DNS DHCP Best Practices: Risks of “Always Update” vs “Update on Client Request” in Windows Server Environments



In Windows Server 2012 environments (the same controls exist in later versions), the DNS tab of the DHCP server or scope properties exposes three settings that govern how the DHCP server registers A and PTR records on behalf of its clients:

1. "Dynamically update DNS A and PTR records only if requested by the DHCP clients" (default; one of two mutually exclusive radio buttons)
2. "Always dynamically update DNS A and PTR records" (the other radio button)
3. "Dynamically update DNS A and PTR records for DHCP clients that do not request updates" (a separate checkbox that can be combined with either of the first two)

A client "requests" an update by sending the Client FQDN option (DHCP option 81) in its lease request, which Windows clients do by default: they ask the DHCP server to register the PTR record while registering the A record themselves.

While the "Always update" option might seem convenient, it introduces several problems:

  • Record ownership: with secure dynamic updates, the DHCP server's computer account (or its configured DNS update credential) becomes the owner of every record it registers, so the client can no longer refresh or correct its own record later
  • Takeover risk: the usual workaround for that ownership problem is to put the DHCP server in the DnsUpdateProxy group, but records created by members of that group carry no owner ACL and can be overwritten by any authenticated account, which is how a DHCP-registered name ends up pointing at an address nobody intended
  • Client override: the server ignores the client's own registration preference (for example, a client deliberately configured not to register its address), which may have been set for a reason
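The ownership and DnsUpdateProxy points above can be checked from PowerShell. The following is an added example, not code from the original page: it assumes a DHCP server named dhcp01, a zone example.com stored in the DomainDnsZones partition of the example.com domain, and a DHCP-registered record named host; the record's distinguished name must be adjusted if your zone replicates to ForestDnsZones or to the domain partition instead.

```powershell
# Added example (not from the original page). Assumed names: DHCP server "dhcp01",
# zone "example.com" in the DomainDnsZones partition of domain example.com, and a
# record "host" that the DHCP server registered.
Import-Module DhcpServer, DnsServer, ActiveDirectory

$DhcpServer = 'dhcp01'
$Zone       = 'example.com'
$Record     = 'host'

# 1. Who owns the record object in AD? With secure dynamic updates the owner is
#    the principal that registered it, and a client cannot update a record it
#    does not own. A DHCP-owned record shows the server's computer account here.
$recordDn = "DC=$Record,DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com"
$acl = Get-Acl -Path "AD:\$recordDn"
"Owner of {0}.{1}: {2}" -f $Record, $Zone, $acl.Owner

# 2. Is the DHCP server a member of DnsUpdateProxy? Records created by members
#    of that group are left with an ACL that any authenticated user can rewrite.
$proxyMembers = Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object -ExpandProperty SamAccountName
if ($proxyMembers -contains "$DhcpServer`$") {
    Write-Warning "$DhcpServer is in DnsUpdateProxy; records it registers are unsecured."
}

# 3. Which identity does the server use for updates? With no dedicated credential
#    it uses its own computer account (on a domain controller that account already
#    has broad rights over the zone).
Get-DhcpServerDnsCredential -ComputerName $DhcpServer

# 4. Fix: give the DHCP server a dedicated, low-privilege domain user for DNS
#    updates. Every DHCP-registered record is then owned by that one account, the
#    server can be kept out of DnsUpdateProxy, and the account's rights on the zone
#    can be audited like any other principal's.
$cred = Get-Credential -Message 'Dedicated DNS update account (e.g. EXAMPLE\svc-dhcp-dns)'
Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential $cred
# The DHCP service reads the credential at start-up, so restart it on the server.
Invoke-Command -ComputerName $DhcpServer -ScriptBlock { Restart-Service -Name DHCPServer }
```

Records registered before the credential change keep their old owner; they are only re-owned when they are deleted (lease expiry with discard enabled, or scavenging) and registered again.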

Here's how to check and modify these settings using PowerShell:

# Get current DHCP server DNS registration settings
Get-DhcpServerv4DnsSetting -ComputerName "YourDHCPServer"

# Set to update only when requested by clients (recommended)
Set-DhcpServerv4DnsSetting -ComputerName "YourDHCPServer" `
    -DynamicUpdates "OnClientRequest" `
    -DeleteDnsRROnLeaseExpiry $true

The third option ("for clients that do not request updates", -UpdateDnsRRForOlderClients in PowerShell) makes the DHCP server register both the A and the PTR record for leases whose client sent no Client FQDN option. It covers:

  • Windows NT 4.0 clients (the example Microsoft gives in the dialog)
  • Non-Windows clients whose DHCP client does not send option 81 (many embedded devices and older Unix clients)

It does not cover devices with static addresses: they never obtain a lease, so the DHCP server has nothing to register for them, and their records must be created and maintained by other means.
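The recommended combination of the three settings, together with an audit of what is actually configured, as an added example (not code from the original page). It assumes a DHCP server named dhcp01; scope IDs are read from the server rather than hard-coded. Scopes matter because a scope can override the server-level setting, so checking only Get-DhcpServerv4DnsSetting without -ScopeId can miss a scope that someone set to "Always".

```powershell
# Added example (not from the original page). Assumed name: DHCP server "dhcp01".
Import-Module DhcpServer
$DhcpServer = 'dhcp01'

# Audit: the server-level setting plus every scope, because a scope-level setting
# overrides the server default (e.g. "Always" left on one VLAN for printers).
$serverSetting = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer
"Server default: DynamicUpdates={0} DeleteOnExpiry={1} OlderClients={2}" -f `
    $serverSetting.DynamicUpdates, $serverSetting.DeleteDnsRROnLeaseExpiry,
    $serverSetting.UpdateDnsRRForOlderClients

$scopeSettings = Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $s = Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $_.ScopeId
    [pscustomobject]@{
        Scope               = $_.ScopeId
        DynamicUpdates      = $s.DynamicUpdates
        DeleteOnLeaseExpiry = $s.DeleteDnsRROnLeaseExpiry
        UpdateOlderClients  = $s.UpdateDnsRRForOlderClients
        NameProtection      = $s.NameProtection
    }
}
$scopeSettings | Format-Table -AutoSize

# Weak configuration, shown for comparison only: the server registers every record
# itself and keeps the records after the lease is gone.
# Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -DynamicUpdates Always `
#     -DeleteDnsRROnLeaseExpiry $false

# Hardened configuration: honour the client's request (option 81), register on
# behalf of only those clients that cannot request, and discard the records when
# the lease is deleted so an expired name never lingers on a reused address.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer `
    -DynamicUpdates OnClientRequest `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# Bring any scope that still says "Always" into line with the server default.
foreach ($scope in ($scopeSettings | Where-Object DynamicUpdates -eq 'Always')) {
    Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $scope.Scope `
        -DynamicUpdates OnClientRequest `
        -UpdateDnsRRForOlderClients $true `
        -DeleteDnsRROnLeaseExpiry $true
}
```

Name protection is read in the audit but deliberately not changed: in Windows DHCP it is tied to the server registering records itself (the always-update mode), so whether to enable it is a separate decision from the update mode chosen here.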

Consider this situation when using "Always update" without "Discard A and PTR records when lease is deleted" (-DeleteDnsRROnLeaseExpiry):

1. ClientA (192.168.1.100) obtains a lease and the DHCP server registers host.example.com -> 192.168.1.100, with the DHCP server as the record's owner
2. The lease expires, but the A record stays in the zone because the server was not told to discard it
3. ClientB is leased the same IP address and the DHCP server rewrites the PTR record for 192.168.1.100 to ClientB's name
4. host.example.com now resolves to ClientB; ClientA cannot correct the stale record because it does not own it, and ClientB never asked to be reachable under that name

For most environments, the default setting provides optimal balance between:

  • Security (respecting client update preferences)
  • Maintainability (clear record ownership)
  • Compatibility (works with modern and legacy systems)

Implement additional security by restricting the zone to secure dynamic updates, so that only authenticated principals can create or change records (this is a zone setting enforced through Active Directory ACLs, not DNSSEC, and it requires an AD-integrated zone):

# Enable secure dynamic updates (requires AD-integrated zones)
Set-DnsServerPrimaryZone -Name "example.com" -DynamicUpdate Secure

Per scope, Windows Server 2012 (and later versions) exposes the same three choices on the DNS tab under DHCP Scope Properties; expressed as a conceptual enumeration:

// Conceptual representation of update options
enum DNSUpdateOption {
  CLIENT_REQUESTED,       // Default
  ALWAYS_UPDATE,
  UPDATE_NONREQUESTING_CLIENTS
};

Selecting Always dynamically update DNS A and PTR records forces the DHCP server to:

  • Process updates regardless of client capabilities
  • Bypass client-side update requests
  • Assume ownership of all records (unless configured otherwise)

Example PowerShell command to configure this setting:

Set-DhcpServerv4DnsSetting -DynamicUpdates "Always" -DeleteDnsRROnLeaseExpiry $true

The three options produce distinct DNS update patterns:

Option                  Windows 10 client                            Legacy client (NT 4.0)
----------------------  -------------------------------------------  ------------------------------------
Client-requested        Client updates A record, DHCP updates PTR    No updates unless 3rd option enabled
Always update           DHCP updates both records                    DHCP updates both records
Update non-requesting   Same as client-requested                     DHCP updates both records

The "Always Update" approach introduces several architectural considerations:

  • Conflict risk: two clients presenting the same host name produce duplicate or flapping registrations, since the server writes whatever name the latest lease carries
  • Security context: every update runs under the DHCP server's computer account or its configured DNS update credential, so that principal's rights over the zone (and its DnsUpdateProxy membership) must be reviewed
  • Administrative overhead: stale records accumulate on reused addresses unless lease-expiry deletion and scavenging are configured

For most Active Directory environments, Microsoft recommends:

  1. Use client-requested updates for modern Windows clients
  2. Enable "Update non-requesting clients" for legacy systems
  3. Configure DNS scavenging appropriately

Example DNS scavenging configuration (values are in hours; 168 hours is 7 days). These dnscmd settings enable the server-wide scavenging cycle and set the aging defaults for newly created zones only; aging must still be switched on for each existing zone, for example with dnscmd /Config example.com /Aging 1, or nothing in that zone is ever scavenged:

dnscmd /config /ScavengingInterval 168
dnscmd /config /DefaultAgingState 1
dnscmd /config /DefaultNoRefreshInterval 168
dnscmd /config /DefaultRefreshInterval 168
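The same configuration with the DnsServer PowerShell module, including the per-zone step that dnscmd's defaults do not cover and a check for records that are already stale. This is an added example, not from the original page; it assumes a DNS server named dns01 and an AD-integrated zone example.com, and uses 7-day TimeSpans for the 168-hour values above.

```powershell
# Added example (not from the original page). Assumed names: DNS server "dns01",
# zone "example.com". 7 days equals the 168 hours used with dnscmd.
Import-Module DnsServer
$DnsServer = 'dns01'
$Zone      = 'example.com'
$Week      = New-TimeSpan -Days 7

# Server-wide: enable the scavenging cycle, set how often it runs, and set the
# aging defaults. -ApplyOnAllZones pushes the intervals to existing zones as well.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -ScavengingInterval $Week -NoRefreshInterval $Week -RefreshInterval $Week `
    -ApplyOnAllZones

# Per zone: aging has to be enabled on the zone itself, otherwise record
# timestamps are kept but never acted on.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $Zone -Aging $true `
    -NoRefreshInterval $Week -RefreshInterval $Week

# Verify both levels. A record is eligible for deletion once its timestamp is
# older than NoRefresh + Refresh (14 days here), and only a server with
# ScavengingState enabled deletes anything, so confirm it is the intended server.
Get-DnsServerScavenging -ComputerName $DnsServer
Get-DnsServerZoneAging  -ComputerName $DnsServer -Name $Zone

# Spot-check candidates before the first scavenging run. Static records carry no
# timestamp and are never scavenged; DHCP-registered records are refreshed by the
# DHCP server on lease renewal, so a timestamp older than the lease duration is
# either a machine that left the network or a record nobody owns any more.
$cutoff = (Get-Date).AddDays(-14)
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

Run the spot-check first and review what it lists: with "Always update" and no lease-expiry deletion, this is exactly the set of stale DHCP-owned records that would otherwise keep resolving old names to reused addresses until scavenging removes them.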