9

What are the practical risks of enabling the unsecure DNS updates on Windows?

As far as I found enabling the unsecure DNS updates is a requirement for enabling DHCP Linux clients from registering their names with a FQDN.

I do want to know that are the practical risks involved in this in order to evaluate if that's ok to have these enabled or not.

As far as I know a machine would not be able to takeover another reserved name which would be the only real concern that I now.

Obviously it would be the DDOS but considering that we are talking about intranet here, I doubt this could be a real risk.

Do you have it enable on your domain or not? Did you ever had to disable it due to having some problems with it?

sorin
  • 8,016
  • 24
  • 79
  • 103

1 Answers1

10

Insecure

You should basically never, ever allow non-secure updates. Personally I don't even like that the DNS server even allows you to turn off secure updates. This allows anyone on your network (like a hacker) to register DNS records with no Active Directory authentication required. This would allow the attacker to "spoof" a DNS name on your network and redirect people to another server than the one they thought they were going to.

Another example of when this setting can ruin your day accidentally rather than maliciously... someone turned secure updates off... all of the HP ILOs (out of band management) on all the machines on the network were suddenly able to start dynamically registering their own DNS records... but the ILOs were named the same as the servers, so they overwrote the host servers' DNS records!

Disabling secure updates is a terrible idea. Just don't.

For a possible solution for getting your Linux clients to leverage DHCP in order to register DNS records securely, this might help: Register A records for my Linux box on my Windows 2008 DNS/DHCP server

Community
  • 1
Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
  • Yeah, happened to me once where someone plugged in a computer with the same name as a server and because my predecessor had turned off all forms of security, the DNS entry of the server got replaced by that random PC, thus all user requests to the server ending up on that PC!!! – ETL Oct 29 '15 at 15:49
  • @ETL have you mentioned that this "server" was problably offline for a long and that's why another machine was able to take its name. I doubt this can happen while the machine is up. – sorin Oct 29 '15 at 15:51
  • @sorin - server was definitely up. A linux server with, if I recall correctly, a static DNS entry (which was also not locked for editing) – ETL Oct 29 '15 at 17:25
  • I am working on on implementing the solution from the linked post, I hope it will work. – sorin Oct 29 '15 at 17:31