Key points
- Never run the DHCP server role on the same server as Active Directory Domain Services (AD DS) for security and stability.
- Implement redundancy with failover DHCP servers and secondary DNS servers to ensure network reliability.
- Configure secure dynamic DNS updates using a dedicated service account and enable name protection to prevent record hijacking.
- Harden your DNS by separating authoritative and recursive roles to mitigate spoofing attacks and simplify security controls.
- Establish health targets and monitoring alerts for DHCP scope exhaustion, update failures, and abnormal DNS activity.
- Maintain centralized documentation of all configurations, logs, and inventory to aid troubleshooting and prove compliance.
DHCP and DNS are critical networking protocols that must be operating correctly for your IT infrastructure to function. If they are compromised, hackers can lead successful attacks that can halt productivity, exfiltrate data, and even steal money.
This practical guide explains what you need to do to run DHCP and DNS the right way in Active Directory environments. It provides a starting point for IT teams and managed service providers (MSPs) to implement a robust network configuration that is resistant to spoofing and other cybersecurity threats.
DHCP vs. DNS: How do DHCP and DNS work together?
DHCP and DNS are two separate protocols that help devices communicate and find each other on a network. They are not the same, and perform distinct tasks, but they are interlinked.
- DHCP is the protocol that assigns IP addresses to devices automatically. When a device is connected to your network, the DHCP server will assign it an address from a pool of available addresses, usually defined as a range or scope (for example, 192.168.0.100-192.168.0.200). Alongside providing each client device with a unique IP address, the DHCP server also tells them the subnet, IP address of the gateway, and DNS servers to use.
- DNS is the decentralized naming system that converts IP addresses to human-readable domain names. For example, www.example.com might point to the IP address 10.1.1.1.
Both DHCP and DNS require servers to operate. Client devices are directed to these servers to receive an IP address and perform DNS lookups.
Should DHCP and DNS be on the same server?
DHCP and DNS can be run from the same servers without issue, and in many cases, it makes sense to run DNS on your domain controllers. However, you should not run DHCP on the same server as Active Directory Domain Services (AD DS), and should configure DHCP to use its own dedicated service account.
You should ensure there is a failover DHCP system and secondary DNS servers (i.e., running on another domain controller) for redundancy and reliability.
What you need to effectively implement and maintain secure DHCP and DNS
To plan and implement a robust DHCP and DNS system on your network, you’ll need:
- Current inventory of DHCP scopes, reservations, and failover servers (this can be aided using network inventory tools)
- DNS zone list with documented authoritative and forwarding roles
- Administrative credentials for your Windows domain
- A maintenance window for updating DHCP and DNS configurations
You’ll benefit from a centralized IT documentation platform for storing inventory lists, network details, and server roles to assist future troubleshooting and maintenance.
Tip 1: Establish health targets
You should establish a healthy baseline for what a healthy DHCP and DNS system looks like, including:
- Utilization targets for each DHCP scope (including thresholds for free addresses)
- Lease duration (based on how frequently devices come and go, so that addresses aren’t exhausted)
You can then set appropriate thresholds and configure notifications when these thresholds are breached. You should also implement checks to ensure your DHCP and DNS servers, including failover and secondary servers, are responsive.
Tip 2: Configure secure dynamic DNS updates
Windows servers can handle both DNS and DHCP, and can use dynamic DNS updates to allow the DHCP server to register clients with DNS automatically.
Make sure that you’ve configured a dedicated service account for your DHCP servers to perform dynamic DNS registrations on behalf of clients, to protect against non-secure records, and so that stale records can be cleared. Name protection should also be enabled to prevent existing records from being taken over. The same service credentials can be used across servers.
Document your dynamic DNS configuration, how it is authenticated, and where logs are stored for review.
Tip 3: Harden DNS against spoofing and misuse
DNS spoofing injects falsified DNS records that redirect users to malicious sites that steal information or trick them into performing unintended actions (like transferring money using a fake bank website).
You must implement standard protections against DNS spoofing. Separating authoritative and recursive roles will assist with keeping manageable configurations.
Tip 4: Confirm DNS update behavior and scavenging are working as intended
Validate that dynamic updates are functioning properly using event logs, and that DNS scavenging is correctly removing stale records. Monitor DHCP refresh timestamps so that you can determine whether leases are configured to be long enough.
Summarize and store this information in reports alongside DNS event logs to demonstrate that your system functions as intended. This will assist with future investigations, improvements, and proving compliance.
Tip 5: Monitor, alert, and investigate
Leverage the automation and alerting functionality in your IT monitoring platform to create alerts or automatically generate helpdesk tickets when the following occur:
- DHCP scope exhaustion
- Repeated updated failures
- Abnormal volumes of new A or PTR records (an indicator of spoofing attempts)
By correlating DHCP and DNS logs, you can identify what has happened and maintain a full record of how you troubleshooted and resolved DHCP and DNS issues. You can also automate rogue DHCP server detection if your IT platform supports the required functionality.
NinjaOne brings observability and automation to DHCP and DNS in Active Directory environments
NinjaOne provides a comprehensive IT management platform that unifies remote monitoring and management (RMM), network monitoring, endpoint protection, and documentation. These tools allow you to implement robust DHCP and DNS configurations and ensure the core services that your network requires to operate have continuous oversight.
NinjaOne automation lets you schedule verification tasks to ensure that your DHCP and DNS integration follows best practices, and built-in notification tools can notify technicians immediately of suspicious activity. NinjaOne Documentation also acts as a centralized, access-controlled repository for automatically generated reports, technician notes, and client-facing documents.
Quick-Start Guide
Here are a few key insights:
1. DNS Configuration:
– When setting up network devices, you can configure DNS settings
– In one example from the Active Directory documentation, there’s a mention of setting up DNS settings for a client device:
Set up the DNS settings to point to your Domain Controllers IP address and the Ninja DNS IP (172.20.41.1) as a secondary DNS address
2. Network Management:
– NinjaOne offers Network Management System (NMS) features that can help monitor and manage network devices
– The NMS supports various network device types, including those from Cisco, Dell, HP, and others that support standard MIB-2 protocols
3. Discovery and Monitoring:
– NinjaOne can discover and monitor network devices
– You can set up network discovery jobs and configure credentials for network devices
While this doesn’t provide a step-by-step guide for DHCP and DNS, it suggests that NinjaOne can help you manage and monitor your network infrastructure. For specific DHCP and DNS configuration, you’d likely need to work directly with your domain controllers and network devices.
