Security Considerations for Windows2000 Dynamic DNS

Windows2000 Domain name resolution is based on dynamic DNS, the implementation of dynamic DNS is based on RFC 2136. Under Windows 2000, dynamic DNS is integrated with DHCP, WINS, and Active Directory (AD). There are three ways to implement DNS under Windows 2000 domains: integrated with Active Directory, primary DNS integrated with Active directories, secondary DNS that is not integrated with active directories, primary DNS that is not integrated with active directories, and secondary DNS that is not integrated with active directories. When DNS completes integration into the Active Directory, we can take advantage of the three important security features in the WINDOWS2000 network: Secure dynamic updates, secure zone transfers, access control lists for zone and resource records.

First, security dynamic update

One of the most important security features in Dynamic DNS (DDNS) is security updates. One of the primary considerations when implementing security updates is the ownership of records consisting of DNS entries. Ownership is determined by the configuration of DHCP and support for the client.

There are two DNS records related to the client: a record and PTR record, a record resolves the name to the address, and the PTR record resolves the address to the name. Address refers to the IP address of a client, the name refers to a customer's fully qualified domain name, should be the computer name plus the domain name of the network.

In a Windows 2000 environment, client DNS records are registered when a client requests an IP through DHCP. Depending on the settings, the client, DHCP server, or both can update the customer's A and PTR records, who registers the record, and who has ownership of the record.

The following is an option to define the customer's A and PTR record ownership in the Windows2000 network.

1. Windows2000 Native mode

In a Windows2000 environment, both the DHCP server and the DHCP client can register records through DNS. This Windows2000 environment is defined as "native mode" when the network is composed only of Windows2000 servers and clients.

When a client is a Windows2000 client, the default configuration is to dynamically update its own a record when the customer registers on the network, while the DHCP server updates the customer's PTR record. Therefore, the ownership of a record belongs to the client, and the ownership of the PTR record belongs to the DHCP server.

The second possible configuration is for the DHCP server to update forward and reverse lookup, in which case the DHCP server owns all both A and PTR records.

The third possible configuration is that the DHCP server is configured to not perform dynamic updates, in which case the client updates A and PTR records, as well as ownership of the records.

2. Windows2000 Promiscuous Mode

In a promiscuous mode environment, DHCP clients cannot register under DNS. The so-called promiscuous mode is the network in addition to Windows2000 server, the client has WindowsNT4.0 or WINDOWS98 customers.

Previous clients, such as WindowsNT4.0 and windows9x, cannot be registered directly through DNS. Because only the DHCP server can register records through DNS, the only option in a promiscuous environment is for the DHCP server to register A and PTR records, in which case the server has ownership of forward and reverse lookup records.

3. Secure dynamic Update

In a Windows2000 network, secure dynamic updates are available only if the Active Directory is integrated with the DNS zone. What does a secure dynamic update mean? In Windows2000, it means using the ACL of the Active Directory to make user and group permissions to modify the DNS zone and/or its resource records. To allow updating of DNS zones and/or its resource records, dynamic updates also use secure channels and authentication, in addition to ACLs.

WINDOWS2000 supports secure dynamic updates using the IETF-drafted "GSS Algorithm for TSIG" (GSS-TSIG) algorithm. This algorithm uses Kerberos V5 as a priority authentication protocol, and GSS-API is defined in RFC2078.