Delegating DNS record write permissions

With application owners having an increased closeness to infrastructure teams, delegating permissions to certain objects becomes natural. IT guru Rick Vanover highlights one trend to take the burden off of a network team.

For many environments, using Active Directory-integrated DNS zones is the way to go. Further, I’m a big fan of using the DNS CNAME record to configure application-related topics such as making ODBC database connections. One of the hitching points in the Windows DNS world is that DNS permissions are tied to Active Directory permissions. In larger organizations, your Windows Active Directory administrator may not be your application administrator.

A practice that I’m going forward with is assigning permissions directly to a DNS record. This effectively allows an application owner or an IT service owner to change that DNS record without involving the Active Directory administrator. Let me explain this so you can get some perspective on the controls in place. This practice would be for the following situations only:

  • A CNAME or Alias record only for static entries. This would exclude dynamic entries such as a computer account.
  • Only in DNS zones for non-Active Directory domains
  • Have a firm policy that governs how DNS records are changed in delegated configurations. For example, prohibit application owners from using the DNS console to change the delegated domain records. Instead, provide a script that runs DNSCMD (or another command) to change the DNS record and sends an email to management and others as a record of the activity.
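A script of the kind the last item describes, added here as an example and not taken from the original post: it swaps the target of the delegated CNAME with DNSCMD under the application owner's own account (which must hold the delegated write permission on the record) and mails a record of the change. The server name, zone, SMTP host and mail addresses are assumed placeholders.

```powershell
# Added example (not from the original post). Replaces the target of a
# delegated CNAME with dnscmd and emails a record of the change.
# dnscmd runs as the calling user, so only the delegated write permission
# on this record is needed. Server, zone, SMTP host and addresses are
# assumed placeholders.
param(
    [Parameter(Mandatory)][string]$NewTarget,   # e.g. db02.rwvdev.intra.
    [string]$DnsServer = 'dns01.rwvdev.intra',
    [string]$Zone      = 'delegated.rwvdev.intra',
    [string]$Record    = 'DB-Application-Prod',
    [string]$SmtpHost  = 'smtp.rwvdev.intra',
    [string]$MailTo    = 'it-management@rwvdev.intra',
    [string]$MailFrom  = 'dns-delegation@rwvdev.intra'
)

$fqdn = "$Record.$Zone"

# Read the current CNAME target so the email records both old and new values.
$oldTarget = $null
foreach ($line in (& dnscmd $DnsServer /EnumRecords $Zone $Record)) {
    if ($line -match '\bCNAME\s+(\S+)') { $oldTarget = $Matches[1]; break }
}
if (-not $oldTarget) { throw "No CNAME found for $fqdn on $DnsServer" }

# dnscmd has no in-place update for CNAME: delete the old record (/f skips
# the confirmation prompt) and add the new one. Stop on any failure.
& dnscmd $DnsServer /RecordDelete $Zone $Record CNAME $oldTarget /f
if ($LASTEXITCODE -ne 0) { throw "RecordDelete failed (exit $LASTEXITCODE)" }
& dnscmd $DnsServer /RecordAdd $Zone $Record CNAME $NewTarget
if ($LASTEXITCODE -ne 0) { throw "RecordAdd failed (exit $LASTEXITCODE)" }

# Audit trail: who changed what, when, and from where.
$body = @"
DNS delegation change
Record : $fqdn
Old    : $oldTarget
New    : $NewTarget
By     : $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME
When   : $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss zzz')
"@
Send-MailMessage -SmtpServer $SmtpHost -From $MailFrom -To $MailTo `
    -Subject "DNS change: $fqdn -> $NewTarget" -Body $body
```

Because the script accepts only the new target, the delegated user cannot reach any zone or record other than the one it hard-codes, which is the control the policy item above is after.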

An example of this type of DNS object is shown below in Figure A.

Figure A

Notice how the delegated.rwvdev.intra domain has a single record, DB-Application-Prod.delegated.rwvdev.intra. This record’s security configuration is shown in the image. Here, Windows Active Directory accounts can be granted the write permission needed to change the record. The next question is how to determine when a DNS record changed; look no further than the DNS timestamp field.

What is your take on adding permissions for DNS domains under specific requirements such as this? Why engage network administrators for application changes? Share your comments below.