How to limit dynamic DNS updates

security domain-name-system windows-server-2008-r2 dynamic-dns

Windows DNS entries have ACLs. Check and/or set them.

enter image description here

Generally speaking, dynamically updated hostnames/A records allow anyone to update them, but static ones do not, but either way, this behavior is configurable.

When creating a new A record/hostname entry, you have the option to either allow any authenticated user to modify the record or not:

enter image description here

And it sounds like "not" is what you'd prefer. Lucky for you, that's the default.

In fact, the default settings work pretty well, in that they won't allow just anyone to poison the DNS records, or take over a domain controller's A record in the DNS table by simply renaming their machine and performing a dynamic DNS update. So unless your DNS environment is has been explicitly configured in a particularly poor and very specific way, you and your boss don't have anything to worry about.

But don't take my word for it... check the ACLs yourself, and try to hijack a domain controller's (or whatever else's) DNS records with an unauthenticated client.

Related

Our IP was listed by Spamhaus - how can we prevent this from happening again?
ERROR: The partition with /var/lib/mysql is too full!
Change list of allowed logon computers from batch file
Migrate Windows Server 2008 to a new hard disk
How to give user permissions on ubuntu server?
For setting locale in Ubuntu, what does the LANGUAGE environment variable mean?
Where to put the SSH login info in rsync command?
How to extract the last two (or any number) directories from a path with sed?
Creating bootable Fedora USB with persistent storage
VMWare ESXi 3.5 "Could not power on VM: No space left on device"
Apache / PHP server delaying for a minute before responding
Cant find my harddrives in ubuntu installation?