Microsoft Windows operating systems support a feature that dynamically updates the mappings of domain names to associated IP addresses assigned to hosts by DHCP servers. This automatic updating, called Dynamic DNS Updates service, reduces the administrative overhead associated with manually administering DNS records of network hosts.

While this service can reduce administrative overhead, it also can, and does, have deleterious effects on the larger Internet by leaking traffic regarding private IP addresses that should never leave the local area network.

You do not need to disable dynamic DNS updates if:

• you use a static IP address; or
• you use DHCP to get a global IP address

However, if you have configured your host to act as a DHCP client/server and you make use of the private IP address space (including 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) specified in RFC1918, you should turn off the dynamic DNS update feature. Only if you know with certainty that the updates get sent only to a local DNS server should you run the Dynamic DNS Updates service. Most home users who use DSL/Cable routers as DHCP/NAT servers to facilitate multiple host connections to the Internet should turn off dynamic DNS updates.

``So what if my host leaks a few packets to the global Internet? Why should I bother turning it off?'' The reason is that inconsistent configuration between your home hosts and your local DNS servers can, and often does, cause leakage of DNS updates for private IP addresses to the global Internet. This leakage causes the following problems:

• To the Internet. Private DNS updates, outside of their local network scope, have no purpose when broadcast over the Internet and act purely as traffic pollution, and a waste of network resources. We observed that this type of traffic consumes significant bandwidth, peaking at 15Mbps at one site that hosts a F-root server. This issue is not a regional problem, but rather a global phenomenon.
• To DNS Servers. Large amounts of private DNS updates flow to root name servers, imposing costly loads and performance impact on the the entire domain name system. The AS112 project was launched to shield DNS root servers from this spurious traffic. But setup and maintenance of AS112 servers demands significant engineering and human resources.
• To End Users. Private DNS updates leave a window wide open into a user's private realm. Hosts sending these updates leak information about the time they reboot or connect to the Internet, and regularly inform the outside world about their presence and status. Furthermore, users run the risk of their private and perhaps proprietary data -- names, IP addresses, numbers of nodes on internal networks -- becoming visible to third parties, who can use the information for hacking or social engineering attacks. Since it is perfectly legal to announce the AS112 block (192.175.48.0/24) from any location, access to such private user information is granted to everyone with a BGP router.

Unfortunately, most users have no knowledge of their own misbehaving hosts broadcasting private information to the world. The default configuration not only wastes global Internet resources but also introduces a multitude of security, privacy and intellectual property concerns.

How private DNS updates leak to the global Internet

Leakage of private DNS updates is caused by inconsistent configuration between DNS servers and DHCP client/server entities. The following list illustrates a typical example of how a private DNS update leaks out to the global Internet.

1. From DHCP Client to Broadcast: DHCP Request
2. From DHCP Srv to DHCP Client: DHCP ACK: 192.168.0.2
3. From DHCP Client to Local DNS Server: Query: SOA? hostname.example.com
4. From Local DNS Server to DHCP Client Response: SOA dns.example.com
5. From DHCP Client to dns.example.com: Update:A hostname.example.com
6. From DHCP Client to Local DNS Server: Query:SOA? 2.0.168.192.in-addr.arpa
7. From Local DNS Server to DHCP Client: Response:SOA prisoner.iana.org
8. From DHCP Client to prisoner: Update:PTR 2.0.168.192.in-addr.arpa. (This step causes leakage of a private DNS update to the global network.)

In the first two steps above, a DHCP client requests and obtains a private IP address from a DHCP server. Next, the DHCP client tries to update the forward mapping (type A RR) from the domain name (hostname.example.com in the example) to its newly obtained IP address. The DHCP client first sends a query to its local domain name server (LDNS) and asks for the authoritative server for the zone of its domain name (step 3). Once the DHCP client receives a response (step 4), it sends the update to the indicated server (step 5). Similarly, steps 6-8 update the inverse mapping from the IP address to the domain name (type PTR RR). In the correct setup, the LDNS should point the DHCP client to a domain name server (could be itself) inside the internal network. However, in many cases when the DHCP and DNS configurations have inconsistencies, the LDNS may direct the DHCP client to a place outside the local scope, resulting in leakage of private DNS updates to the global network. In the example shown above, the LDNS is not configured with a local zone for 168.192.in-addr.arpa. The LDNS thus iteratively sends the SOA request, starting with a root DNS server, and eventually returns the prisoner.iana.org (an AS112 server) as an authoritative server to the client (step 7). The DHCP client then sends the update for the reverse mapping to the prisoner.iana.org server (step 8).

How to turn off the Dynamic DNS Updates service

Over 97% of DNS updates that leak onto the global Internet come from Microsoft Windows™ operating systems (see companion paper on The Windows of Private DNS Updates). The following steps only illustrate how to turn off dynamic DNS updates on Microsoft Windows™ systems. For Linux or FreeBSD systems that use ISC's DHCP client and server software, the dynamic DNS update feature gets set to off by default and requires manual intervention to turn on the service.

Both DHCP clients and servers can generate DNS updates.

To turn off DNS updates on Windows 2000/XP/2003 configured with DHCP clients (refer to Figure 1):

1. Open the control panel by selecting Network Connections from the Start menu.
2. Select a network connection and right-click the mouse and select Properties from the drop-down menu.
3. In the box for "This connection uses the following items", pick the item Internet Protocol(TCP/IP) , then click the Properties button below.
4. In the pop-up window titled "Internet Protocol(TCP/IP) Properties", click the Advanced button.
5. A window titled "Advanced TCP/IP Settings" will appear. Click the DNS tab at the top. This presents the setup information related to DNS. To disable dynamic DNS updates for this network connectio, uncheck the box for Register this connection's address in DNS .
6. Repeat steps 2 through 5 for each network connection (network card) you have installed on the machine.

Click on the image below for a larger view of the screenshot. (1280 x 960 pixels)

To turn off DNS updates on Window Server 2000 running DHCP Server (refer to Figure 2 below):

Microsoft Windows Server 2003™ automatically sends DNS updates to each of its DHCP clients. To turn this feature off, follow the steps below:

1. Open the "Manage Your Server" window which you can launch from the "Administrator Tools" in the Start menus.
2. Select "Manage this DHCP server" to open the main window for DHCP management.
3. To disable DNS updates, right click on the appropriate address scope. Select Properties in the menu.
4. A window titled "Scope [x.x.x.x] Localdhcp Properties" will pop up. Click the DNS tab at the top of the window. This reveals the setup information related to DNS updates. Uncheck the box for Enable DNS dynamic updates according to the setting below , which will disable dynamic DNS update for this scope.
5. Repeat steps 3 and 4 to disable dynamic DNS updates for each appropriate address scope.

Click on the image below for a larger view of the screenshot. (1280 x 1024 pixels)