DNS update overiding static entry

[disturbedone]

I have a school network with W2K3 DCs which handle DHCP and DNS. There are static DNS entries for servers etc.

A WiFi client has named itself, unknowingly, the same as one of the servers and when it gets DHCP it updates the DNS record with its new IP address meaning that the server is no longer resolved correctly.

Using the MAC I worked out that the client is an Apple device. It is a student's personal device and connects to the WiFi network.

DNS lookup zone is set to ADI and dynamic updates are secure-only.

Any ideas how to stop this? In this instance it is purely accidental but it could cause all sorts of problems if someone did this maliciously by naming it the same as certain servers.

 

[TechyMcSe2k]

Grab the MAC address of the device in the DHCP Control Panel under leases

Then make a reservation based on that MAC and give it invalid IP and DNS entries to to go nowhere.

http://www.samtechconsulting.com

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.

 

[jknichols]

Grab the MAC address of the device in the DHCP Control Panel under leases

Then make a reservation based on that MAC and give it invalid IP and DNS entries to to go nowhere.

That's fine for the specific device in question, but how do you solve the problem of any random device connecting to the network with a name that is already in use?

 

[TechyMcSe2k]

Well that becomes a management issue. also, don't name your servers anything common.
Do not have Public WiFi reference your DNS servers, make them use Public DNS servers. Public WiFi should never reside on a private network. Security holes....AGH

http://www.samtechconsulting.com

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.

 

[disturbedone]

Reservations becomes a management issue too. Well, in theory it shouldn't happen that offen so I guess it wouldn't be too bad.

The naming convention is poor....btw I didn't do it! They were named after constellations or something nerdy. I prefer to use naming conventions such as DC001A and DC001B (where eg DC means Domain Controller and 001 is the site ID in a multi site environment). Unfortunately they were named before I arrived.

As for public DNS it's not really possible. It's not eg a hotspot in a cafe. This is a school environment (but could be business in theory) where staff and students are able to bring personal devices. Staff need internal DNS to be able to access internal services. Students, at the moment, only need Internet so yes they could be sent to public DNS but in the future they may use learning software/resources which may require internal DNS.

I guess it's not perfect. Server names really shouldn't be eg lynx, pegasus, orion etc as they're too common, I agree. But unfortunately changing them at this stage is not easy. I'd never really thought about it until now but it seems odd that there's no way to say "this is a fixed DNS entry, no one can change it, ever, except via a console". Is there really no way to make it "read-only" as such??

 

[TechyMcSe2k]

The proper way, in your scenario, is to utilize a child domain with a different subnet whcih will end up with its own DNS zone. That way when devices register, it is not on your root domain dns. Your network team will need to be involved to help you seperate the traffic.

Create a new child domain:

http://technet.microsoft.com/en-us/library/cc787706(WS.10).aspx

http://www.samtechconsulting.com

_______________________________________
Great knowledge can be obtained by mastering the Google algorithm.