I have a standalone DNS server configured for "Secure and Non-Secure" dynamic updates. I also have the DHCP role installed on the same server.
How do I ensure that only the DHCP server can update records in DNS? I don't want to allow clients to update DNS records directly. I'm hoping that, combined with the "Name Protection" setting in the DHCP server, at the very least no one can maliciously overwrite an existing dynamic record.
This should be sufficient since I've configured my switch for 802.1x as well as DHCP snooping to allow only trusted DHCP assigned IP addresses on the VLAN. I'm trying to avoid Active Directory for this network.
First, remove unsecure mode.
As in secure mode, just AD-joined machines (and the DHCP service under the dhcpproxy ACL) can update their records in the DNS.
Second point, to answer your question: check that ACL to be sure it's set.
Taken from this answer: How to limit dynamic DNS updates
I can't find this setting documented anywhere, but last week I found this key on a test server I manage.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\AllowUpdate
If this key exists and it has a value of 0, dynamic updates from clients are refused. I am not sure how it would affect updates from a DHCP service on the same server, but you could try it out and see if it may be an alternative to the firewall block.
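An added read-only audit script, written for this thread and not taken from either answer, that reports the three settings the answers discuss side by side: the zone's dynamic update mode (the first answer's "remove unsecure mode"), the DHCP server's Name Protection setting from the question, and the undocumented AllowUpdate registry value from the second answer. It assumes the DnsServer and DhcpServer PowerShell modules that install with the two roles, and the zone name 'corp.example' is a placeholder.

```powershell
# Added audit example for this thread (not from either answer).
# Assumes the DnsServer and DhcpServer modules that ship with the roles.
param(
    [string]$ZoneName = 'corp.example'   # placeholder, replace with your zone
)

Import-Module DnsServer
Import-Module DhcpServer

# 1. Zone dynamic update mode: None, NonsecureAndSecure, or Secure.
#    "NonsecureAndSecure" is what the question calls "Secure and Non-Secure";
#    it is the mode that lets any host on the VLAN overwrite a dynamic record.
$zone = Get-DnsServerZone -Name $ZoneName
$zoneRefusesNonsecure = $zone.DynamicUpdate -ne 'NonsecureAndSecure'

# 2. DHCP Name Protection (server-wide IPv4 DNS setting). When enabled, DHCP
#    registers a DHCID record with the A/PTR records so a different client
#    cannot silently take over an existing name.
$dhcpDns = Get-DhcpServerv4DnsSetting
$nameProtectionOn = [bool]$dhcpDns.NameProtection

# 3. The undocumented AllowUpdate value from the second answer
#    (0 = refuse client dynamic updates). A missing value means the
#    server's default behaviour applies, so report it explicitly.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$allowUpdate = (Get-ItemProperty -Path $dnsParams -Name AllowUpdate `
                -ErrorAction SilentlyContinue).AllowUpdate
$allowUpdateDisplay = if ($null -eq $allowUpdate) { '(not set)' } else { $allowUpdate }

[pscustomobject]@{
    Zone                 = $ZoneName
    DynamicUpdateMode    = $zone.DynamicUpdate
    ZoneRefusesNonsecure = $zoneRefusesNonsecure
    DhcpNameProtection   = $nameProtectionOn
    AllowUpdateRegValue  = $allowUpdateDisplay
}

# Remediation for item 1, as the first answer recommends. Left commented out
# so the script stays read-only:
# Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
```

Secure dynamic update is only offered for Active Directory-integrated zones, so on a standalone server that avoids AD the available zone modes are NonsecureAndSecure or None, which is why the DHCP-side Name Protection and the registry value matter in this setup.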