Security Concerns with Windows DNS
- From: BCW <nospam@xxxxxxxxxx>
- Date: Sun, 30 Apr 2006 16:11:16 -0400
I am working in an environment where we manage hundreds of client servers in
our network. We currently use an old version of Cisco DNS, all static.
This causes repetitive logon error messages in our DC error logs because,
although the resource record subdomains are permitted to be dynamic and the
resource records are being accepted there, the servers do not successfully
register their A records because we do not permit dynamic entries for
security reasons. The servers we manage are all stand-alone servers for
now, but our internal operations AD domain uses the same DNS servers and is
a parent DNS domain for all our customer server subdomains.
I suggested Windows DNS as a replacement, at least for the parent domain, with
AD integration and dynamic updates to eliminate the Windows error messages
and other potential problems. My chief engineer is adamantly opposed to
Windows DNS or dynamic updates because of security concerns. When I
explained that in the Windows view clients update themselves, especially
the domain controllers, he considered that an enormous security risk. Has
anyone actually done a realistic security review of the 2003 Windows DNS
setup with AD dynamic updates compared with, say, Unix BIND without them? Am
I correct in saying that the dynamic updates within AD, if accepting secure
only, are authenticated by the machine accounts using Kerberos and are
therefore very low risk? He is convinced that we could lose our SOA record
by having an enemy NS impersonate our primary name server record for our
SOA and register a false address. Is this realistically possible with AD
integrated DNS and secure updates only selected?
Also, because of some of our management apps we use CNAME records
extensively. I have seen where you can have the clients dynamically update
related alias records via a selection when you create them initially. If
the records get scavenged from a client not being connected for a
significant period of time, for instance a traveling computer, when the
client reconnects and reregisters will we have to manually recreate the CNAME
record?
Thanks.
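The following is an added example, not part of the original post or of any reply to it. It is the audit a practitioner would run against an AD-integrated zone to answer the three points the question raises with data rather than opinion: which dynamic-update mode the zone is actually in, who holds write rights on the zone apex node where the SOA and NS records live (in AD-integrated DNS every record name is a dnsNode object protected by an ordinary AD ACL, which is what "secure only" means in practice), and which CNAME records carry an aging timestamp and are therefore candidates for scavenging. It assumes Windows Server 2012 or later with the DnsServer and ActiveDirectory PowerShell modules, which did not exist in the Windows Server 2003 environment described above; the server name `dc01` and zone name `corp.example.com` are placeholders.

```powershell
# Added example (not from the original post). Audits an AD-integrated DNS zone
# for the settings discussed in the thread. Assumes the DnsServer and
# ActiveDirectory modules (Windows Server 2012+); $Server and $Zone are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory

$Server = 'dc01'               # assumed DNS server / domain controller
$Zone   = 'corp.example.com'   # assumed AD-integrated forward lookup zone

# 1. Dynamic-update mode. Only 'Secure' limits updates to Kerberos-authenticated
#    AD principals (machine and user accounts); 'NonsecureAndSecure' accepts
#    unauthenticated updates from anyone who can reach the server.
$z = Get-DnsServerZone -ComputerName $Server -Name $Zone
[pscustomobject]@{
    Zone          = $z.ZoneName
    ADIntegrated  = $z.IsDsIntegrated
    DynamicUpdate = $z.DynamicUpdate      # None | NonsecureAndSecure | Secure
    Replication   = $z.ReplicationScope   # Domain | Forest | Legacy | Custom
} | Format-List

# Tighten a zone that is AD-integrated but still accepts unauthenticated updates.
if ($z.IsDsIntegrated -and $z.DynamicUpdate -ne 'Secure') {
    Set-DnsServerPrimaryZone -ComputerName $Server -Name $Zone -DynamicUpdate Secure
}

# 2. Who can write the zone apex node (the "@" dnsNode holding SOA and NS)?
#    Locate the dnsZone object in the partition matching the replication scope.
$domainDN = (Get-ADDomain).DistinguishedName
$forestDN = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
$zoneDN = switch ($z.ReplicationScope) {
    'Domain' { "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN" }
    'Forest' { "DC=$Zone,CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN" }
    'Legacy' { "DC=$Zone,CN=MicrosoftDNS,CN=System,$domainDN" }
    default  { throw "Zone $Zone is not AD-integrated; there is no dnsZone object to inspect." }
}
$apexDN = "DC=@,$zoneDN"

# List every principal with write rights on the apex node. A plain machine
# account that registered its own A record should not appear here.
(Get-Acl -Path "AD:\$apexDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 3. Aging and scavenging. Only records that carry a timestamp are ever
#    scavenged. A CNAME created by hand has no timestamp and is never removed;
#    one added with Add-DnsServerResourceRecordCName -AgeRecord carries a
#    timestamp and will be scavenged if it is not refreshed.
Get-DnsServerZoneAging -ComputerName $Server -Name $Zone |
    Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval |
    Format-List
Get-DnsServerScavenging -ComputerName $Server |
    Select-Object ScavengingState, ScavengingInterval, LastScavengeTime |
    Format-List

Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -RRType CName |
    Select-Object HostName,
        @{ n = 'Target';    e = { $_.RecordData.HostNameAlias } },
        @{ n = 'Timestamp'; e = { if ($_.Timestamp) { $_.Timestamp } else { 'static (not scavenged)' } } } |
    Sort-Object Timestamp |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT installed as a user who can read the zone's AD objects; the `Set-DnsServerPrimaryZone` step needs DnsAdmins or equivalent rights and can be removed for a read-only audit. The ACL listing is the part worth keeping: it shows concretely which identities could alter the apex records, which is the question the chief engineer is really asking.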