BIND 8.2.2P5, Windows 2000, and security

Delmer Harris dharris at kcp.com
Tue May 2 14:21:23 UTC 2000



My W2K contact says the workstations have to use dynamic updates to support
shares and to allow network browsing.  According to him these are
advertised as services and supported by SRV records added and removed from
DNS using dynamic updates.  I have no information to refute this claim.
Any further information to which you can point me would be valuable.  Much
thanks.

If it really is necessary to allow workstations to update DNS then I think
I will have to delegate a subdomain to W2K.  If the W2K DNS declares itself
a slave for the main domain, and I allow zone transfers from the main
domain's DNS servers, then the W2K server should have all the information
of the main domain but the main domain's DNS servers will not need to ever
know anything about the subdomain.  I would welcome comments on the merits
of this solution.  Thank you.

Tim Maestas <tmaestas at idc.dhs.org> on 05/02/2000 03:13:42 AM

 To:      Delmer Harris/ASFMT at ASFMT
 cc:      bind-users at isc.org
 Subject: Re: BIND 8.2.2P5, Windows 2000, and security

We are (beginning) to support a W2k environment using BIND dns servers.
There is no reason that I can think of, or that we have run across, that
should require you to allow updates from workstations.  In fact, part of
the requirements that we (the infrastructure group) are passing to the
workstation build team, is the disabling on all workstations of automatic
forward and reverse zone updates.  Domain controllers we will allow to
update, as they need to update all their SRV records.  But that's it.
Period.  Our DHCP servers will be the only servers to dynamically update
DNS, and those only under tightly controlled prerequisites.

-Tim


On Mon, 1 May 2000, Delmer Harris wrote:

> I am running 8.2.2P5 on Solaris 2.7 in a test setup, trying to support Windows
> 2000 for our server development group.  I have allowed updates from the domain
> controllers and thought all was well.  Now the Windows 2000 server group tells
> me I must allow updates from all workstations as well.  This goes against my
> security instincts, as I don't trust all the workstations on our network.
>
> My questions are to anyone who has tried to support Windows 2000 from a Un*x
> DNS.
>
> Do I really need to allow every workstation to update DNS?
>
> If I do, what would I gain by creating a subdomain for Windows 2000 and letting
> the server group maintain the DNS for that subdomain.  I think I would still
> have all those entries propagated to my DNS servers.
>
> Thanks.
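As an added illustration (not posted by either Tim or Delmer), here is how the two approaches in this thread look in BIND configuration: dynamic updates accepted only from the domain controllers and the DHCP server, as Tim describes, zone transfers limited to the W2K server acting as slave, and the NS delegation for the subdomain Delmer proposes. All hostnames, addresses, key names and the secret are constructed placeholders.

```conf
// named.conf fragment (constructed example; every name, address and key
// is a placeholder). Generate the TSIG secret with the key tool shipped
// with your BIND release and share it only with the DHCP server.
key "dhcp-key" {
    algorithm hmac-md5;          // BIND 9 also accepts hmac-sha256
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Domain controllers are matched by address here because they do not speak
// TSIG; addresses can be spoofed, so prefer a key wherever the client can.
acl domain-controllers { 192.0.2.10; 192.0.2.11; };

// The Windows 2000 DNS server that will hold a slave copy of the main zone.
acl w2k-secondary { 192.0.2.53; };

zone "example.com" {
    type master;
    file "master/example.com";
    // Updates come only from the DCs and the DHCP server; workstations get
    // REFUSED, which is what Tim's build requirement expects.
    allow-update { domain-controllers; key "dhcp-key"; };
    // Only the W2K slave may pull the zone (Delmer's delegation design).
    allow-transfer { w2k-secondary; };
};
```

The delegation itself lives in the main zone file, not in named.conf: an NS record for the subdomain plus a glue A record, e.g. `w2k IN NS dns1.w2k.example.com.` and `dns1.w2k IN A 192.0.2.53`, after which workstation records registered in w2k.example.com never touch the main zone's servers.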