Disabling Windows 2000 Dynamic DNS Updates

Windows 2000 supports dynamic Domain Name System (DNS) updates as defined in RFC 2136, and dynamic update is enabled by default for Windows 2000 DNS clients. The behaviour is distributed: there is no single policy setting or registry hack that controls dynamic DNS update, because several components register records on their own. Dynamic DNS updates are performed by the following components, each covered in its own section below:

Windows 2000 Professional and Server: the DHCP Client service

The DHCP Client service in Windows 2000 Professional and Server performs the dynamic DNS updates for each adapter. The updates occur whether the adapter is configured by DHCP or has a manually assigned (static) address.


To disable registration of both forward lookup (host A) records and reverse lookup (PTR) records for all adapters, use the following registry hack.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: DisableDynamicUpdate
Type: REG_DWORD
Value:
1 Disable dynamic update registration
0 Enable dynamic update registration

DisableDynamicUpdate can only be set in the registry. It overrides the Register this connection's addresses in DNS checkbox on the DNS tab of each interface's Advanced TCP/IP properties, which is a per-adapter setting.


To register forward lookup (host A) records but not reverse lookup (PTR) records for all adapters, use the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: DisableReverseAddressRegistrations
Type: REG_DWORD
Value:
1 Do not register PTR records
0 Register PTR records

DisableReverseAddressRegistrations turns off dynamic update registration of PTR records for the client. A PTR (pointer) record maps an IP address back to a computer name. The setting avoids unnecessary network traffic and the event log errors that record failed PTR registrations in environments where the DNS server authoritative for the reverse lookup zone cannot, or is configured not to, accept dynamic updates.


To disable registration of both forward lookup (host A) records and reverse lookup (PTR) records for a specific adapter:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface-name
Name: DisableDynamicUpdate
Type: REG_DWORD
Value:
1 Disables dynamic update registration
0 Enables dynamic update registration

For an adapter to use dynamic update it must be enabled at both the system level and the adapter level: if it is disabled system-wide, the adapter setting has no effect. The gotcha is a conflict between the two, for example an adapter whose checkbox (or Interfaces value) allows registration while Tcpip\Parameters\DisableDynamicUpdate is 1; that adapter silently does not register.

To register forward lookup (host A) records but not reverse lookup (PTR) records for a specific adapter:
there is no way to do this; DisableReverseAddressRegistrations is system-wide only.

DNS records are re-registered dynamically every 24 hours by default. To change the refresh interval for all adapters, use the following hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: DefaultRegistrationRefreshInterval
Type: REG_DWORD
Value: 0x0 - 0xFFFFFFFF seconds default=0x15180 (86,400 seconds = 24 hours)
This specifies the time interval between DNS dynamic update registration refreshes.

The default TTL (Time To Live) placed on dynamically registered records is 20 minutes. To change the TTL for all adapters, use the following hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: DefaultRegistrationTTL
Type: REG_DWORD
Value: 0x0 - 0xFFFFFFFF seconds default=0x4B0 (1,200 seconds = 20 minutes)

DefaultRegistrationTTL specifies the TTL placed on the A and PTR records the client sends in its dynamic update registrations. This is the DNS record TTL, not the IP packet TTL: it tells resolvers and caching servers how long they may keep the record before querying again. A small value causes cached entries to expire sooner, which increases DNS traffic but reduces the risk of a stale entry being served; a long value suits computers whose addresses rarely change, such as those that renew DHCP leases infrequently.

MaxNumberOfAddressesToRegister controls the maximum number of IP addresses that can be registered in DNS for an adapter. Multiple addresses on one adapter are common on web servers. By default, only the first IP address on an adapter is dynamically registered. To change the number of addresses registered for an adapter, use the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\interface-name
Name: MaxNumberOfAddressesToRegister
Type: REG_DWORD
Value: 0x0 - 0xFFFFFFFF default=0x1

To prevent an address being registered for the adapter, set MaxNumberOfAddressesToRegister to 0.

UpdateSecurityLevel determines whether the DNS client uses secure dynamic update or standard (non-secure) dynamic update. Under secure dynamic update the authoritative name server accepts updates only from authenticated, authorized clients and servers; standard dynamic update accepts them from anyone who can reach the server. By default (0x0) the client first tries a non-secure update and sends a secure one only if the non-secure update is refused. To force secure registrations, use the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: UpdateSecurityLevel
Type: REG_DWORD
Value:
0x0 Send secure dynamic updates only when non-secure dynamic updates are refused
0x10 Send only non-secure dynamic updates
0x100 Send only secure dynamic updates

0x100 makes the client refuse to send an unauthenticated update, which is the setting to choose when the zones are Active Directory-integrated and allow secure dynamic update. It is a client-side choice only: it does not stop other hosts from sending non-secure updates to a zone that accepts them, so the zone itself must also be set to secure updates only. Against a zone that accepts only standard updates, a client forced to 0x100 will not register at all. Avoid 0x10, which makes the client send non-secure updates only.

The next registry hack is intended for zones that do NOT use secure dynamic update. DisableReplaceAddressesInConflicts stops a DNS client from overwriting an existing resource record when it detects an address conflict during dynamic update. A conflict occurs when the client finds an existing A record that maps its own DNS name to the IP address of a different computer. By default the client replaces that record with one mapping the name to its own address; with this value set, the client backs out of the registration instead, and no error is written to Event Viewer. Be clear about what it protects: it keeps this client from clobbering a record that belongs to another host, but in a zone that accepts non-secure updates it does nothing to stop another host from overwriting this client's record. Only secure dynamic update, enforced by the zone, prevents that.
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Name: DisableReplaceAddressesInConflicts
Type: REG_DWORD
Value:
0 The DNS client overwrites the existing host A record with a host A record for its own IP address.
1 The DNS client backs out of the registration. No error is written to the Event Viewer log.
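Pulling the client-side values above together, here is an added example (my code, not from the original page) that reads every value described so far and reports what each adapter will actually register, applying the precedence rule that a system-wide DisableDynamicUpdate of 1 beats the per-adapter setting. It assumes Windows PowerShell with read access to HKLM, that the per-adapter subkeys under Interfaces and Adapters are named as the article describes (on later Windows versions the Interfaces subkeys are adapter GUIDs), and it uses the article's defaults for any value that is absent.

```powershell
# Added example, not from the original page. Reports the effective dynamic DNS
# registration behaviour per adapter from the registry values described above.
# Assumed: Windows PowerShell, read access to HKLM, subkeys named as the article
# describes. Defaults for absent values are the ones the article gives.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-RegDword {
    # Return a REG_DWORD value as an int, or $Default when it is not set.
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-UpdateSecurityText {
    # Decode UpdateSecurityLevel (0x0, 0x10, 0x100) into words.
    param([int]$Level)
    switch ($Level) {
        0x0     { 'non-secure first, secure only if the non-secure update is refused (default)' }
        0x10    { 'NON-SECURE ONLY (never sends an authenticated update)' }
        0x100   { 'secure only' }
        default { 'unknown value 0x{0:X}' -f $Level }
    }
}

# System-wide values.
$sysDisabled = Get-RegDword $tcpip 'DisableDynamicUpdate' 0
$ptrDisabled = Get-RegDword $tcpip 'DisableReverseAddressRegistrations' 0
$secLevel    = Get-RegDword $tcpip 'UpdateSecurityLevel' 0
$noReplace   = Get-RegDword $tcpip 'DisableReplaceAddressesInConflicts' 0
$refresh     = Get-RegDword $tcpip 'DefaultRegistrationRefreshInterval' 86400
$ttl         = Get-RegDword $tcpip 'DefaultRegistrationTTL' 1200

"System-wide: DisableDynamicUpdate=$sysDisabled  PTR disabled=$ptrDisabled  refresh=${refresh}s  record TTL=${ttl}s"
"System-wide: UpdateSecurityLevel -> $(Get-UpdateSecurityText $secLevel)"
"System-wide: DisableReplaceAddressesInConflicts=$noReplace"
if ($secLevel -eq 0x10) { Write-Warning 'Client is configured to send only non-secure dynamic updates.' }

# Per-adapter view. An adapter registers only when BOTH levels allow it.
Get-ChildItem -Path "$tcpip\Interfaces" | ForEach-Object {
    $name       = $_.PSChildName
    $ifDisabled = Get-RegDword $_.PSPath 'DisableDynamicUpdate' 0
    $maxAddr    = Get-RegDword "$tcpip\Adapters\$name" 'MaxNumberOfAddressesToRegister' 1
    $registersA = ($sysDisabled -eq 0) -and ($ifDisabled -eq 0) -and ($maxAddr -gt 0)
    $note = ''
    if ($sysDisabled -eq 1 -and $ifDisabled -eq 0) {
        $note = 'adapter allows registration but the system-wide value disables it'
    }
    [pscustomobject]@{
        Interface           = $name
        RegistersA          = $registersA
        RegistersPTR        = $registersA -and ($ptrDisabled -eq 0)
        AddressesToRegister = $maxAddr
        Note                = $note
    }
} | Format-Table -AutoSize
```

Run it before and after changing a value to confirm the effective result rather than the intended one. To apply the client-side hardening described above, set UpdateSecurityLevel to 0x100 (and, for zones without secure update, DisableReplaceAddressesInConflicts to 1) with Set-ItemProperty -Type DWord, then run ipconfig /registerdns to trigger a fresh registration instead of waiting for the refresh interval.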
Windows 2000 servers running the DNS Server service

The DNS Server service registers forward lookup (host A) records for its own name on every adapter it listens on, in any zone for which it is authoritative (holds the SOA). When a server running the DNS Server service has multiple adapters, unwanted addresses can be published automatically. Common cases are disconnected or unused adapters publishing AutoNet (169.254.x.x) addresses, and private or DMZ interfaces publishing addresses that clients cannot reach. If the Network Load Balancing (NLB) service is installed on a DNS server, both the virtual (cluster) adapter address and the dedicated adapter address are registered by the DNS Server service. The adapters the DNS server listens on can be changed in the DNS snap-in: in the server's Properties, click the Adapters tab. When the set of addresses the server should listen on differs from the set it should publish (register), use the following registry hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\DNS\Parameters
Name: PublishAddresses
Type: REG_SZ

This specifies the IP addresses to publish for the computer. The DNS server creates host A records only for the addresses in this list. If the entry is absent or blank, the DNS server creates a host A record for every one of the computer's IP addresses. The entry is intended for computers with multiple IP addresses where only a subset should be published, typically to stop the DNS server returning a private network address in answer to a query when the computer also has a corporate network address. The DNS Server service reads its registry entries only when it starts. Entries can be changed while the service is running by using the DNS console; changes made by editing the registry take effect only after the DNS Server service is restarted.
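As an added example (my code, not from the original page), the following restricts the addresses a DNS server publishes for itself, restarts the service so the registry value is read, and then queries the server's own A records to confirm the result. It assumes it runs on the DNS server as an administrator, that PublishAddresses takes the IPv4 addresses as a space-separated list (the separator is my assumption), that the address and host name are placeholders to replace, and that Get-NetIPAddress and Resolve-DnsName are available (they are not on Windows 2000 itself, where the equivalent steps are reg add, net stop dns and net start dns, and nslookup).

```powershell
# Added example, not from the original page. Publish only a chosen subset of
# this DNS server's addresses and verify the A records afterwards.
# Assumed: administrator on the DNS server; PublishAddresses is a REG_SZ of
# space-separated IPv4 addresses (assumption); 192.0.2.10 is a placeholder.

$dnsParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$publish    = @('192.0.2.10')                               # corporate-facing address only
$serverFqdn = [System.Net.Dns]::GetHostEntry('').HostName   # this server's own FQDN

# What the service would publish without PublishAddresses: every address
# on every adapter it listens on.
$allAddrs = Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress
"Addresses on this host: $($allAddrs -join ', ')"
"Addresses to publish:   $($publish -join ', ')"

# Write the value and restart the service; the registry is read only at start-up.
Set-ItemProperty -Path $dnsParams -Name 'PublishAddresses' -Type String -Value ($publish -join ' ')
Restart-Service -Name DNS

# Give the service a moment to register, then ask it for its own A records.
Start-Sleep -Seconds 5
$records = Resolve-DnsName -Name $serverFqdn -Type A -Server $publish[0] -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
$leaked = $records.IPAddress | Where-Object { $publish -notcontains $_ }
if ($leaked) {
    # A record registered before the change is not necessarily withdrawn;
    # remove it from the zone by hand.
    Write-Warning "A records outside the published list: $($leaked -join ', ')"
} else {
    "Only the published addresses are registered: $($records.IPAddress -join ', ')"
}
```

The query deliberately goes to the published address rather than to loopback, since a server whose listening interfaces have been restricted may not answer on 127.0.0.1.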
Windows 2000 domain controllers: the Netlogon service

To disable all registrations performed by Netlogon:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: UseDynamicDns
Type: REG_DWORD
Value:
0 Netlogon does not use DNS dynamic updates. The records listed in the Netlogon.dns file must be registered manually in DNS.
1 Netlogon uses DNS dynamic updates to register the names that identify this domain controller.

Consider disabling Netlogon's use of DNS dynamic updates if your DNS servers do not support dynamic update, or to eliminate the network traffic of the periodic re-registration of Netlogon's DNS records. The value takes effect only after you delete %SYSTEMROOT%\system32\config\netlogon.dnb and restart the Netlogon service.

Netlogon A record registrations

By default, Netlogon on a domain controller registers its SRV records, the domain A records and the GC (Global Catalog) A records every hour. SRV records map a service name to a host FQDN; host A records map a name to an IP address. Registration of domain A records for all adapters by Netlogon, and their re-registration every hour, causes problems when clients resolve the domain name to an address they cannot reach. The following registry value enables or disables registration of host A records by Netlogon on a domain controller. The domain A records are not required by Windows 2000; they are registered for the benefit of LDAP implementations that do not support SRV records. Note that the value disables every A record registration Netlogon performs, including the gc._msdcs.DnsForestName records. Those records are required, so they must be registered manually when RegisterDnsARecords is set to 0.

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: RegisterDnsARecords
Type: REG_DWORD
Value:

0 Does not register DNS A records. LDAP implementations that do not support SRV records cannot locate the LDAP server on this domain controller.
1 Registers DNS host A records.

Consider setting this value to 0 when Netlogon's dynamic updates do not complete because the host A record update is refused, since Netlogon stops its update when an attempt does not succeed.
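As an added example (my code, not from the original page) for the two Netlogon values above, the script below turns off Netlogon's A record registration, restarts the service, and then reads Netlogon.dns to list the A records that now have to be added to DNS by hand, flagging the gc._msdcs records the article says are mandatory and checking whether each one currently resolves. It assumes it runs on the domain controller as an administrator, that Netlogon.dns uses the "<owner> <ttl> IN <type> <rdata>" layout, and that Resolve-DnsName is available (a later Windows version than 2000). The script writes nothing to DNS.

```powershell
# Added example, not from the original page. Disable Netlogon A record
# registration and report the records that must now be registered manually.
# Assumed: administrator on the domain controller; Netlogon.dns layout is
# "<owner> <ttl> IN <type> <rdata>"; Resolve-DnsName is available.

$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$dnsFile  = Join-Path $env:SystemRoot 'System32\config\netlogon.dns'

function Get-NetlogonARecords {
    # Parse Netlogon.dns and return the A records Netlogon would have registered.
    param([string]$Path)
    Get-Content -Path $Path | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 5 -and $f[2] -eq 'IN' -and $f[3] -eq 'A') {
            [pscustomobject]@{
                Owner           = $f[0].TrimEnd('.')
                Ttl             = [int]$f[1]
                Address         = $f[4]
                IsGlobalCatalog = $f[0] -like 'gc._msdcs.*'
            }
        }
    }
}

# 0 = Netlogon registers no A records; SRV records are still registered.
Set-ItemProperty -Path $netlogon -Name 'RegisterDnsARecords' -Type DWord -Value 0
Restart-Service -Name Netlogon

$manual = Get-NetlogonARecords -Path $dnsFile
"A records Netlogon no longer registers (add these by hand):"
foreach ($r in $manual) {
    $tag     = if ($r.IsGlobalCatalog) { 'REQUIRED (GC)' } else { 'optional (legacy LDAP clients)' }
    $present = Resolve-DnsName -Name $r.Owner -Type A -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' -and $_.IPAddress -eq $r.Address }
    $state   = if ($present) { 'present' } else { 'MISSING' }
    '{0,-45} {1,-15} {2,-30} {3}' -f $r.Owner, $r.Address, $tag, $state
}
```

To turn off all Netlogon registration instead, set UseDynamicDns to 0, delete netlogon.dnb from the same config directory as the article requires, restart Netlogon, and treat every record in Netlogon.dns (SRV records included), not only the A records this script lists, as one to add manually.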

Windows 2000 workstation RAS clients
Individual RAS connections are configured through the Register this connection's addresses in DNS checkbox on the DNS tab of the connection's Advanced TCP/IP properties.
Credit: the above suggestions (plus many others) are available at: http://is-it-true.org

Copyright 1993-2006 Network Partners, Inc. All rights reserved