Re: DHCP security breach
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Thu, 15 Jun 2006 13:59:56 -0700
So you are saying that your servers are using DHCP and also
requesting DHCP to handle the DNS registrations?
I get the impression you are looking to find a bulletproof approach
for using this capability in I believe unintended, and ill-advised, ways.
Have your servers handle their own DNS registrations.
That will automatically make each the allowed principal for updating
their own RRs in DNS.
Then, consider whether you really do need DNS resolution for the
clients - which usually is more of a management convenience except
in environments that encourage non-server-based collaboration.
Again, if a name is not yet present then any authenticated machine
could claim it anyway, so the issue the DHCP might be made to do
this is not that great except relative to non-domain and/or non-MS
DHCP client machines on your network. Your changing the account
used by DHCP or the ACLing on the DNS nodes in AD would not
alter the issue you have posted about. If DHCP is able to adjust the
RRs in DNS, then it still would if you have that behavior configured.
If you did not want that behavior change the DHCP configuration.
In short, you have a point in your initial post, but it implies choosing
not to do a number of more reasonable things in how you configure,
so I guess I am not clear what you are attempting to accomplish
as outlined in your follow-up posting.
--
Roger Abell
<boomboom999@xxxxxxxxx> wrote in message
news:1150350124.426194.91760@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Roger,
I agree with you that theoretically I can preserve integrity of
important DNS records by preventing DHCP from rewriting them. But in
practice, what can I do?
Microsoft recommends running DHCP under a low privilege account.
I am wondering why Microsoft omits in their docs any recommendations on
the ACL that this account must have on DNS zones.
Suppose I have one zone with 4000 workstations and 300 servers. The
DHCP server acts under a specific AD account. I do not want to tweak
ACLs on every single record in my DNS zone.
What permissions should I give to the DHCP account on my DNS zone?
Maybe something like this?
Domain Computers = Create child objects
CREATOR/OWNER = Full Control
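As an added example (not from either poster) of the two things the thread turns on: making the DHCP server stop registering records on behalf of clients so each machine owns its own resource records, and then auditing which principal actually owns and can write each dnsNode in the zone. It assumes a Windows Server host with the DhcpServer and ActiveDirectory PowerShell modules, an AD-integrated zone with domain-wide replication, and the placeholder values for zone, domain DN and DHCP service account shown in the param block.

```powershell
# Added example, not part of the original thread. The zone name, domain DN
# and DHCP service account below are assumed placeholders; adjust them.
param(
    [string]$ZoneName    = 'corp.example.com',
    [string]$DomainDN    = 'DC=corp,DC=example,DC=com',
    [string]$DhcpAccount = 'CORP\svc-dhcp'
)
Import-Module DhcpServer, ActiveDirectory

# 1. Only update DNS when the client asks for it (DHCP option 81) and never
#    register on behalf of clients that can do it themselves. Each server
#    then registers its own A/PTR records and becomes the owner of its
#    dnsNode, which is what secure dynamic update enforces on later changes.
Set-DhcpServerv4DnsSetting -DynamicUpdates OnClientRequest `
                           -UpdateDnsRRForOlderClients $false `
                           -DeleteDnsRRonLeaseExpiry $true
Get-DhcpServerv4DnsSetting | Format-List DynamicUpdates, UpdateDnsRRForOlderClients

# 2. Audit ownership and write access on every record in the zone.
#    AD-integrated zones with domain-wide replication live under the
#    DomainDnsZones application partition; one dnsNode object per name.
$zoneDN = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty,GenericWrite,GenericAll'

$nodes = Get-ADObject -SearchBase $zoneDN -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=dnsNode)' `
                      -Properties nTSecurityDescriptor

foreach ($n in $nodes) {
    $sd = $n.nTSecurityDescriptor            # System.DirectoryServices.ActiveDirectorySecurity
    $writers = $sd.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.ActiveDirectoryRights -band $writeMask) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    # Records owned by the DHCP account are the ones DHCP (not the host)
    # registered; those are the ones the DHCP account could still rewrite.
    [pscustomobject]@{
        Record    = $n.Name
        Owner     = $sd.Owner.Value
        DhcpOwned = ($sd.Owner.Value -eq $DhcpAccount)
        Writers   = ($writers -join ', ')
    }
}
```

Run the audit part before and after changing the DHCP setting: the records whose Owner is the DHCP account are exactly the ones the original poster's concern applies to, and they will stay DHCP-owned until they are re-registered by their hosts.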