BIND 8.2.2P5, Windows 2000, and security

Kevin Darcy kcd at daimlerchrysler.com
Mon May 1 23:24:04 UTC 2000


Delmer Harris wrote:

> I am running 8.2.2P5 on Solaris 2.7 in a test setup, trying to support
> Windows 2000 for our server development group.  I have allowed updates
> from the domain controllers and thought all was well.  Now the Windows 2000
> server group tells me I must allow updates from all workstations as well.
> This goes against my security instincts, as I don't trust all the
> workstations on our network.
>
> My questions are to anyone who has tried to support Windows 2000 from a
> Un*x DNS.
>
> Do I really need to allow every workstation to update DNS?

As I understand it, the W2K DHCP servers can be configured to perform both
the forward and reverse dynamic updates on behalf of the clients they serve.
I don't think this is the default configuration, though, and I've heard
there are some problems with it (apparently W2K DHCP servers aren't very
careful about deleting A records and will happily delete an existing A
record even if it's for a statically-assigned node, yikes!). Restricting
updates to only the W2K DHCP servers is an option to consider, though, for
security reasons, since at least then you only need to trust a limited
number of addresses.

> If I do, what would I gain by creating a subdomain for Windows 2000 and
> letting the server group maintain the DNS for that subdomain.  I think I
> would still have all those entries propagated to my DNS servers.

If the W2K clients are configured to use that forward subdomain for
themselves, then I think they would perform those updates only to the
master(s) of the subdomain(s), which is to say, only to the W2K DNS servers.
Those entries would then only "propagate" to your servers _en_masse_ if you
chose to slave the zone(s), which is entirely up to your discretion. The
only real downside, from the W2K implementation perspective, is that these
"subdomained" W2K domain names are likely to be longer and more cumbersome
than names used for other nodes in the enterprise, e.g.
<whatever>.w2k.company.com versus just <whatever>.company.com.

As for reverse entries, this is not so easy to deal with since clients with
dynamically-assigned addresses will frequently share the same C-class
networks with statically-assigned nodes, and you probably wouldn't want to
move administration of your *entire* reverse-address namespace to
W2K servers. But, again, for reverse records I think you only need to trust
the W2K DHCP servers, and if you limit their update access to only the
reverse namespace, at least they won't be deleting any important A records.

It would be nice if the W2K DHCP server were able to follow RFC 2317-style
PTR aliases back from a non-W2K-DNS-server-hosted zone, e.g. something
hosted by a BIND server, to a zone controlled by a W2K DNS server. That way,
you could "delegate" addresses in the ranges known to be
dynamically-assigned, and *all* of the dynamic updates for W2K clients could
be isolated to the W2K world. But I've heard that the W2K DHCP server isn't
this smart; that it doesn't bother checking for CNAMEs and will simply
*fail* if it is denied update access to a zone or it goes to add a PTR and
then discovers that a CNAME for the same name already exists. Too bad.

Even nicer, of course, would be if the dialect of Dynamic Update used in W2K
were interoperable with what the rest of the DNS community uses or intends
to use. But I guess that's a little much to expect from a company like
Microsoft...

I should point out that I'm just getting my feet wet on this
W2K/BIND integration thing (being dragged kicking and screaming into it is
perhaps a more accurate metaphor), so corrections are welcome on any or all
of the above.


- Kevin
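As an added illustration, not part of Kevin's post and not taken from any BIND or Microsoft documentation, here is the kind of BIND 8 named.conf and zone-file arrangement the reply describes: the enterprise forward zone accepts no dynamic updates and delegates a w2k subdomain to the W2K DNS servers, the shared reverse zone accepts PTR updates only from the W2K DHCP servers' addresses, and a dynamically-assigned range is handed off RFC 2317-style. Every name and address (company.com, ns1.w2k.company.com, the 192.0.2.0/24 documentation range, the file names) is a constructed placeholder.

```conf
// ---- named.conf (BIND 8 syntax) ----
// Only the W2K DHCP servers may send dynamic updates. Addresses are
// constructed placeholders from the 192.0.2.0/24 documentation range.
acl "w2k-dhcp" {
    192.0.2.10;          // W2K DHCP server #1 (placeholder)
    192.0.2.11;          // W2K DHCP server #2 (placeholder)
};

// Enterprise forward zone: no dynamic updates at all. W2K clients register
// under the delegated w2k.company.com subdomain, which lives on W2K DNS.
zone "company.com" {
    type master;
    file "db.company.com";
    allow-update { none; };
};

// Reverse zone shared by static and dynamic nodes: PTR updates accepted
// from the DHCP servers only. Because they hold no update rights on
// company.com, a careless DHCP server cannot delete A records there.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "db.192.0.2";
    allow-update { "w2k-dhcp"; };
};

; ---- db.company.com (excerpt) ----
$ORIGIN company.com.
w2k         IN NS   ns1.w2k.company.com.   ; subdomain delegated to W2K DNS
ns1.w2k     IN A    192.0.2.20             ; glue record (placeholder)

; ---- db.192.0.2 (excerpt) ----
$ORIGIN 2.0.192.in-addr.arpa.
1           IN PTR  gw.company.com.        ; statically-assigned node stays here
; RFC 2317-style hand-off of the dynamic range .128-.255 to W2K DNS:
; each PTR name becomes a CNAME into a zone the W2K servers own, so the
; dynamic reverse updates never have to touch this BIND-hosted zone.
128/25      IN NS   ns1.w2k.company.com.
$GENERATE 128-255 $ CNAME $.128/25.2.0.192.in-addr.arpa.
```

The two halves are alternatives for the reverse side, not a package: if, as the post reports, the W2K DHCP server fails when it meets a CNAME rather than following it, leave out the `128/25` NS and `$GENERATE` lines and rely on the `allow-update { "w2k-dhcp"; }` on the BIND reverse zone instead. Either way the trust boundary is a short list of server addresses rather than every workstation; keep in mind that an address-based `allow-update` list is only as strong as the network's resistance to source-address spoofing, so the update-capable addresses deserve the same protection as the DHCP servers themselves.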




