AD DnsUpdateProxy Group

🔒 Secure Bits 💡
What is the 𝗗𝗻𝘀𝗨𝗽𝗱𝗮𝘁𝗲𝗣𝗿𝗼𝘅𝘆 group in Active Directory?

It is a built-in domain security group meant for one narrow scenario: several DHCP servers (or a DHCP server that may be replaced) need to register and later update the same DNS records on behalf of clients.

💡 𝗛𝗼𝘄 𝗶𝘁 𝘄𝗼𝗿𝗸𝘀:
When a DHCP server registers a DNS record on behalf of a client in a zone with secure dynamic updates, the DHCP server's computer account becomes the owner of that record and is the only principal allowed to change it. If another DHCP server later tries to update the same record (after a failover, a lease move or a server rebuild), the update is refused because that server does not own the record.

To “fix” this, Microsoft introduced the DnsUpdateProxy group. Records registered by its members are created 𝘄𝗶𝘁𝗵 𝘄𝗲𝗮𝗸𝗲𝗻𝗲𝗱 𝗔𝗖𝗟𝘀, so that any DHCP server in the group can update them:
1️⃣ The record is created without a protecting owner, so any authenticated principal can modify it. The first authenticated client that is not a group member and updates the record takes ownership, and from then on the record is secured like a normal dynamic update.
2️⃣ If the updater is itself a member of DnsUpdateProxy, no ownership is taken and the loose ACLs persist for as long as only members touch the record.
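An audit script for the situation just described, added here as an example and not part of the original post. It lists the members of DnsUpdateProxy, flags any that are domain controllers, and then walks the dnsNode objects of one AD-integrated zone looking for records that Authenticated Users or Everyone can still write. The domain name corp.example, the zone DN in $ZoneDn and the DomainDnsZones partition are assumptions; adjust them to your forest.

```powershell
# Added audit example, not from the original post.
# Assumes the ActiveDirectory module and an AD-integrated zone corp.example
# stored in the DomainDnsZones partition (placeholder names, adjust as needed).
Import-Module ActiveDirectory

$ZoneDn = 'DC=corp.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example'

# 1. Who is in DnsUpdateProxy? Every record these principals register is
#    created with weakened ACLs, so a DHCP server that is also a DC is the
#    first thing to look for.
$dcNames = (Get-ADDomainController -Filter *).Name
Get-ADGroupMember -Identity 'DnsUpdateProxy' -Recursive | ForEach-Object {
    [pscustomobject]@{
        Member             = $_.SamAccountName
        Class              = $_.objectClass
        IsDomainController = ($_.objectClass -eq 'computer' -and $dcNames -contains $_.Name)
    }
} | Format-Table -AutoSize

# 2. Which records in the zone can any authenticated user modify?
#    A record registered by a group member that nobody has taken over yet
#    shows up here; so does anything else that was left writable.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner'
$broadPrincipals = @('NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\ANONYMOUS LOGON')

Get-ADObject -SearchBase $ZoneDn -LDAPFilter '(objectClass=dnsNode)' -Properties dNSTombstoned |
    Where-Object { -not $_.dNSTombstoned } |    # skip tombstoned (deleted) records
    ForEach-Object {
        $node = $_
        $acl  = Get-Acl -Path ("AD:\" + $node.DistinguishedName)
        $weakAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (($_.ActiveDirectoryRights -band $writeRights) -ne 0)
        }
        if ($weakAces) {
            [pscustomobject]@{
                Record    = $node.Name
                Owner     = $acl.Owner
                GrantedTo = ($weakAces.IdentityReference.Value | Sort-Object -Unique) -join ', '
            }
        }
    } | Format-Table -AutoSize
```

Run it as a user with read access to the zone; no changes are made. A non-empty second table is the list of records an ordinary domain user could repoint, which is exactly the exposure the next section describes.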

⚠️ 𝗪𝗵𝘆 𝘁𝗵𝗶𝘀 𝗶𝘀 𝗿𝗶𝘀𝗸𝘆:
Because the ACL on such a record is weakened, any authenticated user or computer in the domain can modify it, for example to point an existing host name at an address they control. The exposure is worst when DHCP runs on a Domain Controller whose computer account is in DnsUpdateProxy: the DC registers its own records (including the SRV records the domain depends on) with that same account, so those critical records are created with the same weak security.

𝗔 𝘀𝗮𝗳𝗲𝗿 𝗮𝗹𝘁𝗲𝗿𝗻𝗮𝘁𝗶𝘃𝗲:
🔹 Use Dynamic DNS Update Credentials: create a standard domain user with no other rights
🔹 Configure all DHCP servers to register with this one account, so the account owns the records and any of the servers can update them
🔹 (Note: gMSAs are not supported for these credentials, so plan a rotation of the account password)
🔹 Avoid putting the DHCP role on Domain Controllers
🔹 Avoid using the DnsUpdateProxy group altogether
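The five steps above carried out end to end, as an added PowerShell example that is not part of the original post. The domain corp.example, the account name svc-dhcp-dns and the server names dhcp01 and dhcp02 are placeholders; it assumes the ActiveDirectory and DhcpServer modules and enough rights to create a user, configure the DHCP servers and edit group membership.

```powershell
# Added remediation example, not from the original post.
# Assumes the ActiveDirectory and DhcpServer modules; corp.example,
# svc-dhcp-dns, dhcp01 and dhcp02 are placeholders.
Import-Module ActiveDirectory, DhcpServer

$Domain      = 'corp.example'
$DhcpServers = @("dhcp01.$Domain", "dhcp02.$Domain")
$SvcName     = 'svc-dhcp-dns'

# 1. A plain domain user with a long random password and no group memberships
#    beyond Domain Users. Set-DhcpServerDnsCredential does not accept a gMSA,
#    so this stays a regular account; rotate the password on your own schedule.
$pw = ConvertTo-SecureString -AsPlainText -Force -String ((New-Guid).Guid + (New-Guid).Guid)
New-ADUser -Name $SvcName -SamAccountName $SvcName -UserPrincipalName "$SvcName@$Domain" `
    -Description 'DHCP dynamic DNS update account (no other rights)' `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true
$cred = New-Object System.Management.Automation.PSCredential ("$($Domain.Split('.')[0].ToUpper())\$SvcName", $pw)

# 2. Every DHCP server registers with the same account, so the account rather
#    than an individual server owns each record and any server can update it.
foreach ($srv in $DhcpServers) {
    Set-DhcpServerDnsCredential -ComputerName $srv -Credential $cred
    Get-DhcpServerDnsCredential -ComputerName $srv      # confirms DomainName\UserName
}

# 3. With credentials in place, DnsUpdateProxy membership only weakens ACLs,
#    so pull the DHCP servers' computer accounts out of it.
$dhcpComputers = $DhcpServers | ForEach-Object { Get-ADComputer -Identity $_.Split('.')[0] }
Remove-ADGroupMember -Identity 'DnsUpdateProxy' -Members $dhcpComputers -Confirm:$false

# 4. Warn loudly if any of these DHCP servers is also a domain controller.
$dcHosts = (Get-ADDomainController -Filter *).HostName
$onDc = $DhcpServers | Where-Object { $dcHosts -contains $_ }
if ($onDc) {
    Write-Warning "DHCP role is hosted on domain controller(s): $($onDc -join ', '). Move it to a member server."
}
```

Records that were registered before the change keep their old owner and ACL; they are corrected as clients renew and the new account re-registers them, or you can re-create them by hand.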

💬 Are you using DnsUpdateProxy group in your environment?