Re: DHCP security breach

Hi,
I do not believe you are taking the entire scope of the underlying
technologies into account. Specifically, if a machine "touches" its
DNS records, for example a DC, then it is owner of those, and
future attempts to update them by other principals will fail. Hence,
your claim that you can hijack any DNS name is a little overstated.
Nevertheless, yes, what you indicate is so, for names temporarily
not in DNS, that a malicious client could usurp them via DHCP.
Of course they could do so themselves directly also if they are
AD joined machines.
DHCP's ability to register DNS records was originally provided
as a means to support backlevel (read Win9x, Unix, etc.) clients.
Use of DHCP reservation-only IP leasing can (laboriously) bring
some mitigation (chasing the issue back to MAC masquerading).
Important names ought to be registered by their owning machine (or
defined statically) so that the ACL on the DNS objects in AD is
used to effectively prevent name hijacking.

<boomboom999@xxxxxxxxx> wrote in message
news:1150339476.061923.225800@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

I have an Active Directory integrated DNS zone configured for secure
updates.
I am evaluating risks of permitting our DHCP server (Windows 2003-based
one) to register A and PTR records on behalf of workstations (Windows
XP).


If I understand correctly this option will compromise the whole idea of
the Secure DNS updates.


As the DHCP protocol is not secured at all, DHCP has absolutely no
means to validate who is requesting a DNS name update. So why does
Microsoft not mention these risks of allowing DNS updates via DHCP servers?
With a little effort, I can hijack any workstation's name.


Any ideas on how to secure DNS updates via DHCP?
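The reply above rests on one check an administrator can actually run: in a secure-update zone each DNS node object in AD has an owner, and a record the DHCP server registered "on behalf of" a client is owned by the DHCP server's computer account rather than by the host itself. The PowerShell below is an added example, not code from either poster, that lists the owner of every A record in an AD-integrated zone and flags the important names (DCs, servers) that are not owned by their own computer account. The zone name, domain DN, NetBIOS domain, DHCP server account and host list are placeholders to replace with your own; the example assumes the zone replicates to DomainDnsZones and that the DnsServer and ActiveDirectory modules are installed on the machine it runs on.

```powershell
# Added example (not from the thread): audit who owns the A records of an
# AD-integrated DNS zone, so names registered by the DHCP server can be told
# apart from names the owning machine registered itself.
param(
    [string]$ZoneName           = 'corp.example',          # assumption: zone name
    [string]$DomainDn           = 'DC=corp,DC=example',    # assumption: domain DN
    [string]$NetbiosDomain      = 'CORP',                  # assumption: NetBIOS domain
    [string[]]$DhcpServerAccounts = @('CORP\DHCP01$'),     # assumption: DHCP server computer account(s)
    [string[]]$ImportantHosts   = @('dc01', 'dc02')        # assumption: names that must be self-owned
)

Import-Module DnsServer
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

# Node objects of a DomainDnsZones-replicated zone live under this container
$zoneDn = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"

$report = foreach ($rr in Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A) {
    if ($rr.HostName -eq '@') { continue }        # skip the zone apex record

    $nodeDn = "DC=$($rr.HostName),$zoneDn"
    try {
        $owner = (Get-Acl -Path "AD:\$nodeDn").Owner
    } catch {
        $owner = '<node not found in AD>'
    }

    # In a secure zone a host that registered its own record owns it as DOMAIN\HOST$
    $expectedOwner = "$NetbiosDomain\$($rr.HostName)`$"

    [pscustomobject]@{
        Name        = $rr.HostName
        IPAddress   = $rr.RecordData.IPv4Address.IPAddressToString
        Owner       = $owner
        SelfOwned   = ($owner -eq $expectedOwner)
        ViaDhcp     = ($DhcpServerAccounts -contains $owner)
        Static      = (-not $rr.Timestamp)         # no aging timestamp = static record
        Important   = ($ImportantHosts -contains $rr.HostName)
    }
}

# The names the reply warns about: important hosts whose record is owned by
# the DHCP server (or nobody) instead of the machine itself.
$report |
    Where-Object { $_.Important -and -not $_.SelfOwned } |
    Format-Table Name, IPAddress, Owner, ViaDhcp, Static -AutoSize

# Full audit for later comparison
$report | Export-Csv -NoTypeInformation -Path .\dns-owner-audit.csv
```

Any important name that shows up in the filtered table should be registered by the host itself (or created as a static record) rather than left to DHCP, which is exactly the mitigation the reply describes. One caveat when reading the Owner column: if the DHCP server's account is a member of the DnsUpdateProxy group, the records it creates carry no owner-based protection at all, so they will not show the DHCP account as owner and can be taken over by any authenticated principal; such records deserve the same scrutiny as DHCP-owned ones.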
