This is my first post of year 2016. Was busy with couple of things. Anyways, I hope this post finds you in good health and spirit. I do lot of Windows training and one obvious question in every class is “what is dynamic updates in DNS and how it works ?” So, let’s discuss this much-queried topic.What is Dynamic update ?
You must have observed that whenever a new computer joins domain a corresponding record is created in DNS. Also if there is any update in IP or Name of domain computer, it gets updated in DNS. The process which works to register or update records in DNS is called dynamic update. While configuring DNS you get two option related to dynamic updates:
- Secure only
- Nonsecure and secure
Actually there are 3 options, I don’t want discuss 3rd option as its very tough to understand. Lol. 3rd option is “None” which you choose if you want to disable dynamic updates.
Secure updates means that update will be done only for domain members while nonsecure is to update for any computer (even if they are not part of domain).
How Dynamic update works ?
The service responsible for dynamic update is “DNS Client service” and it works in event of:
- Change of IP address statically.
- IP address lease change or renewal by the DHCP server.
- The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.
- At startup time, when the computer is turned on.
- A member server is promoted to a domain controller.
So, in occurrence of any event described above, DNS client service will initiate dynamic update. For the purpose it will first send an SOA query to find authoritative server for the zone. Once primary DNS server will receive this query it will respond it. DNS client will send update message to authoritative server and latter will process it to perform the change.
In case primary server fails to perform update operation, DNS client will try other authoritative DNS server.
There are couple of things I will like to put in account.
- Client has to update itself after “refresh interval” which is 7 days by default. If it won’t update within “No-refresh interval” then it will be deleted (scavenged). If you don’t have idea of refresh, no-refresh and scavenging interval, I have another post for it. You can read it here: https://vinitpandey.wordpress.com/2015/08/19/aging-and-scavenging-dns/
- TTL for dynamic update is 15 mins and can be altered.
- Dynamic update doesn’t work over VPN and RAS and it doesn’t attempt dynamic update of top-level domain (TLD) zones. However, these are default behavior and you can change it via registry or policy.
Okay, so I hope now you understand Dynamic DNS updates concepts.
Today I read something interesting. Microsoft is building completely automated datacenter on ocean bed. Name of project is “Project Natick”. You can find more about it here:
I will see you soon with some other technical stuff and by then take good care of yourself. Bye.
2 thoughts on “How DNS dynamic update works?”
Can you elaborate on this statement: “Dynamic update doesn’t work over VPN and RAS and it doesn’t attempt dynamic update of top-level domain (TLD) zones. However, these are default behavior and you can change it via registry or policy.” What registry / policy changes the default behavior of dynamic updates over VPN?
Dynamic update by default doesn’t work when machine is connected over VPN and RAS. Also it doesn’t update top level domain and root domain. It can only make changes to its authoritative zone.
To enable client to update top level authoritative domain, here are the policy details : http://dns-info.blogspot.com/2009/01/update-top-level-domain-zones-group.html
Here are registry settings: https://www.windows-security.org/a63d2e63f38ebad5892f3a666dde6bd4/update-top-level-domain-zones
However this is old blogs and I haven’t checked it yet for latest OS.