Securing DNS with Secure Dynamic Updates

by Chris Sanders [Published on 4 Sept. 2008 / Last Updated on 3 July 2008]

DNS is crucial to the operation of a domain. Using Secure Dynamic Updates is something you can do to make your DNS infrastructure a bit more secure.

The most secure way to manage DNS clients on your network is to add each and every one of them to DNS manually. Unfortunately, this just isn’t a viable option on large networks. Because of this, DNS supports a feature called dynamic updates, but this is inherently insecure. With typical unsecured dynamic updates, any computer can create records on your DNS server, which leaves you open to malicious activity.

The more secure alternative to unsecured dynamic updates is…you guessed it…secure dynamic updates. This feature forces DNS to integrate with Active Directory so that any computer creating records on the DNS server must be a member of the AD domain. This is configurable by right-clicking a zone in the DNS management MMC snap-in and going to Properties. From there, select “Secure Only” in the dynamic updates combo box.
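
The same setting can be audited across every zone from PowerShell instead of clicking through each one. This is an added example, not part of the original article; it assumes the DnsServer module (RSAT DNS tools) is installed, and the server name and the `-Enforce` switch are placeholders defined by this script.

```powershell
# Added example: report each primary zone's dynamic update mode and,
# with -Enforce, switch AD-integrated zones to Secure Only.
param(
    [string]$DnsServer = 'dns01.example.test',   # placeholder server name
    [switch]$Enforce                             # hypothetical switch of this script
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones accept dynamic updates; skip the auto-created ones.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($zone in $zones) {
    $status = switch ($zone.DynamicUpdate) {
        'Secure' { 'OK' }
        'None'   { 'OK (dynamic updates disabled)' }
        'NonsecureAndSecure' {
            # Secure Only is offered only for Active Directory-integrated zones.
            if ($zone.IsDsIntegrated) { 'FIX: accepts unsecured updates' }
            else { 'REVIEW: file-backed zone, Secure Only not available' }
        }
        default  { 'REVIEW: unexpected value' }
    }
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        DsIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        Status        = $status
    }
}

$report | Format-Table -AutoSize

if ($Enforce) {
    # Equivalent to choosing "Secure Only" in the zone's Properties dialog.
    $report | Where-Object { $_.Status -like 'FIX*' } | ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $DnsServer -Name $_.Zone -DynamicUpdate Secure
        Write-Output "Set $($_.Zone) to Secure Only"
    }
}
```

Run it without `-Enforce` first to review the report; file-backed zones flagged REVIEW must be converted to AD-integrated before Secure Only can be selected.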


The Author — Chris Sanders

Chris Sanders is a network security analyst for EWA Government Systems Inc. Chris is the author of the book Practical Packet Analysis as well as several technical articles. His personal website at contains a great deal of information, articles, and guides related to network administration, network security, packet analysis, and general information technology.
