VirtualBacon

Preventing DNS Registration of Secondary IP Addresses in Windows 2008

Posted on December 30, 2012

If you added secondary IP addresses to a network interface in Windows 2000 or Windows 2003, only the primary IP address was registered in DNS. This was the default behaviour for a long time, and many admins do not realize that it changed in Windows 2008 until they begin adding secondary IP addresses to a single network adapter. Why a single adapter? When you add IP addresses to different interfaces on a server and do not want one of them registered in DNS, you simply uncheck the box labelled "Register this connection's addresses in DNS" in that interface's advanced TCP/IP settings. This is straightforward, and easy to spot once you notice the second IP address registered in DNS.

(Screenshot: Advanced TCP/IP Settings dialog)

But I still run into admins who have only recently noticed that the behaviour is different in Windows 2008 when assigning multiple IP addresses to the same interface. Part of this is because some enterprises are only now moving to Windows 2008. This is not uncommon: some vendor software was not compatible for a long time, or some critical LOB software was not supported and it took a few years to migrate it to another platform. Part of it may simply be that the need never arose before, or that this is the first time they are doing it in a firewalled environment. Whatever the case, it is a problem when they do not understand why it is happening.

In Windows 2008 every IP address on an interface is registered in DNS. In a DMZ, for example, this is a problem: a query for the server by name can return any one of its addresses, while the firewall(s) probably only have a rule for one of them. Listing every address in the ACL is usually undesirable, and you presumably have multiple addresses because you want different services on each one, and therefore different firewall rules for each IP pair. Microsoft has made a hotfix available, along with a netsh command, that lets you change this behaviour per address. The command existed before the hotfix but did not actually work; now it does.

To use the command, open an elevated command prompt and use the following syntax (quote the interface name if it contains spaces):

netsh int ipv4 add address "<Interface Name>" <ip address> skipassource=true

This command assigns the secondary IP address <ip address> to the interface <Interface Name>. skipassource=true marks the address as one that must not be used as the source address for outbound connections, and an address flagged this way is also excluded from DNS registration. You can confirm the flag took with "netsh int ipv4 show ipaddresses" (look for the "Skip as Source" line of that address), and it is worth re-checking after any later change made through the TCP/IP Properties GUI, which can clear the flag. If the command does not work (it appears to succeed, but a DNS entry is created anyway), install the following hotfix from the Microsoft web site.
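As an added example (not from the original post), here is the same procedure as a PowerShell script: it adds the address with skipassource=true, reads the flag back from netsh, forces a dynamic DNS update and then asks the DNS server whether the address was registered anyway, which is the symptom that means the hotfix is still needed. The interface name, the addresses and the way the FQDN is built are assumptions; the two checks parse the text layout of netsh's verbose "show ipaddresses" output and of nslookup, so treat them as heuristics rather than an API.

```powershell
# Added example, not from the original post: add a secondary IPv4 address with the
# SkipAsSource flag set, confirm the flag took, and check whether the address was
# registered in DNS regardless (the symptom that means you still need the hotfix).
# Assumptions: Windows Server 2008 R2 or later (skipassource is not available on
# 2008 RTM), an elevated PowerShell session, and an interface called
# "Local Area Connection". The interface name and addresses are constructed
# examples; list the real names with: netsh interface ipv4 show interfaces
param(
    [string]$InterfaceName = "Local Area Connection",
    [string]$Address       = "192.0.2.25",        # constructed (TEST-NET-1); replace with yours
    [string]$Mask          = "255.255.255.0",
    [string]$Fqdn          = "$env:COMPUTERNAME.$env:USERDNSDOMAIN"   # assumed domain-joined host
)

function Add-SecondaryAddress {
    param([string]$Interface, [string]$Ip, [string]$SubnetMask, [bool]$SkipAsSource)
    # With skipassource=false (or the flag omitted) this is the 2008 behaviour the post
    # warns about: the new address is a normal source address and gets registered in DNS.
    $flag = if ($SkipAsSource) { "skipassource=true" } else { "skipassource=false" }
    netsh interface ipv4 add address "$Interface" $Ip $SubnetMask $flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add address failed with exit code $LASTEXITCODE" }
}

function Get-SkipAsSource {
    param([string]$Interface, [string]$Ip)
    # Verbose 'show ipaddresses' prints one block per address, headed
    # "Address <ip> Parameters", containing a "Skip as Source : true|false" line.
    # Non-greedy match keeps us inside the block for this address (assumed layout).
    $text = netsh interface ipv4 show ipaddresses interface="$Interface" level=verbose | Out-String
    $pattern = "(?s)Address $([regex]::Escape($Ip)) Parameters.*?Skip as Source\s*:\s*(true|false)"
    if ($text -notmatch $pattern) { throw "Address $Ip not found on interface $Interface" }
    return ($Matches[1] -eq 'true')
}

function Test-DnsHasAddress {
    param([string]$Name, [string]$Ip)
    # Ask the configured DNS server directly via nslookup rather than the local
    # resolver, so we see what other hosts will see. Everything after the "Name:"
    # line is the answer; the lines before it describe the server that answered.
    $out = nslookup $Name 2>&1 | Out-String
    $answer = ($out -split 'Name:')[-1]
    return [bool]($answer -match [regex]::Escape($Ip))
}

Add-SecondaryAddress -Interface $InterfaceName -Ip $Address -SubnetMask $Mask -SkipAsSource $true
if (-not (Get-SkipAsSource -Interface $InterfaceName -Ip $Address)) {
    throw "SkipAsSource is not set on $Address; re-apply it with netsh (the GUI can clear it)."
}

# Force a dynamic update and give the DNS server a moment to process it.
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 15

if (Test-DnsHasAddress -Name $Fqdn -Ip $Address) {
    Write-Warning "$Address was registered for $Fqdn despite skipassource=true: install the hotfix and re-test."
} else {
    Write-Host "$Address is on '$InterfaceName' with SkipAsSource set and is not registered for $Fqdn."
}
```

Run it as Administrator with your own interface name and address; if the warning fires, the flag is set but not honoured, which is exactly the pre-hotfix behaviour the post describes. Remove the test address afterwards with netsh interface ipv4 delete address.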


Posted by Peter
