so we're a University campus, and in DNS Manager, all the students' phones, tablets, etc., are registering their A records in DNS. We don't want them to. Ideally, we'd just have domain joined devices registering/updating their DNS records.
We've done the following:
- DNS: Right click on domain in fwd lookup zone > Properties > Changed "Dynamic Updates" to "Secure only." (it was previously "Nonsecure and secure")
- DHCP: Right click the respective DHCP Scope > Properties > DNS Tab > UNCHECK "Enable DNS dynamic updates according to the settings below"
- DNS: Delete all records from the student subnets (from every DNS server)
It seemed like it was working for a little while, but then every hour, on the hour, I start to see old records repopulate Windows DNS Manager.
What are we missing? The main push for this was, we had a DNS Squatting issue, where a student's phone's hostname was the same as one of our servers, which prevented end users from accessing that server via the DNS name. Temporary mitigation was to create a CNAME for it, as it appears Dynamic Updates don't update CNAMEs, but we'd ideally like to prevent all non-domain joined devices from registering in DNS.
Thanks in advance.
Something else you should do/need to do is to configure scavenging on one of the DC\DNS servers and on the DNS zone(s). This will clean up old, stale A records automatically. Note that you only need to enable scavenging on one of your DC/DNS servers; as the zone is AD integrated, the DNS zone will be replicated to all other DC\DNS servers, so any changes you make will be replicated as part of AD replication to all other DC\DNS servers. There's no need to enable scavenging on more than one DC\DNS server and doing so isn't helpful.
Also note that because the DNS zone is AD integrated, any manual clean up you perform only needs to be done on one DC\DNS server. Again, because the zone is AD integrated any DNS records you cleanup on one DC\DNS server will be replicated to all other DC\DNS servers.
After doing what I mentioned in the comments, checking this morning, there are only DNS updates from the student subnets from workstations that are joined to the domain. No DNS updates from phones, tablets, personal devices, etc.
So to recap, we did the following:
But, in addition to all that, we also did the following:
After doing the first three items, we sorted the DHCP leases by Lease Expiration. This showed new leases. We then checked DNS and saw that any new leases that were clearly non-domain devices (users-iphone.domain.com, bigdicksipad.domain.com [yup...college students...]) were NOT dynamically updating DNS.
So the first two of the first three actions we took actually worked. The issue we were having was that, after 15 or so minutes after the hour, every hour, 1400 new DNS records from the student subnets were getting repopulated into DNS and THAT'S what we couldn't figure out.
On a whim, we noticed that NEW, valid lease records' Owners were the devices themselves (domainworkstation01$), but RENEWED or OLD lease records were owned by either the DHCP server itself, the domain account handling dynamic DNS updates mentioned in a comment above (DHCP > Server > IPv4 (right click > Properties) > Advanced > Credentials...), or SYSTEM.
While those leases are fine, and will eventually drop off after expiration, what we found was that, while they were in DHCP, DHCP would create records based off those. What we did then was delete all the DHCP lease records in DHCP on the student subnet scopes, and then deleted the DNS records.
After checking this morning, I can see that only domain joined devices have DNS records on those student subnets (staff connecting to them).
Whew.
Thanks everyone for your input.
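As an added check (this script is not from the thread or from Microsoft), the PowerShell below audits the three things discussed above on a given zone and set of student scopes: the zone's dynamic update mode, whether aging/scavenging is enabled, and whether each scope still registers records on behalf of clients. It then cross-references current leases in those scopes against A records in the zone and reports records that exist for hosts with no matching domain computer account, which is what a DHCP-registered record for a personal device looks like. The zone name, server names and scope IDs are placeholders; it assumes the DnsServer, DhcpServer and ActiveDirectory RSAT modules.

```powershell
# Added audit script, not part of the original thread. All values below are assumptions.
$Zone          = 'domain.com'                 # assumption: your AD-integrated forward zone
$DnsServer     = 'dc01'                       # assumption: any DC/DNS server (zone is replicated)
$DhcpServer    = 'dhcp01'                     # assumption: DHCP server holding the student scopes
$StudentScopes = @('10.50.0.0', '10.51.0.0')  # assumption: student subnet scope IDs

# 1. Zone should be "Secure" dynamic updates only, and aging should be on so stale
#    records are scavenged instead of lingering.
$zone  = Get-DnsServerZone      -ComputerName $DnsServer -Name $Zone
$aging = Get-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone
"Zone $Zone : DynamicUpdate=$($zone.DynamicUpdate) AgingEnabled=$($aging.AgingEnabled) " +
"NoRefresh=$($aging.NoRefreshInterval) Refresh=$($aging.RefreshInterval)"

# 2. Each student scope should have DynamicUpdates = Never (the unchecked box in the
#    scope's DNS tab); anything else lets DHCP register records for the lease.
foreach ($scope in $StudentScopes) {
    $dns = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope
    "Scope $scope : DynamicUpdates=$($dns.DynamicUpdates) " +
    "DeleteOnExpiry=$($dns.DeleteDnsRROnLeaseExpiry) NameProtection=$($dns.NameProtection)"
}

# 3. Build a case-insensitive set of A-record host names in the zone.
$aRecords = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    ForEach-Object { [void]$aRecords.Add($_.HostName) }

# 4. For every active lease in the student scopes, flag an A record whose host has no
#    domain computer account. Domain-joined clients refresh their own records; a record
#    for an unjoined name was most likely created by DHCP from the lease.
foreach ($scope in $StudentScopes) {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope |
        Where-Object { $_.HostName } |
        ForEach-Object {
            $name   = ($_.HostName -split '\.')[0]
            $joined = $null -ne (Get-ADComputer -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)
            if ($aRecords.Contains($name) -and -not $joined) {
                [pscustomobject]@{
                    Scope        = $scope
                    Host         = $name
                    IPAddress    = $_.IPAddress
                    LeaseExpires = $_.LeaseExpiryTime
                    Finding      = 'A record exists for non-domain-joined lease'
                }
            }
        }
}
```

Run it read-only first; once the settings report Secure / AgingEnabled=True / DynamicUpdates=Never, the findings list should shrink to nothing after the flagged leases and records are removed, as in the post above.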