Security – How to limit dynamic DNS updates

Tags: domain-name-system, dynamic-dns, Security, windows-server-2008-r2

First off, I'm sorry if this is vague, but I'm not very familiar with DNS or DNS terminology.

What I'm trying to do:

I want to limit what hostnames are allowed to dynamically update DNS. I don't want to end up with a malicious user sending a dynamic DNS update with the same hostname as a domain controller or radius server or something.

Here's why this is a problem:

We run a mixed environment shop and have a lot of devices that aren't tied to AD, so I can't limit DNS updates to secure-only.

Can someone please tell me how to fix this and what it's called? DNS is running on Windows Server 2008 R2 domain controllers.

Best Answer

Windows DNS entries have ACLs. Check and/or set them.


Generally speaking, dynamically updated hostnames/A records allow anyone to update them, while static ones do not; either way, this behavior is configurable.

When creating a new A record/hostname entry, you have the option to either allow any authenticated user to modify the record or not:


And it sounds like "not" is what you'd prefer. Lucky for you, that's the default.

In fact, the default settings work pretty well, in that they won't allow just anyone to poison the DNS records, or take over a domain controller's A record in the DNS table by simply renaming their machine and performing a dynamic DNS update. So unless your DNS environment has been explicitly configured in a particularly poor and very specific way, you and your boss don't have anything to worry about.

But don't take my word for it... check the ACLs yourself, and try to hijack a domain controller's (or whatever else's) DNS records with an unauthenticated client.
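Added example (not part of the answer above, and not Microsoft's tooling): a PowerShell audit of the record ACLs the answer refers to. In an AD-integrated zone each record is a dnsNode object under CN=MicrosoftDNS in the DomainDnsZones partition, so its ACL can be read with the ActiveDirectory module's AD: drive; the script lists records where a broad principal (Authenticated Users or Everyone) holds write rights, which is what the "allow any authenticated user to update" checkbox grants. The zone name and domain DN are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed on the 2008 R2 DC.

```powershell
# Added example: find DNS records in an AD-integrated zone whose ACL lets a
# broad principal overwrite them. Assumes the ActiveDirectory module (RSAT);
# $Zone and $DomainDN are placeholders for your environment.
Import-Module ActiveDirectory   # also creates the AD: PSDrive used by Get-Acl

$Zone     = 'example.com'            # placeholder: zone to audit
$DomainDN = 'DC=example,DC=com'      # placeholder: domain naming context
$ZoneDN   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# Principals that should never hold write rights on an individual record.
$BroadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone')

# Any of these rights lets the holder change the record's data or its DACL.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$WriteMask = $R::WriteProperty -bor $R::GenericWrite -bor $R::GenericAll -bor $R::WriteDacl

# Every record (dnsNode) directly under the zone object.
$Nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=dnsNode)' -Properties dNSTombstoned

foreach ($Node in $Nodes) {
    # Tombstoned nodes are records already removed by scavenging; skip them.
    if ($Node.dNSTombstoned -eq $true) { continue }

    $Acl = Get-Acl -Path "AD:\$($Node.DistinguishedName)"
    foreach ($Ace in $Acl.Access) {
        if ($Ace.AccessControlType -ne 'Allow') { continue }
        $IsBroad  = $BroadPrincipals -contains $Ace.IdentityReference.Value
        $CanWrite = ($Ace.ActiveDirectoryRights -band $WriteMask) -ne 0
        if ($IsBroad -and $CanWrite) {
            # New-Object rather than [pscustomobject] so it runs on PowerShell 2.0.
            New-Object PSObject -Property @{
                Record    = $Node.Name
                Principal = $Ace.IdentityReference.Value
                Rights    = $Ace.ActiveDirectoryRights
                Inherited = $Ace.IsInherited   # inherited from the zone vs. set on the record
            }
        }
    }
}
```

Records for domain controllers or RADIUS servers showing up in this output are the ones worth fixing; record ACLs are evaluated for secure (authenticated) dynamic updates, while the zone's dynamic update setting governs whether unauthenticated updates are accepted at all.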