Preventing Windows Computers from Trying to Update Your Zones

8.7.1 Problem

You want to prevent computers running Windows 2000 and XP from trying to dynamically update your zones.

8.7.2 Solution

On the Windows computer, go to Start → Settings → Network and Dial-up Connections. For each network interface, right-click on the name of the interface and choose Properties. In the Properties window, double-click on Internet Protocol (TCP/IP). In the Internet Protocol (TCP/IP) Properties window, click on Advanced.... Finally, in the Advanced TCP/IP Settings window, click on the DNS tab. Uncheck Register this connection's addresses in DNS and click OK.

If you prefer to monkey around with the Registry, you can accomplish the same thing for all interfaces by adding a REG_DWORD value called DisableDynamicUpdate, with a value of 1, to the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.

8.7.3 Discussion

Computers running Windows 2000 and XP, by default, try to register their name-to-address and address-to-name mappings using dynamic update. (Well, that's not completely true: DHCP clients register their name-to-address mappings, but their DHCP servers normally add the address-to-name mappings.) Of course, unless you expressly allow such updates by adding an allow-update substatement to your zone statements, your name server will deny those updates. However, you may get sick of seeing errors like these in syslog:

Jun 5 13:56:07 ns1 named[50684]: error: client 192.168.0.254#3181: update 'foo.example/IN' denied

These messages are logged to the security category, and you certainly don't want to discard all security-related messages, so it's important to know how to stop the updates at their source.

In BIND 9.3.0, those messages are in the update-security category, so you can send those messages to the null channel without missing more important security-relevant messages.
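
To stop the updates at their source you first need to know which clients are sending them. The following is an added example, not code from the book: a Python script that tallies denied-update messages by client address. The log lines are constructed samples in the format shown above, and the function names are this example's own.

```python
import re
from collections import Counter

# named's denied-update message, in the format shown in this recipe:
#   named[PID]: error: client ADDR#PORT: update 'NAME/CLASS' denied
DENIED = re.compile(
    r"named\[\d+\]: .*?client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r".*?: update '(?P<zone>[^'/]+)/(?P<cls>\w+)' denied"
)

# Constructed sample input (the first line is the one from the text above).
SAMPLE = """\
Jun 5 13:56:07 ns1 named[50684]: error: client 192.168.0.254#3181: update 'foo.example/IN' denied
Jun 5 13:56:09 ns1 named[50684]: error: client 192.168.0.254#3182: update '0.168.192.in-addr.arpa/IN' denied
Jun 5 13:57:12 ns1 named[50684]: error: client 192.168.0.17#1046: zone transfer 'example/AXFR/IN' denied
Jun 5 14:02:40 ns1 named[50684]: error: client 192.168.0.17#1051: update 'example/IN' denied
""".splitlines()


def denied_update_sources(lines):
    """Map each client address to a Counter of the names it tried to update."""
    sources = {}
    for line in lines:
        m = DENIED.search(line)
        if m:  # other "denied" messages (e.g. zone transfers) are skipped
            sources.setdefault(m["ip"], Counter())[m["zone"].lower()] += 1
    return sources


def report(sources):
    """Return (client, total attempts, names) tuples, busiest client first."""
    rows = sorted(sources.items(), key=lambda kv: -sum(kv[1].values()))
    return [(ip, sum(z.values()), sorted(z)) for ip, z in rows]


if __name__ == "__main__":
    for ip, total, names in report(denied_update_sources(SAMPLE)):
        print(f"{ip:15}  {total:3} denied update(s): {', '.join(names)}")
```

Run it over your own syslog file by passing the open file object to denied_update_sources in place of SAMPLE.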

8.7.4 See Also

Section 8.8, in case you want to do something productive with those dynamic updates.

DNS & BIND Cookbook
ISBN: 0596004109
EAN: 2147483647
Year: 2005
Pages: 220
Authors: Cricket Liu
