Re: DHCP security breach

I do not believe you are taking the entire scope of the underlying
technologies into account. Specifically, if a machine "touches" its
DNS records, for example a DC, then it is owner of those, and
future attempts to update them by other principals will fail. Hence,
your claim that you can hijack any DNS name is a little overstated.
Nevertheless, yes, what you indicate is so, for names temporarily
not in DNS, that a malicious client could usurp them via DHCP.
Of course they could do so themselves directly also if they are
AD joined machines.
DHCP's ability to register DNS records was originally provided
as a means to support backlevel (read Win9x, Unix, etc.) clients.
Use of DHCP reservation-only IP leasing can (laboriously) bring
some mitigation (chasing the issue back to MAC masquerading).
Important names ought to be registered by their owning machine (or
defined statically) so that the ACL on the DNS objects in AD is
used to effectively prevent name hijacking.

<boomboom999@xxxxxxxxx> wrote in message

I have an Active Directory integrated DNS zone configured for secure
I am evaluating risks of permitting our DHCP server (Windows 2003-based
one) to register A and PTR records on behalf of workstations (Windows
If I understand correctly this option will compromise the whole idea of
the Secure DNS updates.

As the DHCP protocol is not secured at all, DHCP has absolutely no
means to validate who is requesting a DNS name update. So why does
Microsoft not mention these risks of allowing DNS updates via DHCP servers?
With a little effort, I can hijack any workstation's name.

Any ideas on how to secure DNS updates via DHCP?
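The reply's point is that the protection comes from object ownership: a record registered by the host's own computer account is ACL'd to that account, while a record the DHCP server registered on a client's behalf is owned by the DHCP server's account and can be overwritten by whatever client next claims that name through DHCP. The following PowerShell is an added audit example, not code from the thread or from Microsoft: it lists the dynamic A records of an AD-integrated zone together with the AD owner of each dnsNode object and flags the ones owned by the DHCP account. It assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules on a current Windows Server (these cmdlets postdate the Windows 2003 era of the thread), and the zone name, DHCP account name and partition DN are placeholders for your environment.

```powershell
# Added example (not from the thread): find A records that DHCP registered on
# behalf of clients, i.e. records whose AD owner is the DHCP service account
# rather than the host's own computer account.
Import-Module DnsServer
Import-Module DhcpServer
Import-Module ActiveDirectory

$Zone        = 'corp.example.com'     # placeholder: your AD-integrated zone
$DhcpAccount = 'CORP\dhcp-dns-svc'    # placeholder: account DHCP uses for DNS updates
$DomainDn    = (Get-ADDomain).DistinguishedName

# Assumes the zone is stored in the DomainDnsZones application partition.
# For a zone replicated in the domain partition use instead:
#   "DC=$Zone,CN=MicrosoftDNS,CN=System,$DomainDn"
$ZoneDn      = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

# Show how the DHCP server itself is configured: whether it performs dynamic
# updates at all, and whether it does so for clients that cannot self-register
# (the "backlevel" clients the reply mentions).
Get-DhcpServerv4DnsSetting |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRRonLeaseExpiry

$report = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    # Static records have no Timestamp; only dynamic ones are of interest here.
    Where-Object { $_.HostName -ne '@' -and $_.Timestamp } |
    ForEach-Object {
        # Each host name is a dnsNode child object of the zone container in AD;
        # its security descriptor carries the owner that secure updates enforce.
        $nodeDn = "DC=$($_.HostName),$ZoneDn"
        $owner  = (Get-Acl -Path "AD:\$nodeDn").Owner
        [pscustomobject]@{
            Name      = $_.HostName
            Address   = $_.RecordData.IPv4Address.IPAddressToString
            Owner     = $owner
            Timestamp = $_.Timestamp
            # True means the host never registered this name itself, so any DHCP
            # client can cause the DHCP server to overwrite it.
            DhcpOwned = ($owner -eq $DhcpAccount)
        }
    }

$report | Sort-Object DhcpOwned -Descending, Name | Format-Table -AutoSize

# Names that matter (DCs, servers, anything addressed by name in policies)
# should appear with their own computer account as Owner, or be static.
$report | Where-Object DhcpOwned |
    ForEach-Object { Write-Warning "DHCP-owned record: $($_.Name) -> $($_.Address)" }
```

Run it on a DNS server or a workstation with RSAT as a user who can read the zone's AD objects. A record flagged DhcpOwned is exactly the case the original poster describes; the fix the reply proposes is to have such hosts register their own names (or to define them statically) so the AD ACL, not the DHCP server, decides who may update them.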
