I was creating a secure baseline build for our organization’s Windows Server 2003 member and application servers and at the time I was working on locking down unneeded services.  Messenger service?  Yeah, let’s disable that.  Alerter service?  Disable.  DHCP Client service?  These are member servers which are statically configured so no need for that.  Disable it.

Oops…guess we do need that service after all.  As you know – better than I did – DNS client registration is handled by the DHCP Client service.  We corrected my mistake and enabled the DHCP Client service in our secure baseline.  That error was on me.  It seemed like a somewhat odd service to put that function under but I can understand it.  I suppose I could complain that the function was hidden but it’s kinda like me complaining that I can’t find my 4-year-old son when we’re playing hide-and-go-seek.  I mean, the curtain didn’t look that lumpy 10 seconds ago.  Microsoft has done a good job documenting the role of the DHCP Client service in registering A and PTR resource records (and AAAA if the IPv6 interface is installed and enabled).  I should have seen the lumpy curtain.

However, this time Microsoft has flipped the script.  Now I’m hiding from my son – not like I normally do – where I hide in plain sight so he can find me.  No, this time I’m doing the best I can to make sure that my 4-year-old can’t find me.  And it seems that this is the type of hide-and-go-seek that Microsoft is playing with their administrators.  So what are they hiding?

Starting with Windows Vista, DNS client registration is no longer done by the DHCP Client service.  It is now performed by the DNS Client service.  Ta da!  There it is.

To be fair to Microsoft, like every game of hide-and-seek (at least every fair game), the person’s hiding somewhere in the house and can be found.  And this info can be found as well.

For Vista, search this article for DNS Registration Behavior.

“The DNS Client service in Windows Vista uses DNS dynamic update and attempts to register the following records:

  • A records for all IPv4 addresses assigned to the interfaces that are configured with a DNS server
  • Pointer (PTR) records for IPv4 addresses assigned to interfaces that are configured with a DNS server
  • AAAA records for all global IPv6 addresses assigned to interfaces that are configured with a DNS server
  • PTR records for IPv6 addresses assigned to interfaces that are configured with a DNS server”

For 2008 and 2008 R2, it can be found in the second paragraph of Understanding Dynamic Updates.

“By default, the DNS Client service dynamically updates host (A) resource records in DNS when the service is configured for TCP/IP.”

Spread the word!  Together we can end this game of hide-and-go-seek.

In the future I’ll isolate the DNS Client service into its own process and see if I can’t get Netmon to pick up the process name in the trace.  You can easily repro this yourself if you don’t feel like waiting.  Just disable the DHCP Client service, start your network capture, cycle the DNS Client service, and watch the packets flow.
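
What to look for in that capture is DNS dynamic update traffic (RFC 2136, opcode 5). As an added example that is not part of the original post, the Python below parses such a message and lists the records it changes; the sample packet, the zone `corp.example` and the host `srv01` are constructed.

```python
import ipaddress
import struct
OPCODE_UPDATE = 5  # RFC 2136 dynamic update
TYPES = {1: "A", 12: "PTR", 28: "AAAA"}  # record types named in the quoted docs
ACTIONS = {1: "add", 254: "delete-rr", 255: "delete-rrset"}  # class of an update RR

def read_name(msg, off):
    """Decode the DNS name at off, following compression; return (name, next offset)."""
    labels, resume, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer
            if (hops := hops + 1) > 32:
                raise ValueError("compression pointer loop")
            resume = off + 2 if resume is None else resume
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
            off += 1 + msg[off]
    return ".".join(labels), (off + 1 if resume is None else resume)

def parse_update(msg):
    """Return (zone, [(action, type, name, value)]) for an UPDATE request, else None."""
    if len(msg) < 12:
        return None
    _id, flags, zocount, prcount, upcount, _ad = struct.unpack("!6H", msg[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None  # a response, another opcode, or a malformed zone section
    zone, off = read_name(msg, 12)
    off += 4  # zone type (SOA) and class
    changes = []
    for i in range(prcount + upcount):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_off, off = off + 10, off + 10 + rdlen
        if i < prcount:
            continue  # prerequisites are conditions, not changes
        value = None  # stays None for deletes and for types not decoded here
        if rtype == 12 and rdlen:
            value = read_name(msg, rdata_off)[0]
        elif rtype in (1, 28) and rdlen:
            value = str(ipaddress.ip_address(msg[rdata_off:off]))
        changes.append((ACTIONS.get(rclass, rclass), TYPES.get(rtype, rtype), name, value))
    return zone, changes

# Constructed sample: UPDATE for zone corp.example replacing the A record of srv01.
SAMPLE = (struct.pack("!6H", 0x1A2B, OPCODE_UPDATE << 11, 1, 0, 2, 0)
          + b"\x04corp\x07example\x00" + struct.pack("!HH", 6, 1)      # zone, SOA, IN
          + b"\x05srv01\xc0\x0c" + struct.pack("!HHIH", 1, 255, 0, 0)  # delete A RRset
          + b"\xc0\x1e" + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([192, 0, 2, 10]))
```

`parse_update(SAMPLE)` returns the zone and a delete-then-add pair for `srv01.corp.example`; ordinary queries and responses return `None`.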