Problem DNS Server Dynamic Update Record Injection
10-10-2018 01:21 AM
Dear All,
Kindly give your advice regarding a solution for the problem DNS Server Dynamic Update Record Injection. We found this problem when the IT Security vendor conducted a Vulnerability Assessment / Penetration Test before Infoblox Production / Go Live, and we have taken action to solve this problem as below:
1. We configured the IP AD in Data Management - DNS - Members - Click member - Click edit - Updated - Override - Set of ACEs and configured the IP AD (example 1.1.1.1)
After we configured this, we got the result PASSED / FIXED from the IT Security vendor for the problem DNS Server Dynamic Update Record Injection. But we found an issue in syslog as below:
2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied
2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.3.3.4: update'core-c.corp.xxxx.co.id/IN' denied
So, we should add the other IPs (1.2.2.2 and 1.3.3.4) to solve this problem, but the customer complains that this is not flexible.
My question:
1. Is there any other solution to solve the problem DNS Server Dynamic Update Record Injection? Please advise.
Thanks in advance,
Re: Problem DNS Server Dynamic Update Record Injection
10-12-2018 11:33 PM
Hello,
I believe that, instead of setting up Allow ACEs for each IP address of the Clients that need to perform the DDNS Updates, you are looking for a simpler and more secure option.
You could consider one of the following two options depending on your Environment.
If Infoblox is serving DHCP, you can consider using the Infoblox DHCP Server to do the DDNS Updates on behalf of your Clients. This form of DDNS Update is secure because, when the DHCP Server sends the update to the DNS Server (both being part of the same Grid), they authenticate the updates between them using TSIG (transaction signatures) based on an internal TSIG key.
If you wish for your Domain Controllers or other DHCP Servers or Clients to do the update instead, you could consider using TSIG Keys or GSS-TSIG updates.
You can refer to “Enabling DNS Servers to Accept DDNS Updates” and “Accepting GSS-TSIG Updates” sections of the NIOS Administrator Guide for the configurations.
Hope this helps.
Regards.
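Before choosing between more ACEs and TSIG / GSS-TSIG, it helps to know which clients are actually being refused. The following is an added example, not part of the thread and not Infoblox code: it tallies `update ... denied` syslog lines per client and zone and marks which clients fall outside the current allow list. The function name `denied_updates` and all sample lines after the first two are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# named's "update ... denied" message. The "#port" suffix and the space
# before the quoted zone are optional because the lines in the post lack both.
DENIED = re.compile(
    r"named\s*\[\d+\]:?\s+client\s+(?:@0x[0-9a-f]+\s+)?"
    r"(?P<ip>[0-9A-Fa-f.:]+?)(?:#\d+)?:\s+"
    r"update\s*'(?P<zone>[^'/]+)/\w+'\s+denied"
)

# The first two lines are from the post; the rest are constructed samples.
SAMPLE = [
    "2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied",
    "2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.3.3.4: update'core-c.corp.xxxx.co.id/IN' denied",
    "2018-10-10 10:24:50 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied",
    "Oct 10 10:25:01 ns1 named[17289]: client 1.1.1.1#53211: update 'core-c.corp.xxxx.co.id/IN' denied",
    "Oct 10 10:25:02 ns1 named[17289]: client 1.2.2.2#40000: query: host.example IN A +",
]


def denied_updates(lines, allowed):
    """Count denied DDNS updates per (client, zone) and mark ACL membership."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    counts = Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue  # not an update-denied message
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field; skip rather than guess
        counts[(str(ip), m.group("zone").lower())] += 1
    report = []
    for (ip, zone), n in sorted(counts.items()):
        in_acl = any(ipaddress.ip_address(ip) in net for net in nets)
        report.append({"client": ip, "zone": zone, "denied": n, "in_acl": in_acl})
    return report


if __name__ == "__main__":
    for row in denied_updates(SAMPLE, ["1.1.1.1/32"]):
        print(row)
```

A client reported with `in_acl` true but still denied points at an ACL that is not applied where the zone is served, while clients with `in_acl` false are the ones that would need either an ACE or a TSIG / GSS-TSIG key.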
Re: Problem DNS Server Dynamic Update Record Injection
10-15-2018 07:04 AM
Hi Braj,
Thanks for the response. I will discuss your advice with our team first, and also with the customer.
Thank You,
Regards,