Preventing Windows Computers from Trying to Update Your Zones

8.7.1 Problem

You want to prevent computers running Windows 2000 and XP from trying to dynamically update your zones.

8.7.2 Solution

On the Windows computer, go to Start Settings Network and Dial-up Connections. For each network interface, right-click on the name of the interface and choose Properties. In the Properties window, double-click on Internet Protocol (TCP/IP). In the Internet Protocol (TCP/IP) Properties window, click on Advanced.... Finally, in the Advanced TCP/IP Settings window, click on the DNS tab. Uncheck Register this connection's addresses in DNS and click OK.

If you prefer to monkey around with the Registry, you can accomplish the same thing for all interfaces by adding a REG_DWORD value called DisableDynamicUpdate, with a value of 1, to the Registry key HKEY_LOCAL_MACHINESystemCurrentControlSetServicesTcpipParameters Interfaces.

8.7.3 Discussion

Computers running Windows 2000 and XP, by default, try to register their name-to-address and address-to-name mappings using dynamic update. (Well, that's not completely true: DHCP clients register their name-to-address mappings, but their DHCP servers normally add the address-to-name mappings.) Of course, unless you expressly allow such updates by adding an allow-update substatement to your zone statements, your name server will deny those updates. However, you may get sick of seeing errors like these in syslog:

Jun 5 13:56:07 ns1 named[50684]: error: client 192.168.0.254#3181: update foo. example/IN' denied

These messages are logged to the security category, and you certainly don't want to discard all security-related messages, so it's important to know how to stop the updates at their source.

In BIND 9.3.0, those messages are in the update-security category, so you can send those messages to the null channel without missing more important security-relevant messages.

8.7.4 See Also

Section 8.8, in case you want to do something productive with those dynamic updates.

Категории