protect dns record


  • protect dns record

    I have a situation where a new PC was named with the name of the web server (the web server has a static address), and access to the web server was lost because all requests to it were redirected to the new computer.

    Why did this happen, and how can I prevent it?

    Thanks.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: protect dns record

    If this is an AD domain then:
    - Configure AD integrated DNS zones and allow only secure dynamic updates
    - Configure AD to not allow non-administrative users to join computers to the domain (http://forums.petri.com/showpost.php...78&postcount=2)
    - Educate your admins to not create duplicate computer accounts.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    • #3
      Re: protect dns record

      If your web server is not a member of the domain and the computer is a member, this may be challenging to prevent. If both systems are joined to the same domain, then the domain would not accept duplicate computer accounts. If the web server's name is different from the computer name, but you were using an alias for the web server, again, it may be challenging to prevent this unless you create a bogus computer name for the alias in your domain.

      In addition, following the suggestions that JeremyW outlined will help mitigate this issue from occurring in the future.
      JM @ IT Training & Consulting
      http://www.itgeared.com

      • #4
        Re: protect dns record

        Jeremy and JM Thanks.
        The zone was configured for nonsecure and secure updates.
        The added machine was not joined to the domain.
        This explains why the DNS record was "updated" with a dynamic address.

        Does it make sense, to completely protect a record from change, to set Security to System as Read and uncheck all others...?
        Last edited by mla; 13th January 2012, 02:21. Reason: added
        "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

        • #5
          Re: protect dns record

          I wouldn't change the ACL on the DNS record. I would recommend that you configure the zone to allow secure updates only. This will ensure that when a domain member creates a record, the ACL is updated accordingly so that the computer that created the record has ownership.

          Additionally, for your web servers and other important network hosts, you can always convert those DNS records to "static" records. That way, they will remain in place, not be at risk of being removed by "Aging and Scavenging", and no system will be able to update the record.
          JM @ IT Training & Consulting
          http://www.itgeared.com

          • #6
            Re: protect dns record

            JM,
            Basically, when adding a host with a static IP and DNS, the record is added dynamically and shows a timestamp.
            When you say easily convert to static, do you mean to recreate the record manually?
            Thx.
            Last edited by mla; 13th January 2012, 04:32.
            "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

            • #7
              Re: protect dns record

              The record is considered dynamic when the zone accepts dynamic updates and the host sends a Dynamic DNS update. The record gets created and a timestamp is applied. The timestamp is there so that if you enable Aging and Scavenging on the DNS servers and zone, you can purge old records that do not get updated.

              If there is a timestamp, the record is dynamic, not static, even though it belongs to a computer with a static IP. The host's IP configuration has nothing to do with whether a DNS record is static or dynamic. If the host creates the record, it is dynamic. If you create the record manually, it is static.

              How to convert the record: just delete it and create a new one manually.

              If the record has a timestamp and if you ever enable aging and scavenging, the record will be purged if not updated by the host (according to the scavenging settings). I think it's a good idea to have static records in DNS for those hosts such as servers providing important network services. However, that is just my opinion. If all works as expected, dynamic records remain intact because the host routinely updates the record's timestamp.
              JM @ IT Training & Consulting
              http://www.itgeared.com

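Added example (not from the thread, and not code from either poster): the advice in posts #5 and #7 as a PowerShell script using the DnsServer module. It switches the zone to secure-only dynamic updates, reports which records for the important hosts still carry a timestamp (i.e. are dynamic and scavengeable), warns when a name resolves to an unexpected address, and converts the dynamic records to static ones by deleting and recreating them manually. The zone name `corp.example`, the host `web01` and the address `10.0.0.10` are assumptions; replace them with your own. Run it on a DNS server or a machine with RSAT, with DNS admin rights.

```powershell
# Added example, not from the original thread. Zone, host and IP are assumed values.
Import-Module DnsServer

$ZoneName = 'corp.example'                 # assumed AD-integrated zone
$Hosts    = @{ 'web01' = '10.0.0.10' }     # assumed important hosts -> expected IPv4

# 1. Allow only secure dynamic updates. A host that is not a domain member can
#    then neither register nor overwrite a name; a domain member owns the
#    records it creates, so it cannot overwrite someone else's.
$zone = Get-DnsServerZone -Name $ZoneName
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Host "Zone $ZoneName accepts '$($zone.DynamicUpdate)' updates; switching to Secure"
    Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
}

foreach ($name in $Hosts.Keys) {
    $expected = $Hosts[$name]
    $records  = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $name -RRType A -ErrorAction SilentlyContinue

    # 2. A record with a Timestamp was registered dynamically (and is subject to
    #    aging/scavenging); a static record has no timestamp.
    foreach ($rr in $records) {
        $ip = $rr.RecordData.IPv4Address.IPAddressToString
        if ($rr.Timestamp) {
            Write-Host "$name -> $ip is DYNAMIC (timestamp $($rr.Timestamp))"
        } else {
            Write-Host "$name -> $ip is static"
        }
        if ($ip -ne $expected) {
            # This is the symptom from the first post: the name now points elsewhere.
            Write-Warning "$name resolves to $ip but $expected was expected"
        }
    }

    # 3. Convert dynamic -> static: delete the dynamic record(s) and create the
    #    record manually. The new record has no timestamp and is owned by the
    #    administrator who created it, not by a host.
    $dynamic = $records | Where-Object { $_.Timestamp }
    if ($dynamic) {
        $dynamic | Remove-DnsServerResourceRecord -ZoneName $ZoneName -Force
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $expected
        Write-Host "Recreated $name as a static A record pointing at $expected"
    }
    elseif (-not $records) {
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $expected
        Write-Host "Created static A record $name -> $expected"
    }
}
```

Re-run `Get-DnsServerResourceRecord -ZoneName corp.example -Name web01 -RRType A` afterwards: the `Timestamp` column should be empty, which is what "static" means here. Note that with `-DynamicUpdate Secure` the zone must be AD-integrated; on a standard primary zone the cmdlet will refuse the value.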
              • #8
                Re: protect dns record

                JM,
                let me shake your hand for your time and ability to explain things in such GREAT manner...
                "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                • #9
                  Re: protect dns record

                  Originally posted by JeremyW View Post
                  If this is an AD domain then:
                  - Configure AD integrated DNS zones and allow only secure dynamic updates
                  - Configure AD to not allow non-administrative users to join computers to the domain (http://forums.petri.com/showpost.php...78&postcount=2)
                  - Educate your admins to not create duplicate computer accounts.

                  Jeremy,
                  please explain the info in the link you provided above:

                  "By default any authenticated user has a right to join up to 10 computers to a domain. This is enforced not via ACL, but rather via User Right in conjunction with ms-DS-MachineAccountQuota attribute on the head of the domain object (take a look with adsiedit or any other LDAP editor)."

                  What does it mean "any authenticated" and "up to 10"?
                  A delegated user or Admin doesn't have a limit.
                  "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                  • #10
                    Re: protect dns record

                    Correct. But by default any user that is not delegated the privilege is able to join up to 10 computers to the domain. Changing the ms-DS-MachineAccountQuota to 0 will ensure only admins and users that are explicitly delegated this privilege will be able to join computers to the domain.
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com

                    • #11
                      Re: protect dns record

                      So regular AD user Bob brings his laptop, connects to the corporate LAN, types the domain name, enters his user name and password when prompted, and that is it...
                      the laptop is a domain member computer?
                      I cannot believe it.
                      If it is true, what is the goal of creating this hole?
                      "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

                      • #12
                        Re: protect dns record

                        @mla- I appreciate it. I hope the information has helped you. If I may add to JeremyW's suggestion, I would agree with that recommendation as well. I have never been too fond of allowing users to join computers to the domain.

                        Modifying the ms-DS-MachineAccountQuota attribute will prevent users from joining workstations to the domain by default. However, if you (as an administrator) create a computer object in the domain, you could give permission (via the wizard while you create the computer) to the user to join the computer to the domain, so this action still allows for control and provides the user with the ability to join the domain.

                        Additionally, if you have a group of desktop support staff, you could just delegate the permission of joining and managing computer objects at the OU level. You would create a security group that contains the users you want to give that permission to, then use the delegation wizard (by right clicking the OU) and assign permissions to that security group. This will allow that group to create computer accounts in the target OU and join the computers to the domain.

                        This is a high level, but the details are readily available.
                        JM @ IT Training & Consulting
                        http://www.itgeared.com

                        • #13
                          Re: protect dns record

                          Originally posted by mla View Post
                          So regular AD user Bob brings his laptop, connects to the corporate LAN, types the domain name, enters his user name and password when prompted, and that is it...
                          the laptop is a domain member computer?
                          I cannot believe it.
                          If it is true, what is the goal of creating this hole?
                          I've wondered why Microsoft designed it this way too.
                          But it's not as big a hole as you think. Essentially, when a user joins a computer to the domain they are giving the domain administrative privileges over the computer. It's subjecting itself to the policies and configurations of the domain.

                          The headaches come from administering and controlling the environment when you have objects in it that you don't know where they were added from.
                          Regards,
                          Jeremy

                          Network Consultant/Engineer
                          Baltimore - Washington area and beyond
                          www.gma-cpa.com

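Added example (not from the thread, and not either poster's code): the quota change from posts #10 and #12 and the "where did this object come from" problem from post #13, as a PowerShell script using the ActiveDirectory module. It reads the domain's `ms-DS-MachineAccountQuota`, sets it to 0, lists the computer objects that were joined under the quota (AD stamps those with the joining user's SID in `mS-DS-CreatorSID`; objects created by an administrator or pre-staged do not get it), and shows the narrowest grant that lets a support group create computer objects in one OU, which is what the delegation wizard does for the "create/delete computer objects" task. The domain `corp.example`, the OU `OU=Workstations` and the group `CORP\Desktop-Support` are assumptions. Run as a Domain Admin or equivalent; the quota change needs write access to the domain head.

```powershell
# Added example, not from the original thread. OU and group names are assumed.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Read the quota. The default of 10 means any authenticated user may join
#    ten computers without any delegated permission.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot) is $quota"

# 2. Set it to 0: only admins and explicitly delegated principals can join afterwards.
if ($quota -ne 0) {
    Set-ADDomain -Identity $dn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'Quota set to 0'
}

# 3. Audit: which computers were joined by ordinary users under the quota?
#    mS-DS-CreatorSID is only populated for objects created that way.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated
foreach ($c in $joined) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($c.'mS-DS-CreatorSID', 0)
    try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $sid.Value }   # creator account may have been deleted
    Write-Host ('{0,-20} {1:yyyy-MM-dd}  joined by {2}' -f $c.Name, $c.whenCreated, $who)
}
if (-not $joined) { Write-Host 'No computer objects were created through the quota' }

# 4. Delegation for a support group on one OU (assumed names). CCDC = create and
#    delete child objects of class "computer"; the creator becomes owner of the
#    objects it creates and can therefore complete the join. /I:T applies the
#    grant to the OU and everything under it.
$ou    = "OU=Workstations,$dn"
$group = 'CORP\Desktop-Support'
if (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ou'") {
    dsacls $ou /I:T /G "${group}:CCDC;computer"
} else {
    Write-Warning "OU $ou not found; skipping delegation (adjust the assumed name)"
}
```

After the quota is 0, a user such as Bob in post #11 gets "the user has not been granted the requested logon type" or an access denied error on join unless an admin pre-staged the computer object for him or he is in the delegated group. The audit in step 3 is also useful before changing anything: it tells you how many of the objects already in the directory arrived the same way the rogue machine in the first post did.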