Preventing Windows Computers from Trying to Update Your Zones
8.7.1 Problem
You want to prevent computers running Windows 2000 and XP from trying to dynamically update your zones.
8.7.2 Solution
On the Windows computer, go to Start
If you prefer to monkey around with the Registry, you can accomplish the same thing for all interfaces by adding a REG_DWORD value called DisableDynamicUpdate, with a value of 1, to the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
8.7.3 Discussion
Computers running Windows 2000 and XP, by default, try to register their name-to-address and address-to-name mappings using dynamic update. (Well, that's not completely true: DHCP clients register their name-to-address mappings, but their DHCP servers normally add the address-to-name mappings.) Of course, unless you expressly allow such updates by adding an allow-update substatement to your zone statements, your name server will deny those updates. However, you may get sick of seeing errors like these in syslog:
Jun 5 13:56:07 ns1 named[50684]: error: client 192.168.0.254#3181: update 'foo.example/IN' denied
These messages are logged to the security category, and you certainly don't want to discard all security-related messages, so it's important to know how to stop the updates at their source.
In BIND 9.3.0, those messages are in the update-security category, so you can send those messages to the null channel without missing more important security-relevant messages.
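To stop the updates at their source you first need to know which clients are sending them. The following is an added example, not part of the original recipe: it tallies denied dynamic updates per client from syslog lines in the format shown above. The names DENIED, SAMPLE_LOG, denied_update_sources and report are hypothetical, and every sample line after the first is constructed.

```python
import re
from collections import Counter, defaultdict

# BIND's denied-update message as quoted on the page:
#   named[50684]: error: client 192.168.0.254#3181: update 'foo.example/IN' denied
# The optional groups tolerate a missing "error: " prefix and a "view NAME: "
# field (assumption: your syslog may carry either variant).
DENIED = re.compile(
    r"named\[\d+\]: (?:error: )?client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"(?:view \S+: )?update '(?P<zone>[^'/]+)/\w+' denied"
)

# First line is the page's message; the rest are constructed sample input.
SAMPLE_LOG = """\
Jun 5 13:56:07 ns1 named[50684]: error: client 192.168.0.254#3181: update 'foo.example/IN' denied
Jun 5 13:56:09 ns1 named[50684]: error: client 192.168.0.254#3183: update 'foo.example/IN' denied
Jun 5 13:57:41 ns1 named[50684]: error: client 192.168.0.17#1044: update '0.168.192.in-addr.arpa/IN' denied
Jun 5 13:58:02 ns1 named[50684]: client 192.168.0.17#1046: view internal: update 'Foo.Example/IN' denied
Jun 5 13:58:30 ns1 named[50684]: client 192.168.0.9#1050: query (cache) 'www.example.com/A/IN' denied
""".splitlines()


def denied_update_sources(lines):
    """Map each client IP to {zone: number of denied dynamic updates}."""
    sources = defaultdict(Counter)
    for line in lines:
        m = DENIED.search(line)
        if m:
            # Zone names are case-insensitive; keep "." for the root zone.
            zone = m.group("zone").lower().rstrip(".") or "."
            sources[m.group("ip")][zone] += 1
    return {ip: dict(zones) for ip, zones in sources.items()}


def report(sources):
    """One tab-separated row per client, noisiest first: ip, total, zones."""
    rows = sorted(sources.items(), key=lambda kv: (-sum(kv[1].values()), kv[0]))
    return [f"{ip}\t{sum(z.values())}\t{','.join(sorted(z))}" for ip, z in rows]


if __name__ == "__main__":
    print("\n".join(report(denied_update_sources(SAMPLE_LOG))))
```

Feed it the lines of your own syslog file instead of SAMPLE_LOG; the clients it lists are the ones that still need dynamic update turned off.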
8.7.4 See Also
Section 8.8, in case you want to do something productive with those dynamic updates.