Problem DNS Server Dynamic Update Record Injection

Authority
Posts: 19

Dear All,

Kindly advise on a solution for the DNS Server Dynamic Update Record Injection problem. We found this problem when the IT security vendor conducted a vulnerability assessment / penetration test before the Infoblox production go-live, and we have taken the following action to solve it:

1. We configured the AD IP in Data Management - DNS - Members - click member - click Edit - Updated - Override - Set of ACEs, and configured the AD IP (example: 1.1.1.1).

After we configured this, we got a PASSED / FIXED result from the IT security vendor for the DNS Server Dynamic Update Record Injection problem. But we found an issue in syslog, as below:

2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied

2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.3.3.4: update'core-c.corp.xxxx.co.id/IN' denied

So, we should add the other IPs (1.2.2.2 and 1.3.3.4) to solve this problem, but the customer complains that this is not flexible.

My question:

1. Is there any other solution to the DNS Server Dynamic Update Record Injection problem? Please advise.

Thanks in advance,

Re: Problem DNS Server Dynamic Update Record Injection

braj
Techie
Posts: 14

Hello,

I believe that you are looking for a solution in which, instead of setting up Allow ACEs for each IP address of the clients that need to perform the DDNS updates, you are looking for a simpler and more secure option.

You could consider one of the following two options, depending on your environment.

If Infoblox is serving DHCP, you can consider using the Infoblox DHCP server to do the DDNS updates on behalf of your clients. This form of DDNS update is secure because, when the DHCP server sends the update to the DNS server (both being part of the same Grid), they authenticate the updates between them using TSIG (transaction signatures) based on an internal TSIG key.

If you wish for your domain controllers or other DHCP servers or clients to do the update instead, you could consider using TSIG keys or GSS-TSIG updates.

You can refer to the “Enabling DNS Servers to Accept DDNS Updates” and “Accepting GSS-TSIG Updates” sections of the NIOS Administrator Guide for the configurations.

Hope this helps.

Regards.
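
Added example (not part of the thread and not Infoblox code): before moving from per-IP ACEs to TSIG or GSS-TSIG as suggested above, this Python script summarises the "update ... denied" syslog lines quoted in the question per zone and client, so the hosts still sending updates that the server refuses can be identified. The function names, the extra sample lines and the tolerance for a "#port" suffix are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# "#port" and the space after "update" are optional: the lines quoted in the
# question have neither (assumption: other named builds may log both).
DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?\bnamed ?\[\d+\]:? "
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f:.]+?)(?:#\d+)?: "
    r"update ?'(?P<zone>[^'/]+)/IN' denied")

# The first two lines are quoted from the question; the last two are constructed.
SAMPLE = [
    "2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied",
    "2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.3.3.4: update'core-c.corp.xxxx.co.id/IN' denied",
    "2018-10-10 10:39:43 ICT daemon ERROR named[17289]: client 1.2.2.2#50312: update 'core-c.corp.xxxx.co.id/IN' denied",
    "2018-10-10 10:40:01 ICT daemon INFO named[17289]: zone core-c.corp.xxxx.co.id/IN: sending notifies",
]

def denied_updates(lines):
    """Return {zone: {client_ip: [count, first_seen, last_seen]}}."""
    summary = defaultdict(dict)
    for line in lines:
        m = DENIED.search(line.strip())
        if not m:
            continue  # not an "update denied" message
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # malformed address field: skip rather than guess
        entry = summary[m["zone"].lower()].setdefault(ip, [0, m["ts"], m["ts"]])
        entry[0] += 1
        entry[1], entry[2] = min(entry[1], m["ts"]), max(entry[2], m["ts"])
    return dict(summary)

def _order(c):
    a = ipaddress.ip_address(c)
    return (a.version, int(a))  # IPv4 before IPv6, then numeric order

def needs_credential(summary, allowed):
    """Per zone, denied clients outside the allow ACEs (given as CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    def outside(c):
        return not any(ipaddress.ip_address(c) in n for n in nets)
    return {z: sorted(filter(outside, cl), key=_order) for z, cl in summary.items()}

if __name__ == "__main__":
    print(needs_credential(denied_updates(SAMPLE), ["1.1.1.1/32"]))
```

Each address in the output is a client that needs either its own allow ACE or a TSIG / GSS-TSIG credential; an address nobody recognises is worth investigating before it is allowed.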

Re: Problem DNS Server Dynamic Update Record Injection

Authority
Posts: 19

Hi Braj,

Thanks for the response. I will first discuss your advice with our team and also with the customer :)

Thank You,

Regards,