The absolute most secure way to manage DNS clients on your network is to manually add each and every one of them into DNS manually. Unfortunately, this just isn’t a viable option on large networks. Because of this, DNS supports a feature called dynamic updates, but this is inherently unsecure. With typical unsecured dynamic updates, any computer can create records on your DNS server which leaves you open to malicious activity.
The more secure form of unsecured dynamic updates is…you guessed it…secure dynamic updates. This feature forces DNS to integrate with Active Directory so that any computer creating records on the DNS server must be a member of the AD domain. This is configurable by right clicking a zone in the DNS management MMC snap-in and going to properties. From there, go select “Secure Only” in the dynamic updates combo box.
