DNS DHCP IPAM

Reply

Problem DNS Server Dynamic Update Record Injection
wibowo25
Authority
Posts: 20

‎10-10-2018 01:21 AM

3541     0

Dear All,

 

 

Kindly your advice regarding solution for problem DNS Server Dynamic Update Record Injection, we found this problem when vendor IT Security conduct Vulnerability assessment / Penetration test before Infoblox  Production / GO Live and we have take action to solved this problem  as below :

 

1. We configure IP AD in Data Management - DNS - Members - Click member - Click edit - Updated - Override - Set of ACEs and configure  the IP AD ( example 1.1.1.1 )

 

After we configure we got result from Vendor IT Security PASSED  / FIXED  for problem DNS Server Dynamic Update Record Injection. But we found  issue  in syslog as below :

 

2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.2.2.2: update'core-c.corp.xxxx.co.id/IN' denied

 

 

2018-10-10 10:24:43 ICT daemon ERROR named [17289] client 1.3.3.4: update'core-c.corp.xxxx.co.id/IN' denied

 

So, we should put other IP ( 1.2.2.2 and 1.3.3.4 )  to solved this problem but customer complaint is not flexible.

 

 

My Question :

 

1. Any others solution  to solved for problem DNS Server Dynamic Update Record Injection ? Please advice.

 

 

Thanks in advance,

 

 

 

 

 

 

Reply
0 Kudos

Re: Problem DNS Server Dynamic Update Record Injection
braj
Moderator
Moderator
Posts: 45

‎10-12-2018 11:33 PM

3541     0

Hello,

I believe that you are looking for a solution in which instead of setting up Allow ACE’s for each IP address of the Clients that need to perform the DDNS Updates, you are looking for a simpler and more secure option.

 

You could consider one of the following two options depending on your Environment.

 

If Infoblox is serving DHCP, you can consider using the Infoblox DHCP Server to do the DDNS Updates on behalf of your Clients. This form of DDNS Updates are secure as when the DHCP Server sends the update to DNS Server (both being part of the same Grid), they authenticate the updates between them using TSIG (transaction signatures) based on an internal TSIG key.

 

If you wish for your Domain Controllers or other DHCP Servers or Clients to do the update instead, you could consider using TSIG Keys or GSS-TSIG updates.

 

You can refer to “Enabling DNS Servers to Accept DDNS Updates” and “Accepting GSS-TSIG Updates” sections of the NIOS Administrator Guide for the configurations.

 

Hope this helps.

 

Regards.

Reply
0 Kudos

Re: Problem DNS Server Dynamic Update Record Injection
wibowo25
Authority
Posts: 20

‎10-15-2018 07:04 AM

3541     0

Hi Braj,

 

Thanks for respond, i will discuss first with our team and also with customer regarding your advice Smiley Happy

 

 

Thank You,

 

Regards,

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community