Dynamic DNS (DDNS) in Windows Server 2003 offers you the convenience of clients and servers updating their own DNS records. (If you use DHCP, the DHCP server is capable of updating its clients’ resource records within DDNS for them.) Obviously, DDNS saves you considerable time because you don’t have to manually create and maintain your clients’ DNS records.
The drawback to DDNS is that it can leave your network more vulnerable to attack if you haven’t secured it properly. For example, a hacker can “hijack” users’ connections simply by configuring a host computer to insert a resource record with the same IP address as one of your file or application servers. DDNS would then redirect users to this bogus server—enabling the hacker to then capture each user’s activity.
You can avoid this security breach by securing DDNS. To do so, configure your DNS servers to store their zone information in Active Directory. (You can configure this option only if you host DNS on your domain controllers, which is a Microsoft-recommended best practice for implementing DNS.) You should also configure your zones to permit only secure dynamic updates. With this setting, only computers that have successfully authenticated to your domain can update their DDNS records, which makes it much more difficult for a hacker to insert or update a DNS resource record.
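To check that a zone actually ended up in the state described above, the following added example (not part of the original article) audits saved `dnscmd /ZoneInfo` output for the two settings. The sample reports are constructed, and the `key = value` layout and the field names `update` and `DS integrated` are assumptions about that output.

```python
import re

# Constructed samples in the "key = value" layout assumed for `dnscmd /ZoneInfo <zone>`.
WEAK = """Zone info:
        zone name             = corp.example
        zone type             = 1
        update                = 1
        DS integrated         = 0
        data file             = corp.example.dns
"""
HARDENED = """Zone info:
        zone name             = corp.example
        zone type             = 1
        update                = 2
        DS integrated         = 1
        data file             = (null)
"""

def parse_zoneinfo(text):
    """Collect the 'key = value' lines of one zone report into a dict (keys lowercased)."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*?)\s*=\s*(\S.*?)\s*$", line)
        if m:
            info[m.group(1).lower()] = m.group(2)
    return info

def audit_zone(text):
    """Return findings for one zone; an empty list means both settings are in place."""
    info = parse_zoneinfo(text)
    zone = info.get("zone name", "<unknown>")
    findings = []
    if info.get("ds integrated") != "1":
        findings.append(f"{zone}: not stored in Active Directory, "
                        "so secure dynamic updates are unavailable")
    update = info.get("update")  # 0 = none, 1 = nonsecure and secure, 2 = secure only
    if update == "1":
        findings.append(f"{zone}: accepts nonsecure dynamic updates "
                        f"(fix: dnscmd /Config {zone} /AllowUpdate 2)")
    elif update not in ("0", "2"):
        findings.append(f"{zone}: update mode missing or unrecognised")
    return findings

if __name__ == "__main__":
    for label, report in (("before", WEAK), ("after", HARDENED)):
        print(label, audit_zone(report) or "no findings")
```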
0 Responses to “Thwart Hackers by Securing Dynamic DNS (Microsoft Windows Server 2003)”