Dynamic update enables DNS client computer to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.
The DNS Client and Server services support the use of dynamic updates, as described in Request for Comments (RFC) 2136, “Dynamic Updates in the Domain Name System.” The DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at each authoritative server configured to load either a standard primary or AD-integrated zone.
The dynamic update can happen on RRs (Resource Records) or sets of RRs (RRSets) in a DNS forward and/or reverse lookup zone.
The overall format of an UPDATE message sent by a DNS client machine is shown below:
Header |
Zone (specifies the zone to be updated) |
Prerequisite (RRs or RRsets which must (not) preexist) |
Update (RRs or RRsets to be added or deleted) |
Additional Data (additional data) |
Ethernet II, Src: Microsof_01:03:1e (00:15:5d:01:03:1e), Dst: Microsof_01:03:12 (00:15:5d:01:03:12)
Internet Protocol, Src: 192.168.1.134 (192.168.1.134), Dst: 192.168.1.2 (192.168.1.2)
User Datagram Protocol, Src Port: 61777 (61777), Dst Port: domain (53)
Domain Name System (query)
Transaction ID: 0x4fce
Flags: 0x2800 (Dynamic update)
0… …. …. …. = Response: Message is a query
.010 1… …. …. = Opcode: Dynamic update (5)
…. ..0. …. …. = Truncated: Message is not truncated
…. …0 …. …. = Recursion desired: Don’t do query recursively
…. …. .0.. …. = Z: reserved (0)
…. …. …0 …. = Non-authenticated data: Unacceptable
Zones: 1
Prerequisites: 1
Updates: 2
Additional RRs: 0
Zone
r2.com: type SOA, class IN
Prerequisites
win7.r2.com: type CNAME, class NONE
Name: win7.r2.com
Type: CNAME (Canonical name for an alias)
Class: NONE (0x00fe)
Time to live: 0 time
Data length: 0
Updates
win7.r2.com: type A, class ANY
Name: win7.r2.com
Type: A (Host address)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 0
win7.r2.com: type A, class IN, addr 192.168.1.134
Name: win7.r2.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 20 minutes
Data length: 4
Addr: 192.168.1.134 (192.168.1.134)
A DNS client update message instructs the DNS server to check and do certain things in the specified zone, on specific resource records based on the settings in the prerequisites and updates section. Such updates are said to be atomic, that is, all prerequisites must be satisfied for the update operation to be carried out.
Prerequisite resource records contain a set of resource record prerequisites that must be satisfied at the time the update message is received by the authoritative DNS server. There are five possible sets of values that can be expressed (as in RFC 2136):
- Resource record set exists (value independent). At least one resource record with a specified name and type (in the zone and class specified by the Zone Section) must exist.
- Resource record set exists (value dependent). A set of resource records with a specified name and type exists and has the same members with the same data as the resource record set specified in this section.
- Resource record set does not exist. No resource records with a specified name and type (in the zone and class denoted by the Zone section) exist. Name is in use. At least one resource record with a specified name (in the zone and class specified by the Zone section) exists. This prerequisite is not satisfied by empty nonterminals.
- Name is not in use. No resource record of any type is owned by a specified name. This prerequisite is satisfied by empty nonterminals.
The authoritative DNS server determines whether the prerequisites have been fulfilled. If they have, the authoritative DNS server performs the requested updates. If the prerequisites have not been fulfilled, the update fails. In either case, the authoritative DNS server replies to the client, indicating whether or not the update was successful.
A sample prerequisites section might look like:
Prerequisites
win7.r2.com: type CNAME, class NONE
Name: win7.r2.com
Type: CNAME (Canonical name for an alias)
Class: NONE (0x00fe)
Time to live: 0 time
Data length: 0
RRset Exists |
RRset Exists |
RRset Does |
Name Is |
Name Is |
|
Name |
<RR Name> |
<RR Name> |
<RR Name> |
<RR Name> |
<RR Name> |
Type |
<RR Type> |
<RR Type> |
<RR Type> |
ANY |
ANY |
Class |
ANY |
<Zone Class> |
NONE |
ANY |
NONE |
TTL |
0 |
0 |
0 |
0 |
0 |
RDLENGTH |
0 |
<RDATA Length> |
0 |
0 |
0 |
RDATA |
<Empty> |
<IP/Name(PTR)> |
<Empty> |
<Empty> |
<Empty> |
With the help of the table above the requiremets of the prerequisites section can be determent easily.
The update portion of the update message is just processed in case a cname resource record with the name win7 doesn’t exist in the zone r2.com.
The updates section contains the resource records that are to be added and/or deleted from the zone. Four operations are available to be performed during the update:
Add resource records to a resource records set.
Delete a resource records set.
Delete all resource records sets from a name.
Delete a resource record from a resource records set.
Updates
win7.r2.com: type A, class ANY
Name: win7.r2.com
Type: A (Host address)
Class: ANY (0x00ff)
Time to live: 0 time
Data length: 0
win7.r2.com: type A, class IN, addr 192.168.1.134
Name: win7.r2.com
Type: A (Host address)
Class: IN (0x0001)
Time to live: 20 minutes
Data length: 4
Addr: 192.168.1.134 (192.168.1.134)
Add to an RRset |
Delete an RRset |
Delete All RRsets for a name |
Delete an RR from an RRset |
|
Name |
<RR Name> |
<RR Name> |
<RR Name> |
<RR Name> |
Type |
<RR Type> |
<RR Type> |
ANY |
<RR Type> |
Class |
<Zone Class> |
ANY |
ANY |
NONE |
TTL |
<RR TTL> |
0 |
0 |
0 |
RDLENGTH |
<RDATA Length> |
0 |
0 |
<RDATA Length> |
RDATA |
<IP/Name(PTR)> |
<Empty> |
<Empty> |
<IP/Name(PTR)> |
In the example above the DNS server is requested to remove the host A resource record for the name win7 from the zone r2.com. This is done by setting the TTL and RDLENGTH value to 0. In the next step the same name is registered with the specified IP address as a host A resource record in the zone r2.com again.
Deleting the host A record for the name win7 in front of registering it again prevents that multiple IP addresses are bound to a single host A record, in case the client machine gets assigned a different IP address.
The windows DNS Servers support both secure and non-secure dynamic updates. The secure dynamic updates leverage the Active Directory infrastructure to ensure security.
Read more at : https://technet.microsoft.com/en-us/library/cc771255.aspx
[This post has been authored by Markus Rösner from Windows Germany Team.]