DHCP Security breach


boomboom999

Hello,

I have an Active Directory integrated zone configured for secure
updates.
I am evaluating risks of permitting our DHCP server (Windows 2003-based
one) to register A and PTR records on behalf of workstations (Windows
XP).

If I understand correctly this option will compromise the whole idea of
the Secure DNS updates.

As the DHCP protocol is not secured at all, DHCP has absolutely no
means to validate who is requesting a DNS name update. So why does
Microsoft not mention these risks of allowing DNS updates via DHCP
servers? With a little effort, I can hijack any workstation's name.

Any ideas on how to secure DNS updates via DHCP?
 

Your DHCP server can only be as secure as your network; if they can get past
your firewall to get an address assigned by your DHCP server, the DHCP
service is the least of your problems.
If you assign a dedicated user account with a non-expiring password on
the Advanced tab of the DHCP server properties sheet for DHCP to use to
authenticate with DNS, DHCP will be able to make secure updates.
 
Kevin said:
Your DHCP server can only be as secure as your network; if they can get past
your firewall to get an address assigned by your DHCP server, the DHCP
service is the least of your problems.

Yeah, but that is not a solution. I am looking for secure DNS updates
because I cannot fully trust my client workstations. The "real" secure
DNS updates are secured by Kerberos authentication. This Kerberos
authentication serves to prevent name hijacking.

I do not understand why Microsoft misleads customers by saying that DNS
updates made by DHCP can be secured. They are not secure at all.


Here is an explanation from MS KB:

http://support.microsoft.com/kb/816592/en-us

<<
Caution The secure dynamic updates functionality can be compromised if
the following conditions are true:

· You run a DHCP server on a Windows Server 2003-based domain
controller

· The DHCP server is configured to perform registration of DNS
records on behalf of its clients.

To avoid this issue, deploy DHCP servers and domain controllers on
separate computers, or configure the DHCP server to use a dedicated
user account for dynamic updates. For more information, see the "Using
DNS servers with DHCP" topic in Windows Server 2003 Help.
>>

This is a misleading statement. The secure updates are compromised
every time you decide to allow DHCP to update DNS records.
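An audit a defender can run against the two KB conditions quoted above and the dedicated-account mitigation Kevin describes, added here as an example and not code from the thread or from Microsoft. It assumes the DhcpServer, DnsServer and ActiveDirectory PowerShell modules (Windows Server 2012 or later RSAT, so not the Windows 2003 box in the thread itself), an AD-integrated zone stored in the DomainDnsZones partition, and placeholder server and zone names:

```powershell
# Added audit script, not code from the thread. Assumes the DhcpServer, DnsServer and
# ActiveDirectory modules (Windows Server 2012+ / RSAT), a domain-joined admin session,
# and an AD-integrated zone held in the DomainDnsZones partition. Names are placeholders.
param(
    [string]$DhcpServer = 'dhcp01.corp.example',   # placeholder
    [string]$DnsServer  = 'dc01.corp.example',     # placeholder
    [string]$Zone       = 'corp.example'           # placeholder
)
Import-Module DhcpServer, DnsServer, ActiveDirectory

# KB condition 1: is the DHCP server also a domain controller?
$onDc = (Get-ADDomainController -Filter *).HostName -contains $DhcpServer

# KB condition 2: is DHCP registering A/PTR records on behalf of its clients?
$dnsSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer

# KB mitigation: a dedicated account for dynamic updates (DHCP > Properties > Advanced).
$cred = Get-DhcpServerDnsCredential -ComputerName $DhcpServer
$updater = if ($cred.UserName) { "$($cred.DomainName)\$($cred.UserName)" }
           else { '(none: the DHCP server computer account is used)' }

[pscustomobject]@{
    DhcpServer         = $DhcpServer
    OnDomainController = $onDc
    DynamicUpdates     = $dnsSetting.DynamicUpdates   # Always / OnClientRequest / Never
    UpdateIdentity     = $updater
    Finding            = if ($onDc -and $dnsSetting.DynamicUpdates -ne 'Never' -and -not $cred.UserName) {
                           'KB 816592 condition met: DHCP on a DC registering with the DC computer account'
                         } else { 'Exposure limited to records owned by the update identity' }
} | Format-List

# Blast radius: every A record owned by the update identity can be rewritten the next
# time any DHCP client leases that name. Records owned by a host's own computer
# account (self-registering domain members) are outside the DHCP server's rights.
$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -ne '@' } |
    ForEach-Object {
        # Each record is a dnsNode object in AD; its owner is who registered it.
        $owner = (Get-Acl -Path "AD:\DC=$($_.HostName),$zoneDn").Owner
        [pscustomobject]@{ Host = $_.HostName; IP = $_.RecordData.IPv4Address; Owner = $owner }
    } |
    Group-Object Owner | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A zone stored in the domain partition or ForestDnsZones needs the matching container in `$zoneDn`; the owner grouping shows how many names a single DHCP lease could redirect.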
 
Implement IPsec.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 