Who is adding a bunch of DNS records to my environment?


The other day a customer asked everyone in operations who had added some odd DNS records. Everyone on the admin team denied making any changes, and nobody in engineering had done it either. They determined which user had made the new record but then got curious: what if people had added many other records and nobody had noticed?

I decided to generate a list of who had created DNS records so it could be cross-referenced with the list of people we expected.

Auditing is like backups: enabling it becomes a higher priority after a big mistake. Fortunately, with DNS we can figure out a few neat things without digging through audit logs.

 

When a user creates a DNS record, that user is made the owner of that record, as we can see here by looking through dnsmgmt.msc at a record George created in the resources.contoso.com zone.

[Image: Pic1.png]

 

Of course, we can do the same thing through PowerShell:

 

(Get-Acl 'AD:DC=MyFavoriteDNSRecord,DC=resources.contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=resources,DC=contoso,DC=com').Owner

 

[Image: Picture2.png]

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

Now that I have a one-liner to determine the owner of a single record, I want to summarize the creator of every record in the environment to see if there are people creating records that we don't know about. To do that we need to get every zone, then every record in every zone, then get the owner of each record.

 

    $ComputerName = "resources.contoso.com"
    $Zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsDsIntegrated } #get all zones I care about (only AD-integrated zones have an owner to read)
    $DNSRecords = $Zones | Get-DnsServerResourceRecord -ComputerName $ComputerName #get every DNS record
        
    $RecordAndOwner = $DNSRecords | ForEach-Object {
        [pscustomobject]@{
            Record = $_
            Owner  = (Get-Acl $('AD:' + $_.DistinguishedName)).Owner #read the owner from the record's AD object
        }
    }

 

 

Great, now I have a bunch of useful information, but if we just look at it without any special effort it is too ugly to do anything useful with. Here is the beginning of what I got in my lab:

 

PS C:\> $RecordAndOwner

Record                  Owner
------                  -----
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord RESOURCES\RESOURCESDC2$
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM
DnsServerResourceRecord NT AUTHORITY\SYSTEM

 

 

...Then there were many more records, but this doesn't tell us much, so we need a better way of reviewing it.

 

Here is a more useful summary:

 

$RecordAndOwner | Group-Object Owner | Select-Object Count, Name | Sort-Object Name
Count Name
----- ----
   61 NT AUTHORITY\SYSTEM
    1 RESOURCES\ATA1$
    4 RESOURCES\BillG
    1 RESOURCES\DEMOSERVER$
    1 RESOURCES\EARS$
    2 RESOURCES\george
    1 RESOURCES\NEW2019$
    1 RESOURCES\OLD2012R2$
    1 RESOURCES\OLD2016$
    1 RESOURCES\RESOURCESCA$
    2 RESOURCES\RESOURCESDC2$
    1 RESOURCES\RESOURCESWORKST$

 

 

Unfortunately, this still shows all of the computers along with the records they registered for themselves, and I don't really care about those.

Here I narrow it down to more useful insights by removing the records created by computers (computer account names end in "$").

 

$RecordAndOwner | Group-Object Owner | Where-Object { $_.Name -notlike '*$' } | Select-Object Count, Name | Sort-Object Name

Count Name
----- ----
   61 NT AUTHORITY\SYSTEM
    4 RESOURCES\BillG
    2 RESOURCES\george

 

 

 

Now I have a list of every user account that is the owner of a DNS record and how many records each one owns. Wait a second... who is this BillG guy making changes? Let's check what he has been doing.

 

($RecordAndOwner | Where-Object { $_.Owner -eq 'resources\billg' }).Record

HostName                  RecordType Type       Timestamp            TimeToLive      RecordData
--------                  ---------- ----       ---------            ----------      ----------
asdf2                     A          1          0                    01:00:00        3.3.3.3
asdf2                     A          1          0                    01:00:00        2.2.2.2
asdf2                     A          1          0                    01:00:00        1.1.1.1
asdf3                     CNAME      5          0                    01:00:00        asdf2.resources.contoso.com.

 

 

It looks like BillG is creating records that aren't very useful. Based on this I can go talk to BillG to determine what he is up to; maybe he forgot that he was in production when he was testing.

 

Here is everything we did:

 

$ComputerName = "resources.contoso.com"
$Zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsDsIntegrated } #get all zones I care about
$DNSRecords = $Zones | Get-DnsServerResourceRecord -ComputerName $ComputerName #get every DNS record
        
$RecordAndOwner = $DNSRecords | ForEach-Object {
    [pscustomobject]@{
        Record = $_
        Owner  = (Get-Acl $('AD:' + $_.DistinguishedName)).Owner
    }
}
        
$RecordAndOwner #List all of the owners... wait, that is too much stuff and too hard to read
        
#List everyone that has created a DNS record and how many records they have created (only checks owner, but owner is the creator by default)
$RecordAndOwner | Group-Object Owner | Select-Object Count, Name | Sort-Object Name
        
#Omit records created by computers (account names ending in $)
$RecordAndOwner | Group-Object Owner | Where-Object { $_.Name -notlike '*$' } | Select-Object Count, Name | Sort-Object Name
        
#Investigate which records BillG has created
($RecordAndOwner | Where-Object { $_.Owner -eq 'resources\billg' }).Record
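The script above answers "who owns what"; the follow-up question from the start of the post is "which of those owners did we not expect?". The example below is an added one, not code from the original post: it builds the same per-record owner list, adds the zone name and the AD object's whenCreated/whenChanged times for context, and then checks each owner against an allow-list. The DnsServer and ActiveDirectory modules are assumed to be installed and the script is assumed to run in the domain that hosts the zones; `$ComputerName`, `$ExpectedOwners`, `Get-RecordDataText` and `Get-DnsRecordOwnerReport` are names constructed for this example.

```powershell
# Added example (not from the original post): cross-reference DNS record owners in
# the AD-integrated zones against an allow-list of expected creators and report the
# unexpected ones with zone, record data and AD timestamps.
# Assumes the DnsServer and ActiveDirectory RSAT modules are installed; Get-Acl on the
# AD: drive needs the ActiveDirectory module loaded.
Import-Module DnsServer, ActiveDirectory

$ComputerName = 'resources.contoso.com'                         # constructed value
# Constructed allow-list: SYSTEM covers records written by the DNS/DHCP server roles,
# george is the admin the post says is expected to edit this zone.
$ExpectedOwners = @('NT AUTHORITY\SYSTEM', 'RESOURCES\george')

function Get-RecordDataText {
    # Flatten the CIM RecordData object (IPv4Address, HostNameAlias, ...) into text,
    # skipping the PS*/Cim* bookkeeping properties that every CIM instance carries.
    param($RecordData)
    $props = $RecordData.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^(PS|Cim)' -and $null -ne $_.Value }
    ($props | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
}

function Get-DnsRecordOwnerReport {
    param(
        [string]$ComputerName,
        [string[]]$ExpectedOwners
    )
    # Only AD-integrated zones store records as AD objects, so only they have an owner.
    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.IsDsIntegrated }

    foreach ($zone in $zones) {
        Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName |
            Where-Object { $_.DistinguishedName } |   # skip records with no backing AD object
            ForEach-Object {
                # The AD object is the DNS node (one per host name), so several records under
                # the same name share one DN, one owner and one set of timestamps.
                $dn    = $_.DistinguishedName
                $owner = (Get-Acl -Path ('AD:' + $dn)).Owner
                $obj   = Get-ADObject -Identity $dn -Properties whenCreated, whenChanged
                [pscustomobject]@{
                    Zone        = $zone.ZoneName
                    HostName    = $_.HostName
                    RecordType  = $_.RecordType
                    RecordData  = Get-RecordDataText $_.RecordData
                    Owner       = $owner
                    IsComputer  = $owner -like '*$'            # computer accounts end in $
                    IsExpected  = $ExpectedOwners -contains $owner
                    WhenCreated = $obj.whenCreated
                    WhenChanged = $obj.whenChanged
                }
            }
    }
}

$report = Get-DnsRecordOwnerReport -ComputerName $ComputerName -ExpectedOwners $ExpectedOwners

# Per-owner summary with computer accounts excluded, as in the post.
$report | Where-Object { -not $_.IsComputer } |
    Group-Object Owner | Select-Object Count, Name | Sort-Object Name

# Records owned by a human account that is not on the allow-list, oldest first,
# so the review can start where the unexpected changes began.
$report | Where-Object { -not $_.IsComputer -and -not $_.IsExpected } |
    Sort-Object WhenCreated |
    Format-Table Zone, HostName, RecordType, RecordData, Owner, WhenCreated, WhenChanged -AutoSize
```

Two caveats when reading the output. Ownership is only a lead, not proof: the owner is the creator by default, but it can be changed afterwards by anyone with the right to take ownership, and records written on a user's behalf by a server role (DHCP registrations, dynamic updates) show the service account rather than the person who caused them. That is exactly the gap that the audit logging recommended at the end of the post closes. Also, whenCreated belongs to the DNS node object, so for a name with several records it tells you when the first record under that name appeared, not when each one was added.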

 

 

Once again, a tough manual task became nearly trivial with a few lines of PowerShell. We reviewed tens of thousands of DNS records in just a couple of minutes.

In this case we got away without the need for auditing; however, configuring proper DNS auditing before you need it is important. Properly configuring DNS auditing is outside the scope of this article, so I've referenced helpful articles from a colleague.

 

Have fun scripting!

 

 

Additional reading:
