Score:1

Is it possible to have both static and a dynamic A record created for the same host on an internal DNS server?

ru flag

I am working on a case study related to risks from insecure dynamic DNS updates. Suppose there is an internal DNS configured that has a mix of static and dynamically created addresses. Consider a Windows AD integrated DNS environment.

I need some help with a few of the queries below.

  1. Can a static and a dynamically created A record for the same host coexist on the DNS server, referring to different IP addresses? (e.g. a dynamic A record created by a new system introduced on the network with the same hostname)
  2. If yes, how would the DNS resolution happen in such cases? Can a DNS query resolve to the incorrect dynamic A record instead of the static A record?
  3. Can this be avoided by having a secure dynamic DNS configuration instead of insecure DDNS updates? If so, how could secure DDNS prevent such a scenario?

Any assistance on this matter will be quite helpful.

Thanks in advance.

Score:2
cn flag

Can there coexist a static and a dynamically created A record for the same host

A name can resolve to multiple IP addresses, that is, have multiple A or AAAA records. Clients will get the whole set of them when querying for the name.

How the IP addresses are provisioned is kind of irrelevant to the above, except that in "dynamic" cases, often an update is in fact a replacement, that is: "please resolve X to address Y now, after having removed all existing IP addresses for it".

So it all depends how your dynamic stuff is working. If it is additive, then you can have a mix.

If yes, how would the DNS resolution happen for such cases? Can DNS query resolve to the incorrect dynamic A record instead of the static A record?

If there are multiple A records, they are all returned. The client has no way to know from where they come (dynamic or static).

Can this be avoided by having a secure dynamic dns configuration instead of a insecure ddns updates? If so how could secure DDNS prevent such scenario.

Yes, and also making only a subzone of your zone open to dynamic updates, not the whole zone.

ru flag
Thanks for the quick response, I have a follow-up. Agreed, dynamic IP addresses are not the concern here. The concern is the implementation of insecure DDNS updates. Suppose there is a static DNS record xyz : 1.1.1.1 : A and now a new host is introduced in the network with the same hostname xyz; when this tries to register its DNS record dynamically, what happens? 1. Does it create another DNS entry, this one being dynamic? 2. Does it update the existing static DNS record with the new IP address? 3. Does it decline creating a new record? Consider Windows AD integrated DNS for the scenario.
Patrick Mevzek
cn flag
All 3 points are implementation specific, so that can vary, and you specify it is Windows AD integrated DNS, on which I have 0 knowledge, sorry. You should put the details of your comment in your main question, and specifically the platform; it would help people give a more precise answer, mine is just a generic one.
ru flag
Got it. Really, thank you for taking the time to respond to the thread. I have updated the environment now.
Tommiie
bw flag
I believe that you can configure it so that only the DHCP server can send dynamic updates to DNS instead of the clients sending the dynamic DNS update after receiving an update from the DHCP server. This also prevents issues as only your trusted DHCP servers can send updates and not every single client computer in the network.
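The three behaviours discussed in this thread (additive versus replacing dynamic updates, the resolver returning the whole RRset regardless of how each record got there, and restricting updates to an authenticated owner or to the DHCP server only) can be shown with a small in-memory model. The following Python is an added illustration, not code from the thread or from any DNS server. It models RFC 2136 update semantics in a simplified way: an "add" update appends to the RRset, a "replace" update deletes the RRset and then adds, and a "secure" zone accepts updates only from listed principals and refuses to touch records owned by someone else (an assumed simplification of the per-record ACL that secure dynamic update uses). The name `xyz` and the address `1.1.1.1` come from the follow-up comment; the address `10.0.0.50` and the principal names are constructed.

```python
"""Toy model of static vs dynamic A records under different update policies.

Added example; it does not talk to a real DNS server.  Origins ("static" /
"dynamic") are tracked so a defender can spot names that ended up with a mix,
which is exactly what a client querying the name cannot see.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RR:
    ip: str
    origin: str             # "static" (admin-created) or "dynamic" (update)
    owner: Optional[str]    # principal that registered it; None = admin/static


@dataclass
class Zone:
    records: Dict[str, List[RR]] = field(default_factory=dict)
    secure: bool = False                      # owner-checked, authenticated updates
    update_allowed: Set[str] = field(default_factory=set)  # principals allowed when secure

    def add_static(self, name: str, ip: str) -> None:
        self.records.setdefault(name, []).append(RR(ip, "static", None))

    def resolve(self, name: str) -> List[str]:
        # A plain A query returns the whole RRset; the origin is invisible here.
        return [rr.ip for rr in self.records.get(name, [])]

    def dynamic_update(self, name: str, ip: str, principal: str,
                       mode: str = "replace") -> str:
        """Simplified RFC 2136 update.

        mode="add"     -> 'add to an RRset' (class IN): additive.
        mode="replace" -> 'delete an RRset' (class ANY, TTL 0) followed by an
                          add, the shape most clients and DHCP servers send.
        Returns the RCODE name the server would answer with.
        """
        existing = self.records.get(name, [])
        if self.secure:
            if principal not in self.update_allowed:
                return "REFUSED"          # unauthenticated / unlisted principal
            if any(rr.owner != principal for rr in existing):
                return "REFUSED"          # record belongs to someone else (or is static)
        if mode == "replace":
            existing = []
        existing.append(RR(ip, "dynamic", principal))
        self.records[name] = existing
        return "NOERROR"


def mixed_origin_names(zone: Zone) -> List[str]:
    """Defender check: names that carry both static and dynamic A records."""
    return sorted(n for n, rrs in zone.records.items()
                  if {rr.origin for rr in rrs} == {"static", "dynamic"})


def run_scenarios() -> Dict[str, object]:
    """Replay the thread's scenario (static xyz -> 1.1.1.1, new host named xyz)."""
    out: Dict[str, object] = {}

    # 1. Insecure zone, additive update: both records coexist, all are returned.
    z = Zone()
    z.add_static("xyz", "1.1.1.1")
    out["insecure_add_rcode"] = z.dynamic_update("xyz", "10.0.0.50", "newhost$", mode="add")
    out["insecure_add_answer"] = z.resolve("xyz")
    out["insecure_add_mixed"] = mixed_origin_names(z)

    # 2. Insecure zone, replacing update: the static record is silently gone.
    z = Zone()
    z.add_static("xyz", "1.1.1.1")
    out["insecure_replace_rcode"] = z.dynamic_update("xyz", "10.0.0.50", "newhost$")
    out["insecure_replace_answer"] = z.resolve("xyz")

    # 3. Secure zone, updates only from the DHCP server principal.
    z = Zone(secure=True, update_allowed={"dhcp-server$"})
    z.add_static("xyz", "1.1.1.1")
    out["secure_rogue_rcode"] = z.dynamic_update("xyz", "10.0.0.50", "newhost$")
    out["secure_dhcp_on_static_rcode"] = z.dynamic_update("xyz", "10.0.0.50", "dhcp-server$")
    out["secure_answer"] = z.resolve("xyz")
    # A brand-new name from the trusted principal is still accepted...
    out["secure_dhcp_new_rcode"] = z.dynamic_update("laptop7", "10.0.0.51", "dhcp-server$")
    # ...and later updates to it by the same owner succeed.
    out["secure_dhcp_renew_rcode"] = z.dynamic_update("laptop7", "10.0.0.52", "dhcp-server$")
    out["secure_laptop_answer"] = z.resolve("laptop7")
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:30s} {v}")
```

The model makes the thread's point concrete: whether the new host's record is added beside the static one or overwrites it depends entirely on the update shape the client sends, and the resolver's answer looks the same either way. `mixed_origin_names` is the check worth running on a real zone (on Windows DNS the equivalent signal is a record with an aging timestamp next to one without), and the secure zone shows why owner-based or DHCP-only updates stop a differently named principal from touching the static record at all.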