DHCP security breach


boomboom999

Hello,

I have an Active Directory integrated DNS zone configured for secure updates.
I am evaluating the risks of permitting our DHCP server (a Windows 2003-based one) to register A and PTR records on behalf of workstations (Windows XP).

If I understand correctly, this option will compromise the whole idea of the Secure DNS updates.

As the DHCP protocol is not secured at all, DHCP has absolutely no means to validate who is requesting a DNS name update. So why does Microsoft not mention these risks of allowing DNS updates via DHCP servers? With a little effort, I can hijack any workstation's name.

Any ideas on how to secure DNS updates via DHCP?
 

Roger Abell [MVP]

Hi,
I do not believe you are taking the entire scope of the underlying
technologies into account. Specifically, if a machine "touches" its
DNS records, for example a DC, then it is the owner of those, and
future attempts to update them by other principals will fail. Hence,
your claim that you can hijack any DNS name is a little overstated.
Nevertheless, yes, what you indicate is so: for names temporarily
not in DNS, a malicious client could usurp them via DHCP.
Of course they could do so themselves directly also if they are
AD-joined machines.
DHCP's ability to register DNS records was originally provided
as a means to support backlevel (read Win9x, Unix, etc.) clients.
Use of DHCP reservation-only IP leasing can (laboriously) bring
some mitigation (chasing the issue back to MAC masquerading).
Important names ought to be registered by their owning machine (or
defined statically) so that the ACL on the DNS objects in AD is
used to effectively prevent name hijacking.
 

boomboom999

Roger,

I agree with you that theoretically I can preserve the integrity of
important DNS records by preventing DHCP from rewriting them. But in
practice, what can I do?

Microsoft recommends running DHCP under a low-privilege account.
I am wondering why Microsoft omits in their docs any recommendations on
the ACL that this account must have on DNS zones.

Suppose I have one zone with 4000 workstations and 300 servers. The
DHCP server acts under a specific AD account. I do not want to tweak
ACLs on every single record in my DNS zone.

What permissions should I give to the DHCP account on my DNS zone?

Maybe something like this?

Domain Computers = Create child objects
CREATOR/OWNER = Full Control
 

Ray

1. Don't give your users the right to change their computer names.

2. Use 802.1x or a similar authentication scheme that forces them to
authenticate to the network before they receive an IP address. This will
prevent non-domain computers from getting on your network at all, possibly
with a conflicting name.

Ray
 

Roger Abell [MVP]

So you are saying that your servers are using DHCP and also
requesting DHCP to handle the DNS registrations?
I get the impression you are looking to find a bulletproof approach
for using this capability in, I believe, unintended and ill-advised ways.
Have your servers handle their own DNS registrations.
That will automatically make each the allowed principal for updating
their own RRs in DNS.
Then, consider whether you really do need DNS resolution for the
clients - which usually is more of a management convenience except
in environments that encourage non-server-based collaboration.
Again, if a name is not yet present then any authenticated machine
could claim it anyway, so the issue that DHCP might be made to do
this is not that great except relative to non-domain and/or non-MS
DHCP client machines on your network. Your changing the account
used by DHCP or the ACLing on the DNS nodes in AD would not
alter the issue you have posted about. If DHCP is able to adjust the
RRs in DNS, then it still would if you have that behavior configured.
If you do not want that behavior, change the DHCP configuration.

In short, you have a point in your initial post, but it implies choosing
not to do a number of more reasonable things in how you configure things,
so I guess I am not clear what you are attempting to accomplish
as outlined in your follow-up posting.
 

Jorge de Almeida Pinto [MVP]

All authenticated users can create RRs in DNS zones.

So if you configure your DHCP with a SIMPLE user account (not special), only
that account will be able to update the RRs (and all other security
principals in the ACL, which are admins and the DCs).

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
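As an added illustration (not code posted by anyone in this thread), the following PowerShell audit checks the two things Roger and Jorge point at: which principals hold Create-child rights on the zone object itself (the right that lets any authenticated machine claim a name that does not exist yet), and which records the DHCP service account currently owns (the records it, or anything that can talk to it, is allowed to rewrite). The zone name, the DomainDnsZones partition location and the account name CONTOSO\svc-dhcp are assumptions to be adjusted; the ActiveDirectory module is assumed to be installed.

```powershell
# Added audit example, not from the thread. Assumptions: the ActiveDirectory
# module is available, the zone is AD-integrated and stored in the
# DomainDnsZones application partition, and the DHCP server runs under the
# hypothetical service account CONTOSO\svc-dhcp. Adjust all three.
Import-Module ActiveDirectory

$Zone        = 'corp.contoso.com'     # hypothetical zone name
$DhcpAccount = 'CONTOSO\svc-dhcp'     # hypothetical DHCP service account
$DomainDN    = (Get-ADDomain).DistinguishedName
$ZoneDN      = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# 1. Who may create child objects (new dnsNode records) at the zone level?
#    Authenticated Users normally appear here, which is why any domain member
#    can register a name that is not yet present in the zone.
$zoneAcl = Get-Acl -Path "AD:\$ZoneDN"
Write-Host "Zone-level ACEs granting CreateChild on $Zone"
$zoneAcl.Access |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::CreateChild } |
    Select-Object IdentityReference, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Which records does the DHCP account own?  The owner of a dnsNode (the host
#    that first registered it, or the DHCP server when it registers on the
#    client's behalf) is the principal permitted to update it later.
$nodes = Get-ADObject -SearchBase $ZoneDN -SearchScope OneLevel `
                      -LDAPFilter '(objectClass=dnsNode)' `
                      -Properties nTSecurityDescriptor

$report = foreach ($n in $nodes) {
    [pscustomobject]@{
        Name        = $n.Name
        Owner       = $n.nTSecurityDescriptor.Owner
        OwnedByDhcp = ($n.nTSecurityDescriptor.Owner -eq $DhcpAccount)
    }
}

$dhcpOwned = @($report | Where-Object OwnedByDhcp)
Write-Host ("{0} of {1} records in {2} are owned by {3}" -f `
    $dhcpOwned.Count, @($report).Count, $Zone, $DhcpAccount)

# Servers should show their own computer account as owner, not the DHCP
# account. Anything listed here is a candidate for re-registration from the
# owning host (or a static definition), as the replies above recommend.
$dhcpOwned | Sort-Object Name | Format-Table Name, Owner -AutoSize
```

Run it from a host with the RSAT ActiveDirectory module as an account allowed to read the zone partition. If the zone lives in the domain naming context or in ForestDnsZones instead, change the `$ZoneDN` prefix accordingly; the object class and owner semantics are the same.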
 
