DNS – Practical Risks of Enabling Unsecure DNS Updates on Windows


What are the practical risks of enabling the unsecure DNS updates on Windows?

As far as I found, enabling unsecure DNS updates is a requirement for enabling DHCP Linux clients to register their names with an FQDN.

I do want to know what the practical risks involved in this are, in order to evaluate whether it's OK to have these enabled or not.

As far as I know, a machine would not be able to take over another reserved name, which would be the only real concern that I know.

Obviously it would be the DDoS, but considering that we are talking about an intranet here, I doubt this could be a real risk.

Do you have it enabled on your domain or not? Did you ever have to disable it due to having some problems with it?

Best Answer

Insecure

You should basically never, ever allow non-secure updates. Personally I don't even like that the DNS server even allows you to turn off secure updates. This allows anyone on your network (like a hacker) to register DNS records with no Active Directory authentication required. This would allow the attacker to "spoof" a DNS name on your network and redirect people to another server than the one they thought they were going to.

Another example of when this setting can ruin your day accidentally rather than maliciously... someone turned secure updates off... all of the HP ILOs (out of band management) on all the machines on the network were suddenly able to start dynamically registering their own DNS records... but the ILOs were named the same as the servers, so they overwrote the host servers' DNS records!

Disabling secure updates is a terrible idea. Just don't.

For a possible solution for getting your Linux clients to leverage DHCP in order to register DNS records securely, this might help: Register A records for my Linux box on my Windows 2008 DNS/DHCP server
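
The following audit script is an added example, not part of the original answer: it lists which primary zones on a Windows DNS server accept updates without Active Directory authentication and shows the dynamically registered A records in those zones for review. It assumes the DnsServer PowerShell module (RSAT) is installed; `$DnsServer` is a placeholder for your own server name.

```powershell
#Requires -Modules DnsServer
# Added example, not from the original answer. $DnsServer is a placeholder.
param([string]$DnsServer = 'localhost')

# Primary zones only; DynamicUpdate is None, Secure or NonsecureAndSecure.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    [pscustomobject]@{
        Zone                   = $zone.ZoneName
        IsDsIntegrated         = $zone.IsDsIntegrated
        DynamicUpdate          = $zone.DynamicUpdate
        AcceptsUnauthenticated = ($zone.DynamicUpdate -eq 'NonsecureAndSecure')
    }
}
$report | Sort-Object AcceptsUnauthenticated -Descending | Format-Table -AutoSize

# In each exposed zone, list dynamically registered A records
# (static records carry no Timestamp) so recent registrations can be reviewed.
foreach ($row in $report | Where-Object AcceptsUnauthenticated) {
    Write-Warning "Zone '$($row.Zone)' accepts updates without AD authentication."
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $row.Zone -RRType A |
        Where-Object { $_.Timestamp } |
        Select-Object HostName, @{n='IPv4';e={$_.RecordData.IPv4Address}}, Timestamp |
        Sort-Object Timestamp -Descending |
        Format-Table -AutoSize

    # Secure-only updates need an AD-integrated zone. Remove -WhatIf to apply.
    if ($row.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $row.Zone `
            -DynamicUpdate Secure -WhatIf
    }
}
```

With `-WhatIf` left in place the script changes nothing; it only reports which zones would be switched to secure-only updates.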
