

Recipe 13.18. Preventing Windows Clients from Attempting Dynamic Updates

Problem

You've disabled dynamic updates entirely on your name servers for security reasons and want to ensure that clients don't waste processing cycles by sending dynamic updates to your servers.

Solution

Using a graphical user interface

To disable dynamic updates for a specific interface such as Local Area Connection, do the following:

  1. For Windows 2000, click Start Start

    Double-click on Local Area Connection and click Properties.

  2. Double-click on Internet Protocol (TCP/IP) and click Advanced.

  3. Select the DNS tab and clear the checkbox labeled Register this connection's addresses in DNS.

To disable dynamic updates globally for all interfaces on a client, do the following:

  1. Open Registry Editor (regedit.exe).

  2. In the left pane, navigate to the following key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.

  3. From the menu, select Edit OK.

  4. Double-click on DisableDynamicUpdate and assign it a value of 1.

  5. Close Registry Editor and reboot the client computer.

On Windows Server 2003, you can also use Group Policy to disable dynamic updates on Windows XP and 2003 clients:

  1. Open the Active Directory Users and Computers (ADUC) snap-in.

  2. In the left pane, right-click on the domain or OU that contains the computer objects for your client computers and select Properties.

  3. Select the Group Policy tab, select the appropriate Group Policy Object (GPO), and click Edit.

  4. In the left pane of the Group Policy Editor, select Computer Configuration

    Double-click on the policy named Dynamic Update.

  5. Change the policy setting to Disabled.

Using a command-line interface

The following command disables dynamic updates on a client configured with a static IP address and sets the name server address to 10.0.0.1:

> netsh interface ip set dns "Local Area Connection" static 10.0.0.1 register=none

To disable dynamic updates on a client machine that uses DHCP to acquire an IP address, use the following command:

> netsh interface ip set dns "Local Area Connection" dhcp register=none

And the following command globally disables dynamic updates for all interfaces on the client:

> reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v DisableDynamicUpdate /t REG_DWORD /d 1

Reboot the system to make this change take effect.

Using VBScript

The following VBScript automates the same registry change as outlined in the previous reg command:

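' Write DisableDynamicUpdate as a DWORD; without an explicit type, RegWrite stores a string
Set objWSHShell = CreateObject("WScript.Shell")
strRegKey = "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"
objWSHShell.RegWrite strRegKey & "DisableDynamicUpdate", 1, "REG_DWORD"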

Discussion

Disabling dynamic updates on clients will prevent them from attempting to register their A and PTR records with the name server. Note that when you set the DisableDynamicUpdate registry value to 1 on the client, the checkbox labeled "Register this connection's addresses in DNS," located on the DNS tab of the TCP/IP Advanced Properties page for each connection, is unaffected. If you later change your mind and want your client to attempt dynamic updates, change the registry value to 0 and reboot your machine.
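
Because the registry value and the per-connection checkbox are independent, an audit of a client has to read both. The following script is an added example, not code from the book: it reads the global value through the WMI StdRegProv provider and the per-interface setting through Win32_NetworkAdapterConfiguration. The computer name "." (local machine) is an assumption, as is a client whose WMI exposes the FullDNSRegistrationEnabled property.

```vbscript
' Added example: audit both dynamic-update switches on one computer via WMI.
' strComputer is an assumption; "." means the local machine.
Option Explicit

Const HKLM = &H80000002
Const TCPIP_KEY = "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

Dim strComputer, objReg, objWMI, colNics, objNic, intRc, dwValue

strComputer = "."

' Global switch: the registry value set in the Solution section.
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
intRc = objReg.GetDWORDValue(HKLM, TCPIP_KEY, "DisableDynamicUpdate", dwValue)

If intRc <> 0 Or IsNull(dwValue) Then
    ' A missing value leaves the Windows default behavior in place.
    WScript.Echo "Global: DisableDynamicUpdate is not set"
ElseIf dwValue = 1 Then
    WScript.Echo "Global: dynamic updates disabled"
Else
    WScript.Echo "Global: dynamic updates enabled (value " & dwValue & ")"
End If

' Per-interface switch: corresponds to the checkbox
' "Register this connection's addresses in DNS".
Set objWMI = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colNics = objWMI.ExecQuery( _
    "SELECT Description, FullDNSRegistrationEnabled " & _
    "FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

For Each objNic In colNics
    If IsNull(objNic.FullDNSRegistrationEnabled) Then
        WScript.Echo objNic.Description & ": registration setting not reported"
    ElseIf objNic.FullDNSRegistrationEnabled Then
        WScript.Echo objNic.Description & ": registration checkbox selected"
    Else
        WScript.Echo objNic.Description & ": registration checkbox cleared"
    End If
Next
```

Run it with cscript.exe so each result is printed to the console instead of appearing in a separate message box.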

See Also

MS KB 246804 (How to enable or disable dynamic DNS registrations in Windows 2000 and in Windows Server 2003) and MS KB 294785 (New Group Policies for DNS in Windows Server 2003)



Windows Server Cookbook
Windows Server Cookbook for Windows Server 2003 and Windows 2000
ISBN: 0596006330
Year: 2006
Pages: 380
Authors: Robbie Allen
