DDNS: how safe is it?

Barry Finkel b19141 at achilles.ctd.anl.gov
Tue Feb 6 16:26:08 UTC 2001


"Christian Clos" <bind at cc-web.de> wrote:

>I'm planning to use DDNS with the following 'concept':
>
>BIND DNS 8.2.3 & Windoze DHCP (2K)
>The clients are not allowed to do an update. If they connect to the DHCP,
>the DHCP server should do the DDNS update.
>So far, no problem, but what happens when...
>a client gets the same hostname as one of our servers.
>Are the client/DHCP allowed to override the entry???
>The servers and clients are all in the same zone 'de.hcom', but in different
>IP segments/zones (96.50.10.in-addr.arpa are the servers; no client will ever be
>in this IP segment/zone).
>So, I have to allow the DHCP server to do updates in the zone de.hcom.
>But there are also entries for servers. How can I make these entries safe, so
>that nobody can override them by DDNS???
>
>Hope anybody can give me a hint - THANX

I have not yet gotten any sniffer traces of secure DDNS packets sent by
a W2k DHCP server, so I do not know what pre-requisite checks are sent
with the update packets.  Whether the dynamic DNS updates corrupt
existing information in DNS depends on the pre-requisite checks.
Search the archives of this list; I have posted the pre-reqs for
a W2k workstation attempting self-registration.  Pre-reqs built by a
DHCP server might be different.

I have been told (but I have not yet researched or verified) that the
DHCP server must NOT be on a DC.  If it is on a DC, then the DHCP
server has full update access to any DNS zone.  We have a testbed
network with a domain

     aa.anl.gov

and the DHCP server is on the DC for the aa domain.  The DNS zone for
aa (and the corresponding reverse zone) are both AD-integrated with
secure updates only.  The zones reside on a DC for the anl.gov domain.
I have a sniffer trace of all activity between the aa DC and the DC on
which the zones reside.  All of the DDNS updates were non-secure, and
ALL were successful.  I plan to get traces from another DHCP server
that is not on a DC to compare the results.  I did not look at the
pre-req sections of the packets.  I think the normal W2k operation is

     1) Try an unsecure update.
     2) If the unsecure update fails, then try a secure update.

As the unsecure update worked, the DHCP server did not attempt case 2).
I do not know if the pre-reqs in step 1) would be identical to the
pre-reqs in step 2).  Logic would dictate that they should be the same,
but I am going to wait for a sniffer trace before coming to any
conclusions.
----------------------------------------------------------------------
Barry S. Finkel
Electronics and Computing Technologies Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-9689
Building 221, Room B236              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4844             IBMMAIL:  I1004994
