Allow Only Secure Dynamic Updates

Applies To: Windows Server 2008

Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use Dynamic Host Configuration Protocol (DHCP) to obtain an IP address.

Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Active Directory Domain Services (AD DS). After you integrate a zone with the directory, access control list (ACL) editing features are available in DNS Manager so that you can add or remove users or groups from the ACL for a specified zone or resource record.

You can use this procedure to allow only secure dynamic updates using either the DNS Manager snap-in or the dnscmd command-line tool.

Membership in Administrators, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Allowing only secure dynamic updates

  • Using the Windows interface

  • Using a command line

To allow only secure dynamic updates using the Windows interface

  1. Open DNS Manager. To open DNS Manager, click Start, point to Administrative Tools, and then click DNS.

  2. In the console tree, right-click the applicable zone, and then click Properties.

  3. On the General tab, verify that the zone type is Active Directory-integrated.

  4. In Dynamic Updates, click secure only.

Additional considerations

  • Secure dynamic update is supported only for Active Directory–integrated zones.

  • Dynamic update is a Request for Comments (RFC)–compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)," and in RFC 3645, “Generic Security Service Algorithm for Secret Key Transaction Authentication for DNS (GSS-TSIG)”

To allow only secure dynamic updates using a command line

  1. Open a command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    dnscmd <ServerName> /Config {<ZoneName>|..AllZones} /AllowUpdate 2
    
Parameter Description

dnscmd

The command-line tool for managing DNS servers.

<ServerName>

Required. Specifies the DNS host name of the DNS server. You can also type the IP address of the DNS server. To specify the DNS server on the local computer, you can also type a period (.)

/Config

Required. Configures the specified zone.

<ZoneName>|..AllZones

Required. Specifies the fully qualified domain name (FQDN) of the zone. To configure all zones that are hosted on the specified DNS server to allow dynamic updates, type ..AllZones.

/AllowUpdate

Required. Enables the zone to perform dynamic updates.

2

Required. Configures the server to allow secure update. If you exclude the 2, the zone will be set to perform standard dynamic updates only.

To view the complete syntax for this command, at a command prompt, type the following command, and then press ENTER:

dnscmd /Config /help 

Additional considerations

  • Dynamic update is an RFC-compliant extension to the DNS standard. The DNS update process is defined in RFC 2136, "Dynamic Updates in the Domain Name System (DNS UPDATE)."

  • By default, the DNS server allows a zone transfer only to authoritative DNS servers that are listed in the name server (NS) resource records for the zone.

Additional references