How to prevent hostname theft?


Jörg Schütter

Hello NG

In our network we have dynamic DHCP with automatic registration in DNS
(by the client itself or by the DHCP server for "downlevel" clients).
Everything works fine except one case.

Assume we have a server called "sapserver01" whose data
(hostname and IP address) is in the DNS database.
Now there is a client which tries to get a new lease. While trying to
get the IP address it sends its hostname to the DHCP server. The
hostname on this client is (by accident or on purpose) equal to the name
of the SAP server (sapserver01). The IP address "behind" the hostname
sapserver01 will now be the one of the client.

How can this be prevented? There is no way of getting rid of the dynamic
DHCP and the dynamic registration.

Joerg
 
Jörg Schütter said:
> Hello NG
>
> In our network we have dynamic DHCP with automatic registration in DNS
> (by the client itself or by the DHCP server for "downlevel" clients).
> Everything works fine except one case.
>
> Assume we have a server called "sapserver01" whose data
> (hostname and IP address) is in the DNS database.
> Now there is a client which tries to get a new lease. While trying to
> get the IP address it sends its hostname to the DHCP server. The
> hostname on this client is (by accident or on purpose) equal to the
> name of the SAP server (sapserver01). The IP address "behind" the
> hostname sapserver01 will now be the one of the client.
>
> How can this be prevented? There is no way of getting rid of the
> dynamic DHCP and the dynamic registration.
>
> Joerg

You can turn off DNS registration in DHCP. Use the DHCP console, right-click
on the scope, choose Properties, and on the DNS tab uncheck "Automatically
update DHCP client information in DNS".
 
Jörg Schütter said:
> Hello NG
>
> In our network we have dynamic DHCP with automatic registration in DNS
> (by the client itself or by the DHCP server for "downlevel" clients).
> Everything works fine except one case.
>
> Assume we have a server called "sapserver01" whose data
> (hostname and IP address) is in the DNS database.
> Now there is a client which tries to get a new lease. While trying to
> get the IP address it sends its hostname to the DHCP server. The
> hostname on this client is (by accident or on purpose) equal to the
> name of the SAP server (sapserver01). The IP address "behind" the
> hostname sapserver01 will now be the one of the client.
>
> How can this be prevented? There is no way of getting rid of the
> dynamic DHCP and the dynamic registration.
>
> Joerg

In addition to Kevin's response, why would you on purpose have an identical
name? Name uniqueness is very important in a Windows environment.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I'm just curious how you got to have two computers with the same name on
your network.
 
Hello Kevin

> You can turn off DNS registration in DHCP. Use the DHCP console, right-click
> on the scope, choose Properties, and on the DNS tab uncheck "Automatically
> update DHCP client information in DNS".

Sorry for my bad English. My intention was to say that we need the
dynamic DHCP and the automatic registration.

How can we prevent the DNS from accepting a transmitted hostname if the
hostname is already statically entered in the database?
 
Hello Ace,

> In addition to Kevin's response, why would you on purpose have an identical
> name? Name uniqueness is very important in a Windows environment.

Yes, this is obvious. But the bad guys don't care.
 
> Yes, this is obvious. But the bad guys don't care.

Jörg, that's unfortunate that they don't understand the basics of a
network, that is assuming they are network engineers.

--
Regards,
Ace
 
> Sorry for my bad English. My intention was to say that we need the
> dynamic DHCP and the automatic registration.
>
> How can we prevent the DNS from accepting a transmitted hostname if the
> hostname is already statically entered in the database?

Jörg,

You can disable it on that specific machine in its NIC properties, IP
properties, Advanced button, DNS tab, uncheck "register this connection" at
the bottom of the page.

--
Regards,
Ace
 
Hello Lanwench,

> I'm just curious how you got to have two computers with the same name on
> your network.

They are non-Windows computers. The first one was a temporary
installation. The IP address of this computer was entered into the DNS
database.
A few weeks later the new hardware arrived and a machine with the same
hostname was set up in the laboratory (with dynamic DHCP and automatic
DNS).
 
Jörg Schütter said:
> Hello Lanwench,
>
> They are non-Windows computers. The first one was a temporary
> installation. The IP address of this computer was entered into the DNS
> database.
> A few weeks later the new hardware arrived and a machine with the same
> hostname was set up in the laboratory (with dynamic DHCP and automatic
> DNS).

I see. So is the old hardware going to be removed or will both machines
remain on the network?

--
Regards,
Ace
 
> > How can we prevent the DNS from accepting a transmitted hostname if the
> You can disable it on that specific machine in its NIC properties, IP
> properties, Advanced button, DNS tab, uncheck "register this connection" at
> the bottom of the page.

I don't think you can solve the problem that Jorg is trying to prevent.
(BTW, his English is excellent -- much better than my "Scandinavian" <grin>)

Here's the real problem: You can certainly disable dynamic update by the
DHCP server or by any particular client manually or maybe even through a
GPO.

BUT, you can do this for a random client -- especially one installed by an
attacker (malicious) or by mistake (anybody can make one some of the time.)

Possible methods (and problems):

1) Use secure updates -- at least only your machines can do the updates.
2) Disable the ability for users to add ("courtesy") computer accounts to the
   domain, so that only Admins, AccountOperators, delegated groups, etc.
   can create computer accounts.
   Problem: DHCP is promiscuous so it will service non-domain machines.
3) Disable the DHCP update AND enforce the secure updates plus #2.
   Problem: We lose the ability to update for legacy clients but now only
   machines the admins installed can update DNS.

#3 (which includes #1 & #2) comes closest.

Can a manually entered A record also have a dynamically registered
alternative?
(I haven't tested this -- one would need to purposely create a name
duplication.)

Ideas anyone?
 
Herb Martin said:
> I don't think you can solve the problem that Jorg is trying to
> prevent. (BTW, his English is excellent -- much better than my
> "Scandinavian" <grin>)
>
> Here's the real problem: You can certainly disable dynamic update by
> the DHCP server or by any particular client manually or maybe even
> through a GPO.
>
> BUT, you can do this for a random client -- especially one installed
> by an attacker (malicious) or by mistake (anybody can make one some
> of the time.)
>
> Possible methods (and problems):
>
> 1) Use secure updates -- at least only your machines can do the updates.
> 2) Disable the ability for users to add ("courtesy") computer accounts to the
>    domain, so that only Admins, AccountOperators, delegated groups, etc.
>    can create computer accounts.
>    Problem: DHCP is promiscuous so it will service non-domain machines.
> 3) Disable the DHCP update AND enforce the secure updates plus #2.
>    Problem: We lose the ability to update for legacy clients but now only
>    machines the admins installed can update DNS.
>
> #3 (which includes #1 & #2) comes closest.
>
> Can a manually entered A record also have a dynamically registered
> alternative?
> (I haven't tested this -- one would need to purposely create a name
> duplication.)
>
> Ideas anyone?

I guess the secure update method would be best and maybe, in conjunction, use
the DNSUpdateProxy Group so it owns the record and can overwrite the
incorrect name.

317590 - HOW TO Configure DNS Dynamic Update in Windows 2000 and
DNSUpdateProxy Group:
http://support.microsoft.com/?id=317590

--
Regards,
Ace
 
> I guess the secure update method would be best and maybe, in conjunction, use
> the DNSUpdateProxy Group so it owns the record and can overwrite the
> incorrect name.

No, that falls back into the problem of a ROGUE machine getting the
DNS server to perform the deed. Roughly the equivalent of a burglar talking
the security guard into "opening the door."
 
JS> How can this be prevented?

Method #1:

Do not assign IP addresses to the server via DHCP; prevent unsecured
dynamic updates; enter the DNS data, for the server, into the DNS
database manually; and set appropriate access controls on those data.

Method #2:

Make use of the hierarchical nature of the DNS namespace. Give all of
your server machines domain names that are subdomains of
"servers.schuetter.org.", placing tight controls on who may populate
that portion of the DNS database and how; and give all of your client
machines domain names that are subdomains of
"workstations.schuetter.org.", with looser controls on who may change
that portion of the DNS database.

<URL:http://groups.google.com/[email protected]>
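As an added illustration, not code from the thread or from any Microsoft product, the following Python model replays the situation under the controls the replies converge on: secure-only dynamic updates that tie a record to the principal which created it (Herb's #1), a server record entered by hand that no dynamic update may overwrite (Method #1 above), and a split namespace where only admins may write under servers.schuetter.org while workstations register themselves under workstations.schuetter.org (Method #2 above). It also shows Herb's objection to relying on the DnsUpdateProxy group: a record the DHCP server created on one client's behalf is the DHCP server's to overwrite for whichever client asks next, while a static admin-owned record stays untouched. All principal names, hostnames and addresses are constructed for the example; the zone policy is a simplified stand-in for the ACLs a real secure-update zone carries, not an implementation of the Windows DNS server.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed principal names; a real deployment has its own.
ADMINS = "SCHUETTER\\Domain Admins"
DHCP_SERVER = "SCHUETTER\\dhcpsrv01$"   # assumed member of DnsUpdateProxy
LAB_PC = "SCHUETTER\\labpc07$"
ROGUE = "SCHUETTER\\rogue-box$"        # authenticated, but not an admin


@dataclass
class Record:
    ip: str
    owner: str            # principal allowed to overwrite the record
    static: bool = False  # entered by hand; never touched by dynamic update


@dataclass
class Zone:
    name: str
    # Method #2: name suffix -> principals allowed to write there.
    # None means any authenticated principal may register its own name.
    subdomain_policy: Dict[str, Optional[Set[str]]] = field(default_factory=dict)
    records: Dict[str, Record] = field(default_factory=dict)

    def add_static(self, host: str, ip: str) -> None:
        """Method #1: the admin enters the server record by hand."""
        self.records[host] = Record(ip, ADMINS, static=True)

    def dynamic_update(self, host: str, ip: str,
                       principal: Optional[str]) -> Tuple[bool, str]:
        """Decide a dynamic update the way a secure-update-only zone would."""
        if principal is None:
            return False, "unsecured update refused; zone is secure-only"
        for suffix, allowed in self.subdomain_policy.items():
            if host.endswith("." + suffix) and allowed is not None \
                    and principal not in allowed:
                return False, f"{principal} may not write under {suffix}"
        existing = self.records.get(host)
        if existing is None:
            self.records[host] = Record(ip, principal)
            return True, "new record created"
        if existing.static:
            return False, "static record; dynamic update refused"
        if existing.owner != principal:
            return False, f"owned by {existing.owner}, not {principal}"
        existing.ip = ip  # the owner refreshing its own record
        return True, "owner refreshed its own record"


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Replay the thread's situation and return each request's outcome."""
    zone = Zone("schuetter.org", subdomain_policy={
        "servers.schuetter.org": {ADMINS},
        "workstations.schuetter.org": None,
    })
    zone.add_static("sapserver01.schuetter.org", "10.0.0.5")
    zone.add_static("sapserver01.servers.schuetter.org", "10.0.0.5")
    results: Dict[str, Tuple[bool, str]] = {}
    # Flat namespace: the lab client claims the SAP server's name.
    results["rogue_unsecured"] = zone.dynamic_update(
        "sapserver01.schuetter.org", "10.0.9.77", None)
    results["rogue_secure"] = zone.dynamic_update(
        "sapserver01.schuetter.org", "10.0.9.77", ROGUE)
    # The DHCP server updating on a client's behalf cannot touch it either.
    results["dhcp_proxy_on_static"] = zone.dynamic_update(
        "sapserver01.schuetter.org", "10.0.9.77", DHCP_SERVER)
    # Split namespace: only admins may write under servers.schuetter.org.
    results["rogue_servers_subdomain"] = zone.dynamic_update(
        "sapserver01.servers.schuetter.org", "10.0.9.77", ROGUE)
    # Workstations register themselves and may refresh their own record.
    results["labpc_register"] = zone.dynamic_update(
        "labpc07.workstations.schuetter.org", "10.0.9.20", LAB_PC)
    results["labpc_refresh"] = zone.dynamic_update(
        "labpc07.workstations.schuetter.org", "10.0.9.21", LAB_PC)
    # Another authenticated machine cannot take over the workstation's name.
    results["rogue_takes_labpc"] = zone.dynamic_update(
        "labpc07.workstations.schuetter.org", "10.0.9.77", ROGUE)
    # Herb's point: a record the DHCP server created is the DHCP server's
    # to overwrite, so it will do so for whichever client asks next.
    results["dhcp_creates"] = zone.dynamic_update(
        "oldbox.workstations.schuetter.org", "10.0.9.30", DHCP_SERVER)
    results["dhcp_overwrites_for_next_client"] = zone.dynamic_update(
        "oldbox.workstations.schuetter.org", "10.0.9.77", DHCP_SERVER)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{'ACCEPT' if ok else 'REFUSE'}  {name}: {why}")
```

Running the script prints one ACCEPT/REFUSE line per request. The four attempts on sapserver01 are refused for different reasons (unsecured update, static record, static record again via the DHCP server, and the servers.schuetter.org write restriction), the workstation can create and refresh its own record but nobody else can overwrite it, and the last pair shows why a DHCP server that owns records is only as trustworthy as the clients it serves.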
 