Is it possible to have both static and a dynamic A record created for the same host on an internal DNS server?

bind internal-dns dynamic-dns ddns

I am working on a case study related to risks from insecure dynamic DNS updates. Suppose there is an internal DNS configured that has a mix of static and dynamically created addresses. Consider a Windows AD integrated DNS environment.

I need some help on few of the queries below

  1. Can there coexist a static and a dynamically created A record for the same host - referring to different IP addresses on the DNS server? (eg. Dynamic A record created by a new system introduced on the network with same hostname)
  2. If yes, how would the DNS resolution happen for such cases? Can DNS query resolve to the incorrect dynamic A record instead of the static A record?
  3. Can this be avoided by having a secure dynamic dns configuration instead of a insecure ddns updates? If so how could secure DDNS prevent such scenario.

Any assistance on this matter wil be quite helpful.

Thanks in advance.


Can there coexist a static and a dynamically created A record for the same host

A name can resolve to multiple IP addresses, that is have multiple A or AAAA records. Clients will get the whole set of them when querying for the name.

How the IP addresses are provisioned is kind of irrelevant to the above, except that in "dynamic" cases, often an update is in fact a replacement, that is: "please resolve X to address Y now, after having removed all existing IP addresses for it".

So it all depends how your dynamic stuff is working. If it is additive, then you can have a mix.

If yes, how would the DNS resolution happen for such cases? Can DNS query resolve to the incorrect dynamic A record instead of the static A record?

If there are multiple A records, they are all returned. The client has no way to know from where they come (dynamic or static).

Can this be avoided by having a secure dynamic dns configuration instead of a insecure ddns updates? If so how could secure DDNS prevent such scenario.

Yes, and also making only a subzone of your zone open to dynamic updates, not the whole zone.

Related

enabling ssl connection from wordpress to mysql
Increase memory usage on NFS Server
Add to route table destnation using this syntax *.mycompany.net
Intuitive Reason that Quantifier Order Matters
Proving that free modules are flat (without appealing projective modules)
How can I pick a random point on the surface of a sphere with equal distribution?
Show that $x^4 + 8$ is irreducible over Z
The divergent sum of alternating factorials
How does equality $\mathfrak{m}^\mathfrak{m} = 2^\mathfrak{m}$ in $\sf{ZF}$ relate to the axiom of choice?
Do 3 consecutive primes always form a triangle?
Limit of a Wiener integral
order of a sylow p-subgroup