Security Concerning the DNSUpdateProxy Group

There are some security concerns to be aware of when putting the DNSUpdateProxy Group into action. If you put your DHCP servers in this group, none of the records updated by those servers are secure in your DNS database. If your DHCP server is a domain controller (as it is in many branch office configurations), all of the service location (SRV) and forward lookup (A) records registered when the Netlogon service starts will not be secure. What can you do to address these concerns?

1. Do not put any of your domain controllers in the DNSUpdateProxy Group.

2. If you choose to use the DNSUpdateProxy Group, don't install DHCP on a domain controller.

Securing the Use of the DNSUpdateProxy Group

Previous versions of Windows posed some serious concerns when dealing with DHCP's dynamic updating of DNS records. For example, if you were using an Active Directory integrated DNS zone configured for secure updates only, you were unable to use the DNSUpdateProxy Group, because DHCP servers that are members of the DNSUpdateProxy Group register all client records without ownership.

To address some of these issues, a new DNS dynamic update credentials manager was created. The interface is shown in Figure 3.40.

Figure 3.40 Configuring Credentials for Use with Dynamic Updating

You first need to create a dedicated user account in Active Directory whose credentials will be used by DHCP servers to perform dynamic updates. Then, to configure each DHCP server to use the account, perform the following steps:

1. In the left console pane of the DHCP MMC, right-click the server node and select Properties.

2. Click the Advanced tab.

3. Under DNS dynamic updates registration credentials, click the Credentials button.

4. Enter the user name, domain, and password for the account you created for this purpose, and click OK.

Do this for all DHCP servers that will use these credentials. The credentials supplied in the DNS dynamic update credentials dialog box are used by DHCP servers that are members of the DNSUpdateProxy group to register client records in DNS. This prevents the registration of nonsecure records in DNS. The same account can be used on all your DHCP servers, thus eliminating one of the earlier issues described in the section "Security Concerning the DNSUpdateProxy Group," in reference to switching to a new DHCP server after the original one has already registered client records under its ownership. By using the new credentials option, you create a configuration that allows the use of both the DNSUpdateProxy group and Active Directory integrated DNS with secure updates only.


To configure the dynamic DNS update credentials, you can use the graphical user interface (GUI) shown in Figure 3.40, or you can use the netsh command-line utility in the dhcp server context with the set dnscredentials command.
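The two practical steps above (keep domain controllers out of the DNSUpdateProxy Group, and give every DHCP server the dedicated update account) as an added PowerShell example; this is not code from the original text. It assumes the ActiveDirectory module is available, that the caller can administer the listed DHCP servers, and that the netsh dhcp context is present on the machine it runs from; the server names, account name and domain are constructed placeholders.

```powershell
# Added example, not from the original text. Assumes the ActiveDirectory
# module, rights to read group membership and to manage the DHCP servers,
# and a netsh build that still ships the dhcp context.
Import-Module ActiveDirectory

# --- Check: no domain controller should be a member of DnsUpdateProxy ---
# (the built-in group's sAMAccountName is DnsUpdateProxy; lookup is case-insensitive)
$dcs = (Get-ADDomainController -Filter *).Name
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $_.Name }
foreach ($member in $proxyMembers) {
    if ($dcs -contains $member) {
        # Such a DC registers its own SRV/A records without ownership.
        Write-Warning "$member is a domain controller and a member of DnsUpdateProxy"
    }
}

# --- Configure: point every DHCP server at the dedicated update account ---
$dhcpServers = @('DHCP01', 'DHCP02')     # constructed placeholders
$updateUser  = 'svc-dhcp-dnsupdate'      # account created beforehand (placeholder)
$domain      = 'EXAMPLE'                 # NetBIOS domain name (placeholder)
$secure = Read-Host -AsSecureString 'Password for the DNS update account'
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

foreach ($srv in $dhcpServers) {
    # netsh only accepts the password as a command-line argument, so run this
    # from an administrative session rather than a logged/shared script host.
    & netsh dhcp server "\\$srv" set dnscredentials $updateUser $domain $plain | Out-Null
    # show dnscredentials reports the configured user and domain (never the password)
    & netsh dhcp server "\\$srv" show dnscredentials
}
```

On Windows Server 2012 and later, the DhcpServer module's Set-DhcpServerDnsCredential accepts a PSCredential, which avoids placing the password on the command line.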
