We are running a 2008R2 domain. Our DCs are also DHCP/DNS (ADI) servers. The DCs are also members of the DNSUpdateProxy group. We do not have an account being used for passing Dynamic Update credentials. I read something from Ace Fekay that said it is not recommended for DCs with DNS/DHCP to be in the DNSUpdateProxy group, but the DCs are obviously not using DHCP and the security on their records looks fine.
We are set to allow both non-secure and secure updates because we have some access points and some HP ILOs (Integrated Lights-Out clients) that are not on the domain and are using DHCP. I know that allowing non-secure updates is a huge risk, but I am trying to get details about the risk. We are also set to "Always dynamically update DNS records" & "Dynamically update DNS records for clients that do not request updates." Almost all of our servers (the main risks we care about) are not using DHCP, except for the ILOs. We are not using NAP. Here are the questions.
1. DNS spoofing with a Windows computer - If someone brings in a Windows computer with the same computer name as one of our critical servers (obviously it will be off the domain), can it grab an IP address and update the record of the critical server? I was thinking it would detect the naming conflict.
2. DNS spoofing with a Linux computer - If someone brings in a Linux computer with the same computer name as a critical server, can it grab the IP address for a critical server that has a static address?
I am trying to find some real-world scenarios to get approval to switch to "secure-only" updates. The biggest risk from doing that is that we have trouble finding all the DDNS records. Then some expire and we lose connectivity to those resources until we get it fixed. If anyone can throw some realistic disaster scenarios at me, I would appreciate it.
Thanks,
Dan Heim
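The inventory problem raised in the last paragraph (finding every dynamically registered record, and checking each zone's current update mode, before moving to secure-only updates), as an added PowerShell example that is not part of the original post. It assumes the root\MicrosoftDNS WMI provider on a Windows DNS server, where AllowUpdate is 0 = none, 1 = nonsecure and secure, 2 = secure only, and a record's Timestamp is hours since 1601-01-01 (0 for static records); the server name dc01.example.local is a placeholder.

```powershell
# Added example, not from the original post: list each AD-integrated forward zone's
# dynamic update mode and the A records that were registered dynamically (Timestamp <> 0).
# These are the records that must be inventoried before a zone is moved to secure-only,
# and the ones a non-secure updater could have written or overwritten.
# Written for PowerShell 2.0 (Server 2008 R2): no [pscustomobject], no .Count on scalars.
param([string]$DnsServer = 'dc01.example.local')   # placeholder DNS server name

$ns = 'root\MicrosoftDNS'
# AllowUpdate values as exposed by the provider (same meaning as dnscmd /AllowUpdate).
$updateMode = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }
$epoch = [datetime]'1601-01-01'   # assumed base of the record Timestamp (in hours)

function Get-DdnsInventory {
    param([string]$Server)
    $zones = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -ComputerName $Server |
        Where-Object { $_.DsIntegrated -and -not $_.Reverse }   # AD-integrated forward zones
    foreach ($zone in $zones) {
        $mode = $updateMode[[int]$zone.AllowUpdate]
        # A records of this zone; ContainerName on the record class is the zone name.
        $records = @(Get-WmiObject -Namespace $ns -Class MicrosoftDNS_AType -ComputerName $Server `
            -Filter "ContainerName='$($zone.Name)'")
        $dynamic = @($records | Where-Object { $_.Timestamp -ne 0 })
        Write-Host ("Zone {0}: update mode '{1}', {2} A records, {3} dynamic" -f `
            $zone.Name, $mode, $records.Count, $dynamic.Count)
        if ($mode -ne 'Secure only' -and $dynamic.Count -gt 0) {
            Write-Warning "$($zone.Name) accepts nonsecure updates; review its dynamic records."
        }
        foreach ($r in $dynamic) {
            New-Object PSObject -Property @{
                Zone       = $zone.Name
                Name       = $r.OwnerName
                IPAddress  = $r.IPAddress
                LastUpdate = $epoch.AddHours($r.Timestamp)   # last refresh of the record
            }
        }
    }
}

# Emit the inventory to the pipeline and keep a CSV copy for the cut-over checklist.
Get-DdnsInventory -Server $DnsServer | Tee-Object -Variable inventory |
    Export-Csv -NoTypeInformation -Path "ddns-inventory-$DnsServer.csv"
$inventory | Sort-Object LastUpdate | Format-Table Zone, Name, IPAddress, LastUpdate -AutoSize
```

Records whose LastUpdate is old or whose owner is not a domain member (the ILOs and access points mentioned above) are the ones to convert to static entries or to register through a dedicated DHCP credential before the zone is switched to secure-only.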