Add DNS records from .NET app

Question

I am working on a webapp that we acquired from another company. When you "sign up", the server is supposed to create a DNS alias using WMI. It was crashing with a "Generic Error", which was later cured by adding the following tag to the Web.config file:

identity impersonate="true" userName="administrator" password="theadminpass"

This worked, but for some reason it has since broken, and obviously I don't like it from a security perspective. I have used the WMI management tool to give root\microsoftdns full wide-open permissions to admin, network service, network, and aspnet, with no success.

Anyways, I want to know if there is a way other than using WMI to reliably and securely add DNS records from within a .NET web interface.

Answer 1

If you are using IIS 6.1 and upwards you can set the identity of the worker process within the application pool. I have found that to be more reliable that using idenity impersonation, it is definately more secure than having the username and password in a configuration file (although you can use aspnet_regiis.exe to encrypt portions of the config).

As for an althernative to WMI you could try DnDns although I am not expirienced with creating DNS entries.

Answer 2

(I'm assuming you're using Microsoft's DNS server)

You could set the permissions on the DNS zone so that the user the application pool is running as can create entries.

Answer 3

Getting the WMI and DCOM permissions setup correctly to successfully update MS DNS over WMI can be difficult. It seems MS is making this harder with each hotfix. John Howard has a blog entry on TechNet that deals with this for with Hyper-V remote sessions. You basically need to do the same for MS DNS + set the update permissions in DNS.

Alternatively you may want to consider using Simple DNS Plus as the DNS server - this is much simpler to update remotely either with the .NET API or over HTTP directly.