Issue with Dynamic DNS updates with TSIG from 3rd party dhcp

Posts: 8
6611     0

I am running the newest version of nios

We recently moved our windows DNS to infoblox and we are running with GSS-TSIG DNS update only and it works just fine, but...


Today we had an issue with a DNS record that got dynamically updated with a wrong IP address.

we found out that the update was made by a domain joined windows dhcp server which had the IPv4 DNS options to "Dynamically update DNS A and PTR records for DHCP clients that do not request updates".


the dns record update was initiated by a unauthorized pc which had the same name as the DNS record that got updated.


Is it possible to secure critical dns entries against overwrites without losing the posiblity of dynamic dns updates?




Terje Persson | Technical University of Denmark

Re: Issue with Dynamic DNS updates with TSIG from 3rd party dhcp

Posts: 86
6612     0

Well, if you move DHCP to Infoblox and get us to do the update then this problem goes away because we also update the A and PTR with an associated TXT record which is a hash of the client's MAC and hardware identifier (thus becoming the DHCID) so that any future updates to that specific client's records can only be made from that client itself. 


I recall there was an interesting solution note recently that proved exactly what you just discovered the hard way - that GSS TSIG validation for the zone means that any user that is part of the domain can still add/change records in that zone. I'll try to dig up that solution note...

Re: Issue with Dynamic DNS updates with TSIG from 3rd party dhcp

Posts: 27
6612     0


if you intend to protect a small set of resource records,

one way to do this is to use Infoblox Hosts instead of A records for these resources and set a MAC address for these Hosts (00:00:00:00:00:00 will work as well)

This way, you can still run DDNS while having some static/protected RR

Showing results for 
Search instead for 
Did you mean: 

Recommended for You