ISC transitional and No TXT record do the same thing?
02-04-2019 02:09 AM
Hi Guys,
So in the end, as far as practicality goes, are both these methods doing the same thing right?
Does ISC transitional protect against any specific DNS attacks? Like a client or a tool using nsupdate?
— ISC Transitional: Select this check box to enable less stringent handling of DDNS updates. Specifically, the NIOS appliance enables you to add or modify A or AAAA records whether or not TXT records exist. It checks whether a TXT record exists and then processes the update. If the appliance does not find a TXT record, it adds the record.
— No TXT Record: Select this check box to disable TXT record checking. Specifically, A or AAAA records are added, modified, or deleted whether or not the TXT records match. No TXT records are added, and existing TXT records are ignored.
Thanks.
Re: ISC transitional and No TXT record do the same thing?
02-04-2019 07:11 AM
There are 4 modes used to protect DNS records when updated by DHCP.
ISC
Check TXT Only
ISC Transitional
No Checking
They are listed in order, with most secure at the top. As you said, the bottom two have no checking involved. If you want to move from No Checking to ISC or Check TXT Only, you must first go through ISC Transitional. When you enable ISC Transitional, DHCP will begin creating matching TXT records for all DHCP hosts. You must do this for at minimum the duration of your DHCP lease. If your DHCP leases expire after 12 hours, for example, you would use ISC Transitional for at least 12 hours to ensure that all active DHCP leases are updated with matching TXT records. In practicality, the duration depends on your environment. Taking user vacations and other factors into account, it probably makes more sense to run for 1-2 weeks to ensure all DHCP hosts have a TXT record. After that time, you can then move to Check TXT Only or ISC.
If you move directly from No Checking to Check TXT Only or ISC, none of your DHCP hosts will be registered in DNS if a TXT record does not exist.
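The migration described above, as an added simulation (not Infoblox or ISC DHCP code): the four modes are modelled as a policy applied by the DHCP server when it registers a lease, and a host created under No Checking is walked through ISC Transitional into ISC. Assumptions: the TXT value is a stand-in hash of the client identifier (the real ISC format differs), and ISC and Check TXT Only are treated alike because the thread does not distinguish them.

```python
import hashlib

# Constructed model of the four DDNS TXT-record handling modes described above.
# Assumptions: the TXT value is a stand-in hash of the client identifier (the real
# ISC format differs); "ISC" and "Check TXT Only" are modelled alike because the
# thread does not distinguish them.
OWNERSHIP_MODES = {"ISC", "Check TXT Only"}


def txt_value(client_id: str) -> str:
    """Ownership token the DHCP server stores in the TXT record (stand-in hash)."""
    return hashlib.sha256(client_id.encode()).hexdigest()[:32]


def apply_update(zone: dict, mode: str, name: str, ip: str, client_id: str) -> bool:
    """Simulate the DHCP server registering name -> ip for client_id; True if accepted.

    This check lives in the DHCP server only: a client using nsupdate directly is
    governed by the zone's allow-update ACL, which this model does not cover.
    """
    record = zone.get(name, {})
    existing_txt = record.get("TXT")
    expected = txt_value(client_id)
    if mode == "No Checking":
        # A updated regardless; no TXT is ever added and an existing TXT is ignored
        zone[name] = {"A": ip, **({"TXT": existing_txt} if existing_txt else {})}
        return True
    if mode == "ISC Transitional":
        # A updated regardless; a TXT record is created when none exists yet
        zone[name] = {"A": ip, "TXT": existing_txt or expected}
        return True
    if mode in OWNERSHIP_MODES:
        # an existing name is only changed by the client whose TXT matches;
        # a name with no TXT (e.g. created under No Checking) cannot be updated
        if "A" in record and existing_txt != expected:
            return False
        zone[name] = {"A": ip, "TXT": expected}
        return True
    raise ValueError(f"unknown mode: {mode}")


def migration_demo() -> list:
    """Walk one host through the recommended transition; returns each outcome."""
    zone = {}
    steps = [
        ("No Checking", "laptop1", "10.0.0.5", "client-A"),       # registered, no TXT
        ("ISC", "laptop1", "10.0.0.6", "client-A"),               # refused: no TXT to prove ownership
        ("ISC Transitional", "laptop1", "10.0.0.6", "client-A"),  # accepted, TXT created
        ("ISC", "laptop1", "10.0.0.7", "client-A"),               # accepted: TXT matches
        ("ISC", "laptop1", "10.0.0.99", "client-B"),              # refused: name owned by client-A
    ]
    return [apply_update(zone, *step) for step in steps]
```

The second step is the failure the reply warns about: a host registered with no TXT record is locked out as soon as the mode jumps straight to ISC, and only the transitional pass repairs it.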
Re: ISC transitional and No TXT record do the same thing?
02-05-2019 01:33 AM
@allwynmascar wrote:
Does ISC transitional protect against any specific DNS attacks? Like a client or a tool using nsupdate?
If a client is using nsupdate there is no checking of TXT records, they can update DNS independently of TXT records. The only thing that checks for the existence of TXT records is the ISC DHCP server.
So it is still very important to use an ACL to specify who can perform DDNS updates (allow-update). Infoblox automatically adds the DHCP servers to this ACL, but you might want to add domain controllers if it's an AD zone, and maybe some specific servers like SQL servers that are running in a cluster, but definitely do not allow clients or Windows servers to update DNS directly.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: ISC transitional and No TXT record do the same thing?
03-07-2019 02:38 AM
And if I have laptops with Wi-Fi and LAN cards, then in that case ISC transitional would be required, right, so that both the Wi-Fi and LAN cards can have a TXT record created?
Re: ISC transitional and No TXT record do the same thing?
03-07-2019 07:54 AM
@allwynmascar wrote:
And if I have laptops with Wi-Fi and LAN cards, then in that case ISC transitional would be required, right, so that both the Wi-Fi and LAN cards can have a TXT record created?
This would work; however, this is intended as a temporary setting and using it as a primary configuration defeats the primary purpose of the TXT record handling feature. What would be better is to separate out the zones that wireless clients operate on so that they can have their own separate configurations and allow you to take full advantage of the benefits that the TXT record handling feature provides.
Regards,
Tony