Configuring Dynamic Updates with DHCP
By default, post-Windows 2000 DHCP clients attempt to perform dynamic updates of their host (A) resource records in DNS whenever an address event (such as an address renewal) occurs. However, these same clients do not attempt to perform dynamic updates of their PTR resource records; instead, post-Windows 2000 DHCP clients request that the DHCP server attempt to update their PTR resource records in DNS on behalf of the client.
Default DNS Update Settings for DHCP Servers
By default, a DHCP server registers records on behalf of a DHCP client only according to the client request. That is, because the DHCP client by default requests that the server update only the client's PTR resource records, the DHCP server attempts only this type of update. However, a server can also be configured to attempt an update of both A and PTR resource records, regardless of the client request. This behavior is determined by the settings on the DNS tab of the DHCP server properties dialog box, shown in Figure 1.
Note
These settings can also be configured in the scope properties dialog box or the reservation properties dialog box.
When the Enable DNS Dynamic Updates According To The Settings Below check box is selected, which is the default, dynamic update is enabled for the DHCP server. When it is enabled, one of two options is specified. If the first option, the default, is selected (shown in Figure 1), the DHCP server attempts to update resource records only according to the client's request. When you select the second option, the DHCP server always attempts to update the client's A and PTR resource records after an address event, regardless of the client request. However, this setting is significant only for DHCP clients capable of requesting dynamic updates, including computers running Windows 2000, Windows XP, or Windows Server 2003.
When you clear the Enable DNS Dynamic Updates According To The Settings Below check box, the DHCP server never attempts dynamic updates on behalf of Windows 2000, Windows XP, or Windows Server 2003 clients.
Another setting you can configure on the DNS tab of the DHCP server properties dialog box is the Discard A And PTR Records When Lease Is Deleted check box. By default, this check box is selected, which means that the DHCP server removes clients' resource records from DNS when their DHCP address leases are deleted. However, by clearing this check box, you can configure the DHCP server to leave client records in DNS even when a client's DHCP address lease is deleted.
The final dynamic update setting you can configure on this tab determines whether the DHCP server should provide dynamic DNS update service on behalf of DHCP clients not capable of performing dynamic updates, such as computers running Microsoft Windows NT 4. By default, Windows Server 2003 DHCP servers do not attempt to perform dynamic updates on behalf of these clients. To modify this default behavior, select the appropriate (lowest) check box on the DNS tab of the server properties dialog box (shown in Figure 7-13).
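The same four DNS-tab settings can be read and set from a script, which is useful for checking that a fleet of DHCP servers shares one policy. The following is an added example and not part of the original text: it assumes a DHCP server running Windows Server 2012 or later, where the DhcpServer PowerShell module exists (on Windows Server 2003 these settings are reachable only through the dialog box described above), and the server name and scope ID are placeholders.

```powershell
# Added example (not from the original text). ASSUMPTION: the DHCP server runs
# Windows Server 2012 or later and the DhcpServer module (RSAT) is available.
Import-Module DhcpServer

# Placeholder server name.
$DhcpServer = 'DHCP1.example.com'

# Show the current server-level settings. Each property corresponds to a control
# on the DNS tab described above:
#   DynamicUpdates             -> "Enable DNS dynamic updates according to the settings below"
#                                 OnClientRequest = first option (default), Always = second
#                                 option, Never = check box cleared
#   DeleteDnsRROnLeaseExpiry   -> "Discard A and PTR records when lease is deleted" (default $true)
#   UpdateDnsRRForOlderClients -> the lowest check box: register on behalf of clients that
#                                 cannot request updates, such as Windows NT 4 (default $false)
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

# Restore the documented defaults at the server level: update only on client request,
# discard records when the lease is deleted, do not register for older clients.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -DeleteDnsRROnLeaseExpiry $true `
    -UpdateDnsRRForOlderClients $false

# The alternative discussed above: always register both A and PTR records after an
# address event, and also register for clients that cannot request updates. As the
# Note says, this can be done per scope; here it is applied to one placeholder scope.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId 10.0.1.0 `
    -DynamicUpdates Always `
    -UpdateDnsRRForOlderClients $true

# Verify: the scope-level view now differs from the server-level defaults.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId 10.0.1.0 |
    Select-Object DynamicUpdates, DeleteDnsRROnLeaseExpiry, UpdateDnsRRForOlderClients
```

Scope-level and reservation-level settings (`-ScopeId`, `-IPAddress`) override the server-level ones, so an audit should query all three levels rather than only the server.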
Using the DnsUpdateProxy Security Group
As previously described, you can configure a Windows Server 2003 DHCP server so that it dynamically registers both A and PTR resource records on behalf of DHCP clients. In this configuration, the use of secure dynamic updates with Windows Server 2003 DNS servers can occasionally lead to stale resource records. Because secure dynamic updates require that the owner of a resource record update that record, resource records are not updated if your configuration ever changes.
For example, suppose the following sequence of events occurs:
1. A Windows Server 2003 DHCP server (DHCP1) performs a secure dynamic update on behalf of one of its clients for a specific DNS domain name. Because DHCP1 successfully created the name, DHCP1 becomes the owner of the name.
2. Once DHCP1 becomes the owner of the client name and associated resource records, only DHCP1 can update the name or its IP address.
In some circumstances, this situation might cause problems. For instance, suppose DHCP1 later fails. If a second backup DHCP server (DHCP2) comes online, DHCP2 is unable to update the client's resource record because DHCP2 is not the owner of the record.
In a similar example, suppose DHCP1 has registered the name host.example.microsoft.com on behalf of a client running a version of Windows earlier than Windows 2000. Then the administrator upgrades that client computer to Windows XP Professional. Because the DHCP server (DHCP1) is the owner of this name, the client cannot update its DNS records once the computer is upgraded.
To solve these kinds of problems, Windows Server 2003 Active Directory provides a built-in security group called DnsUpdateProxy. Any object created by the members of this group has no security settings. As a result, initially, the object has no owner, and it can therefore be updated by a DHCP server or client that did not create it, even in zones requiring secure updates. However, as soon as the first DHCP server or client that is not a member of the DnsUpdateProxy group modifies such a record, that server or client then becomes its owner. After that point, only the owner can update the record in zones requiring secure updates. Thus, if every DHCP server registering resource records for older clients is a member of this group, and the clients themselves are not members of the group, the problems discussed earlier are eliminated.
Adding Members to the DnsUpdateProxy Group
You can configure the DnsUpdateProxy global security group through the Active Directory Users And Computers console, as shown in Figure 2.
Important
If you are using multiple DHCP servers for fault tolerance, and secure DNS dynamic updates are required on zones serviced by these DHCP servers, be sure to add each of the computers operating a Windows Server 2003 DHCP server to the DnsUpdateProxy global security group.
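The membership step can be scripted so that a backup server such as DHCP2 is not forgotten. This is an added example and not part of the original text: it assumes Windows Server 2012 or later with the ActiveDirectory and DhcpServer RSAT modules, that the account running it may modify the group, and that the list of DHCP servers authorized in Active Directory is the list you want in the group. Host names are placeholders.

```powershell
# Added example (not from the original text). ASSUMPTION: ActiveDirectory and
# DhcpServer modules are installed and the caller can modify DnsUpdateProxy.
Import-Module ActiveDirectory
Import-Module DhcpServer

$GroupName = 'DnsUpdateProxy'

# Use the DHCP servers authorized in Active Directory as the source list, so that a
# backup server (DHCP2 in the scenario above) is included along with DHCP1.
$dhcpServers = Get-DhcpServerInDC

# Current members by SAM account name (computer accounts end in '$').
$current = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName

foreach ($server in $dhcpServers) {
    # DnsName is the FQDN (e.g. dhcp1.example.com); look up the computer account by host name.
    $hostName = ($server.DnsName -split '\.')[0]
    $computer = Get-ADComputer -Identity $hostName -ErrorAction SilentlyContinue
    if (-not $computer) {
        Write-Warning "No computer account found for DHCP server $($server.DnsName); skipping."
        continue
    }
    if ($current -contains $computer.SamAccountName) {
        Write-Output "$($computer.SamAccountName) is already a member of $GroupName."
    } else {
        Add-ADGroupMember -Identity $GroupName -Members $computer
        Write-Output "Added $($computer.SamAccountName) to $GroupName."
    }
}

# Final membership. Only DHCP server computer accounts should appear: as explained above,
# clients must not be members, otherwise records they register lose the owner protection
# that secure dynamic updates provide.
Get-ADGroupMember -Identity $GroupName |
    Select-Object Name, objectClass, SamAccountName
```

Group membership is evaluated when the computer account logs on, so reboot each DHCP server after adding it; registrations made before that still carry the old ownership behaviour.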
Security Concerns
Although adding all DHCP servers to this special built-in group helps resolve some concerns about maintaining secure DNS updates, this solution also introduces some additional security risks.
For example, any DNS domain names registered by the computer running the DHCP server are not secure. The A resource record for the DHCP server itself is an example of such a record. To protect against this risk, you can manually specify a different owner for any DNS records associated with the DHCP server itself.
However, a more significant issue arises if the DHCP server (which is a member of the DnsUpdateProxy group) is installed on a domain controller. In this case, all service location (SRV), host (A), or alias (CNAME) resource records registered by the Netlogon service for the domain controller are not secure. To minimize this problem, you should not install a DHCP server on a domain controller when using dynamic updates.
Caution
For Windows Server 2003, the use of secure dynamic updates can be compromised by running a DHCP server on a domain controller when the Windows Server 2003 DHCP service is configured to perform registration of DNS records on behalf of DHCP clients. To avoid this problem, deploy DHCP servers and domain controllers on separate computers.
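Both risks in this section can be checked for, and the first mitigation (a different owner for the DHCP server's own record) can be applied, from a script. The following is an added example and not part of the original text: it assumes Windows Server 2012 or later with the ActiveDirectory RSAT module, that the zone is AD-integrated and stored in the DomainDnsZones partition (so that its dnsNode objects sit under the DN built below), and that "Domain Admins" is an acceptable owner for the record. The DHCP host name is a placeholder.

```powershell
# Added example (not from the original text). ASSUMPTIONS: ActiveDirectory module and
# its AD: drive are available; the DNS zone is AD-integrated in DomainDnsZones.
Import-Module ActiveDirectory

$GroupName = 'DnsUpdateProxy'
$domain    = Get-ADDomain

# Risk 1: a DnsUpdateProxy member that is a domain controller. Netlogon registers the
# DC's SRV/A/CNAME records as that computer, so those records would not be secure.
$dcNames = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
$members = Get-ADGroupMember -Identity $GroupName

$dcMembers = $members | Where-Object { $_.objectClass -eq 'computer' -and $dcNames -contains $_.Name }
if ($dcMembers) {
    $msg = "Domain controller(s) in {0}: {1}. Their Netlogon records are not protected by " +
           "secure updates; move the DHCP role to a separate computer."
    Write-Warning ($msg -f $GroupName, ($dcMembers.Name -join ', '))
} else {
    Write-Output "OK: no domain controller is a member of $GroupName."
}

# Clients must never be members, and user or group members are a sign of misuse.
$members | Where-Object { $_.objectClass -ne 'computer' } |
    ForEach-Object { Write-Warning "Non-computer member of ${GroupName}: $($_.Name) ($($_.objectClass))" }

# Risk 2: the DHCP server's own host (A) record, registered by a DnsUpdateProxy member.
# dnsNode objects live under the zone container in the DomainDnsZones partition.
$zone     = $domain.DNSRoot                 # e.g. example.com
$dhcpHost = 'dhcp1'                         # placeholder: host name of the DHCP server
$nodeDn   = "DC=$dhcpHost,DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$($domain.DistinguishedName)"

$acl = Get-Acl -Path "AD:\$nodeDn"
Write-Output "Current owner of $dhcpHost.$zone: $($acl.Owner)"

# Mitigation described above: give the record a dedicated owner so it is no longer an
# object "with no security settings". -WhatIf previews the change; remove it to apply.
$newOwner = [System.Security.Principal.NTAccount]"$($domain.NetBIOSName)\Domain Admins"
$acl.SetOwner($newOwner)
Set-Acl -Path "AD:\$nodeDn" -AclObject $acl -WhatIf
```

Run the audit part periodically rather than once: a DHCP role added later to a domain controller, or a client account dropped into the group, reintroduces the exposure described in the Caution without any change to the DNS server itself.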