
> >> From: Danny Mayer [mailto:mayer at gis.net]
> >> Sent: Sunday, February 08, 2009 8:32 PM
> >> To: Vinny Abello
> >> Cc: Baird, Josh; bind-users at lists.isc.org
> >> Subject: Re: Case For Microsoft DNS v. BIND 9 - Or Best Practices
> >> ForCoexisting
> >>
> >> Vinny Abello wrote:
> >>>> Baird, Josh wrote:
> >>>>> Actually, yes, if you have dynamic DNS registration enabled on
> the
> >>>> client/host and server, an 'A' record will automatically be
> created
> >> in
> >>>> the AD zone.
> >>>> It needs to be registered in the domain first. Otherwise any
> system
> >>>> could mascarade as another system.
> >>>>
> >>>> Danny
> >>> And they can if the administrator mistakenly allows unsecure
> dynamic
> >> updates.
> >> Registration of the system in ADS has nothing to do with dynamic
> >> updates
> >> of the DNS records.
> >
> > Right. We're talking about dynamic updates in DNS, not the creation
> > of
> computer accounts in AD. That was my point. If the allow dynamic
> updates
> setting is not set to secure only, anybody that can send a DDNS update
> to the server can update a record.
> >
> 
> Microsoft's implementation of dynamic DNS requires that the client use
> the GSS-TSIG protocol and the prerequisite for that is that the client
> system is registered with ADS. After that it makes use of the GUID in
> the GSS-TSIG protocol to register the DNS records for the system. If
> the
> system is not registered it cannot use GSS-TSIG.

Right, IF secure dynamic updates are enabled. If secure updates aren't used, GSS-TSIG isn't needed. If you simply enable dynamic updates on a domain "Yes" vs "Secure Only", anyone can update it. I've seen it, done it, and it is documented in an extreme example by Mark Minasi in a test domain he had registered in his "Mastering Windows 2000" books. He used this domain for his testing, did not have it set to secure dynamic updates on his server, and had it publicly accessible. He also used this example domain in his books. As a result of many of his readers following his domain name example in his book, he had hundreds of host names registered on his DNS server when he looked at it one day. None of which corresponded to computer accounts in Active Directory. He promptly reconfigured to set the domain to "secure only" dynamic updates and it resolved these occurrences.

So, not that this has to do with BIND, but ALWAYS make sure you set your domain to allow dynamic updates using "secure only".

-Vinny



More information about the bind-users mailing list