Restricting secure ddns to specific hosts

Discussion in 'DNS Server' started by Bjarne, Jun 27, 2009.

  1. Bjarne

    Bjarne Guest

    Windows 2003, AD environment, Windows 2003 DNS server.

    In our AD environment, all servers and workstations which are authenticated
    add themselves to dns in the forward zones via secure ddns, but we do not
    want any of them to update the PTR records in the reverse zones.

    On the other hand, we have a dns management tool on a specific server which
    controls the AD DNS using ddns.

    Is there any way to restrict secure ddns updates to a few hosts/ip addresses
    on a zone basis, so only our management station can use secure ddns on our
    reverse zones, and ddns on the reverse zones from everybody else is
    ignored?

    Bjarne, Jun 27, 2009

  2. Bjarne

    Chris Dent Guest

    It should be possible to do that by removing the Authenticated Users
    "create" right on the DNS zone.

    If the management station updates based on specific credentials, or with
    its computer account, you would have to add that back in.

    Chris Dent, Jun 27, 2009

  3. Good thought, Chris.

    Or possibly simply disable dynamic updates and manually enter the required
    PTR entries.


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup/forum to benefit from collaboration among
    responding engineers, as well as to help others benefit from your

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer

    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check for regional support phone numbers.
    Ace Fekay [Microsoft Certified Trainer], Jun 27, 2009
  4. Bjarne

    Chris Dent Guest

    If you do opt for the manual method and what needs to be added is in an
    accessible place, it can be easily scripted :)

    Chris Dent, Jun 27, 2009
  5. Good point, such as using dnscmd. :)

    Ace Fekay [Microsoft Certified Trainer], Jun 28, 2009
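    As an added illustration of the "disable dynamic updates and script the PTR entries" option Chris and Ace describe above (this is not a script from the thread), the following PowerShell wrapper around dnscmd reads an IP/host list from a CSV, derives the /24 reverse zone and node name for each address, skips nodes that already carry a PTR, and only writes when -Apply is given. The server name, CSV path and the /24 assumption are placeholders.

```powershell
# Added example, not from the thread. Bulk-create PTR records with dnscmd
# after dynamic updates on the reverse zone have been switched off.
# Assumptions (placeholders): a /24 reverse zone, server dns1.example.com,
# and a CSV with the columns IP,Host.
param(
    [string]$DnsServer = "dns1.example.com",   # placeholder DNS server
    [string]$Csv       = ".\ptr-records.csv",  # placeholder file: IP,Host
    [switch]$Apply                              # report only unless -Apply
)

# Split 192.168.1.10 into zone "1.168.192.in-addr.arpa" and node "10".
function Get-ReverseName([string]$ip) {
    $o = $ip.Split(".")
    if ($o.Count -ne 4) { throw "Not an IPv4 address: $ip" }
    New-Object PSObject -Property @{
        Zone = "$($o[2]).$($o[1]).$($o[0]).in-addr.arpa"
        Node = $o[3]
    }
}

# Ask the server whether the node already has a PTR record. dnscmd returns a
# non-zero exit code when the node does not exist, so both cases are covered.
function Test-PtrExists([string]$zone, [string]$node) {
    $out = & dnscmd $DnsServer /EnumRecords $zone $node /Type PTR 2>&1
    return ($LASTEXITCODE -eq 0 -and ($out -match "\bPTR\b"))
}

# Turn dynamic updates off for the zone (0 = none, 2 = secure only).
function Disable-ZoneDynamicUpdate([string]$zone) {
    & dnscmd $DnsServer /Config $zone /AllowUpdate 0
}

$rows  = Import-Csv $Csv
$zones = @{}
foreach ($r in $rows) {
    $rn   = Get-ReverseName $r.IP
    $fqdn = $r.Host.TrimEnd(".") + "."        # dnscmd expects a trailing dot
    $zones[$rn.Zone] = $true
    if (Test-PtrExists $rn.Zone $rn.Node) {
        Write-Host "skip  $($r.IP) -> PTR already present"
        continue
    }
    if ($Apply) {
        & dnscmd $DnsServer /RecordAdd $rn.Zone $rn.Node PTR $fqdn
        Write-Host "added $($r.IP) -> $fqdn (exit $LASTEXITCODE)"
    } else {
        Write-Host "would run: dnscmd $DnsServer /RecordAdd $($rn.Zone) $($rn.Node) PTR $fqdn"
    }
}

# Lock every zone we touched so clients cannot add PTRs dynamically again.
if ($Apply) { foreach ($z in $zones.Keys) { Disable-ZoneDynamicUpdate $z } }
```

Run it once without -Apply to see the exact dnscmd lines it would issue; the existence check matters because /RecordAdd on a node that already has a PTR simply adds a second one rather than replacing it.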
  6. Bjarne

    Bjarne Guest

    Hm, I actually already tried that, without success. According to documents
    from technet, the security settings in properties only cover who is
    allowed to "manage" the zone and nothing about dynamic updates.

    thanks for your thoughts.

    Bjarne, Jun 28, 2009
  7. Bjarne

    Bjarne Guest

    Yes, we have done it this way until now, but the point is that we want to
    manage the reverse zone from our management station, which uses ddns to
    update the dns, but we do not want any workstations/servers to overwrite
    the reverse zones.

    Bjarne, Jun 28, 2009
  8. Bjarne

    Chris Dent Guest

    That's not true. The clients can only create records if they have permission
    (provided only secure updates are permitted), same applies for updating
    records (depending on the source of the update).

    There is a possibility that it would run into problems if (MS) DHCP were
    updating on a client's behalf, and DHCP were running on a Domain Controller.
    The update would be performed with the credentials of the DC (unless you
    told it otherwise), which would be covered by the Enterprise Domain
    Controllers' Full Control right on the zone.

    And, of course, if the records already exist the right isn't required, the
    system will have explicit rights over the already created record.

    It works in my tests anyway :) When attempting to update a zone which has
    the authenticated users right removed I get a message from DNSAPI (in the
    event log) stating that the update was refused. Reinstate the right and
    registration is permitted once more.

    Chris Dent, Jun 28, 2009

  9. Well, workstations and servers won't overwrite anything in the zone, as well
    as DHCP (if configured correctly to update existing records), other than
    their own records when their IP changes when they acquire a new IP

    Are you saying that something is overwriting existing records with incorrect
    information? What kind of issue are you seeing that something is being

    Ace Fekay [Microsoft Certified Trainer], Jun 28, 2009
  10. Bjarne

    Bjarne Guest

    OK sounds good.
    The dhcp servers do not update the dns, but on second thought, the AD
    consists of three servers and I only changed the zone permissions on one
    dns server. It sounds like I will have to do some more testing. If this
    works, that would really be great.

    Thanks a lot for your input.

    Bjarne, Jun 28, 2009
  11. Bjarne

    Bjarne Guest

    We are managing the ip address space by allocating addresses from the
    reverse zones. The servers and workstations then create their own records
    in the forward zones. When we need a free ip address, we look in the
    reverse zone.
    When workstations connect via vpn, they create (if allowed) a PTR record
    with their private address (typically 192.168.1.xx). Also if a server has a
    not correctly configured interface it will select 192.168.1.xx and create a
    PTR record with that IP.
    That means we no longer know which addresses are free in that segment. I use
    192.168.1.x as an example, but the problem would apply to all our zones.

    So, at least for now, we don't want anything to make entries in the reverse
    zones, except our management station which uses ddns. Later on we might do
    things differently.

    Bjarne, Jun 28, 2009
  12. Interesting way of doing it. I've actually never heard of it done this way.
    Are you using a third party product, or something you've written?

    Ace Fekay [Microsoft Certified Trainer], Jun 28, 2009
  13. Bjarne

    Bjarne Guest

    Interesting.. yes, this is an established procedure from before I started in
    the company. The management station is a new tool, IPControl from BT, which I am
    implementing at the moment. It is not quite clear yet how the day to day ip
    management is going to be done, but it will most likely be different from
    the current procedure. For one, the management of selected scopes can be
    delegated to different departments.
    Until I am ready with new procedures, however, I would like to continue the
    existing setup.

    Bjarne, Jun 28, 2009

    Interesting, again! Although I've heard about it, I've never used
    IPControl, nor do I know anyone that's used it, so I can't even comment on
    it or its nuances, etc. I can understand not changing something too quickly.

    Good luck!

    Ace Fekay [Microsoft Certified Trainer], Jun 28, 2009
  15. Bjarne

    Chris Dent Guest

    It should only need setting on the one, security is stored in AD and
    replicates with the zone.

    Chris Dent, Jun 29, 2009
  16. Bjarne

    Bjarne Guest

    You are right of course. Didn't make any difference.
    I could use a hint as to how to set security to restrict ddns to a specific
    ip address or AD account. I spent the entire day trying different stuff, but
    without success.
    It still says the permission only changes who can administer the zone and does
    not influence ddns.

    So if you got any good idea I am all ears.

    Bjarne, Jun 29, 2009
  17. Bjarne

    Chris Dent Guest

    I've got some 2003 servers at work, I'll re-test with those.

    That snippet contradicts itself a bit, but I'll let you know in the morning
    how that works out.

    Chris Dent, Jun 29, 2009
  18. Bjarne

    kj [SBS MVP] Guest

    The computer that registers its records is the owner of the record and
    should have full control + read + write. The zone allows "authenticated
    users" to create child objects (records). When it creates the child object
    it then owns the child object. If you change the security of the object (A
    or PTR) and / or owner of the record, then the workstation won't be able to
    update existing records.

    I'm not really clear on why you want to do this, but if you take ownership
    of the existing object (PTR) and change the workstation$ permissions, then
    it won't be able to change it.
    kj [SBS MVP], Jun 29, 2009
  19. Bjarne

    Chris Dent Guest

    Right, I've got to the bottom of this now.

    If a record has never existed, and the Authenticated Users right allowing
    creation of Child Objects has been removed, clients will not be
    able to register records within the zone.

    If a record existed previously but was deleted in the DNS GUI a
    TombStone (of sorts) will exist with an adjusted dnsRecord attribute
    (renders it invisible in the GUI).

    Since the client which created the record is an owner of that record,
    and should have some level of explicit control in the ACL, it can still
    update the object as it pleases (even though this isn't visible in the
    DNS console).

    Therefore, to get this to work you must flush the old records (dnsNodes)
    out of Active Directory (ADSIEdit time). Once done, systems attempting
    to directly register PTR records should end up with Event ID 11160
    logged stating there was a security problem.

    Chris Dent, Jun 30, 2009
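    The procedure Chris arrives at above has two halves: strip the Authenticated Users ACE from the zone object, then flush the hidden dnsNode objects whose owners still hold explicit rights. The script below is an added example (not Chris Dent's own work) that does both from PowerShell using System.DirectoryServices only, so it needs no Active Directory module, and finishes with the client-side check for Event ID 11160 that the post mentions. The zone DN, the principal name and the -Apply switch are placeholders; that the hidden nodes carry dNSTombstoned=TRUE is my assumption about what the post calls a "TombStone (of sorts)", and that the client-side event source is named DnsApi is likewise assumed from the post's "DNSAPI".

```powershell
# Added example, not from the thread. Audits and optionally applies the two
# changes from the post above on an AD-integrated reverse zone.
# Assumptions (placeholders): the zone DN below, the principal name, and that
# deleted nodes are marked with dNSTombstoned=TRUE.
param(
    # Placeholder DN. For a Windows 2003 zone in the DomainDnsZones partition
    # the shape is DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,DC=<domain>
    [string]$ZoneDn    = "DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com",
    [string]$Principal = "NT AUTHORITY\Authenticated Users",
    [switch]$Apply     # report only unless -Apply is given
)

$zone = [ADSI]"LDAP://$ZoneDn"

# Step 1: list explicit ACEs held by Authenticated Users on the zone object.
# The default "Create all child objects" ACE is what lets every domain member
# create a brand-new dnsNode (record) in the zone.
function Get-ZoneAcesFor([System.DirectoryServices.DirectoryEntry]$obj, [string]$who) {
    $obj.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $who }
}

$aces = @(Get-ZoneAcesFor $zone $Principal)
foreach ($a in $aces) {
    Write-Host ("ACE: {0} {1} {2}" -f $a.AccessControlType, $a.IdentityReference, $a.ActiveDirectoryRights)
}
if ($Apply -and $aces.Count -gt 0) {
    foreach ($a in $aces) { [void]$zone.ObjectSecurity.RemoveAccessRule($a) }
    $zone.CommitChanges()   # the descriptor is stored in AD and replicates with the zone
    Write-Host "Removed $($aces.Count) ACE(s) for $Principal"
}

# Step 2: find dnsNode objects the DNS console no longer shows. Their owner
# (the machine that registered them) keeps explicit rights on the object and
# can therefore re-animate the record regardless of the zone-level ACL.
function Get-TombstonedNodes([System.DirectoryServices.DirectoryEntry]$root) {
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter = "(&(objectClass=dnsNode)(dNSTombstoned=TRUE))"   # assumed marker
    $s.SearchScope = "OneLevel"                                  # nodes sit directly under the zone
    [void]$s.PropertiesToLoad.Add("distinguishedName")
    $s.FindAll()
}

foreach ($n in Get-TombstonedNodes $zone) {
    $dn = $n.Properties["distinguishedname"][0]
    if ($Apply) {
        $n.GetDirectoryEntry().DeleteTree()   # same effect as deleting it in ADSIEdit
        Write-Host "deleted $dn"
    } else {
        Write-Host "tombstoned: $dn"
    }
}

# Step 3: run on a workstation afterwards. A refused PTR registration should
# show up in the System log as Event ID 11160 from the DnsApi source.
function Get-RefusedRegistrations {
    Get-EventLog -LogName System -Source DnsApi |
        Where-Object { $_.EventID -eq 11160 } |
        Select-Object TimeGenerated, Message
}
```

Run it first without -Apply on a domain controller to see which ACEs and hidden nodes it would touch; Step 3 is meant for a client, and a clean run there (no 11160 events, records still registering) means a leftover node or an inherited right is still granting access. The management station's own account then needs an explicit ACE added back on the zone, as Chris noted earlier in the thread.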
  20. Bjarne

    Bjarne Guest

    Check. I will change the zone setting.
    Ok secret storage
    I spent some time with ADSIEdit today, but I think I need more time to
    figure that out - never seen that before.
    I must thank you for your kind help with this. I really appreciate the time
    you have taken to lead me through my troubles.

    Bjarne, Jun 30, 2009
