Guest PaulHarrison Posted August 25, 2022 Posted August 25, 2022 The other day a client asked everyone in operations who added some odd DNS records, everyone on the admin team denied making any changes, no one in engineering did it either. They determined the user that made the new record but then got curious, what if folks had added many other records but no one had noticed? I decided to generate a list of who had created DNS records to cross-reference with the list of folks we expected. Auditing is like backups, enabling it is a higher priority after a big mistake. Fortunately, with DNS we can figure out a few neat things without digging through auditing logs. When a user creates a DNS record that user is made the owner of that record as we can see here by looking through dnsmgmt.msc at a record George created in the resources.contoso.com zone. Of course, we can do the same thing through PowerShell: (Get-Acl 'AD:\DC=MyFavoriteDNSRecord,DC=resources.contoso.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=resources,DC=contoso,DC=com').Owner Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages. Now that I have a one-liner to determine the owner of a single record, I want to summarize the creator of every record in the environment to see if there are folks creating records that we don’t know about. To do this we need to get every zone, then every record in every zone, then get the owner. $ComputerName = 'resources.contoso.com' $Zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsDsintegrated } #get all zones I care about $DNSRecords = $Zones | Get-DnsServerResourceRecord -ComputerName $ComputerName #get every DNS record $RecordAndOwner = $DNSRecords | ForEach-Object { [pscustomobject]@{ Record = $_ Owner = (Get-Acl $('AD:\' + $_.DistinguishedName)).Owner } } Great, now I have a bunch of useful information, but if we just look at it without any special effort it is too ugly to do anything useful with. Here is the beginning of what I got in my lab: PS C:\> $RecordAndOwner Record Owner ------ ----- DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord RESOURCES\RESOURCESDC2$ DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM DnsServerResourceRecord NT AUTHORITY\SYSTEM …Then there were way more records, but this doesn’t tell us much, so we need a better way of reviewing it. Here is a more useful summary: $RecordAndOwner | Group-Object owner | Select-Object count, name | Sort-Object name Count Name ----- ---- 61 NT AUTHORITY\SYSTEM 1 RESOURCES\ATA1$ 4 RESOURCES\BillG 1 RESOURCES\DEMOSERVER$ 1 RESOURCES\EARS$ 2 RESOURCES\george 1 RESOURCES\NEW2019$ 1 RESOURCES\OLD2012R2$ 1 RESOURCES\OLD2016$ 1 RESOURCES\RESOURCESCA$ 2 RESOURCES\RESOURCESDC2$ 1 RESOURCES\RESOURCESWORKST$ Unfortunately, this still shows all the computers showing the records that they registered and I don’t really care about those. Here I narrow it down to more useful insights by removing the records created by computers. $RecordAndOwner | Group-Object owner | Where-Object { $_.Name -notlike '*$' } | Select-Object count, name | Sort-Object name Count Name ----- ---- 61 NT AUTHORITY\SYSTEM 4 RESOURCES\BillG 2 RESOURCES\george Now I have a list of every user account that is an owner of a DNS record and how many they are the owner of. Wait a second… who is this BillG guy making changes? Let’s investigate what he has been doing. ($RecordAndOwner | Where-Object { $_.owner -eq 'resources\billg' }).Record HostName RecordType Type Timestamp TimeToLive RecordData -------- ---------- ---- --------- ---------- ---------- asdf2 A 1 0 01:00:00 3.3.3.3 asdf2 A 1 0 01:00:00 2.2.2.2 asdf2 A 1 0 01:00:00 1.1.1.1 asdf3 CNAME 5 0 01:00:00 asdf2.resources.contoso.com . It looks like BillG is creating records that aren’t very useful. Based on this I can go talk to BillG to determine what he is up to, maybe he forgot that he was in production when he was testing. Here is everything we did: $ComputerName = 'resources.contoso.com' $Zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object { $_.IsDsintegrated } #get all zones I care about $DNSRecords = $Zones | Get-DnsServerResourceRecord -ComputerName $ComputerName #get every DNS record $RecordAndOwner = $DNSRecords | ForEach-Object { [pscustomobject]@{ Record = $_ Owner = (Get-Acl $('AD:\' + $_.DistinguishedName)).Owner } } $RecordAndOwner #List all the owners... wait, that is too much stuff and too hard to read #List everyone that has created a DNS record and how many records they have created (only checks owner, but owner is the creator by default) $RecordAndOwner | Group-Object owner | Select-Object count, name | Sort-Object name #Omit records created by servers $RecordAndOwner | Group-Object owner | Where-Object { $_.Name -notlike '*$' } | Select-Object count, name | Sort-Object name #Investigate which records BillG has created ($RecordAndOwner | Where-Object { $_.owner -eq 'resources\billg' }).Record Once again, a difficult manual task became nearly trivial with a few lines of PowerShell. We reviewed tens of thousands of DNS records in just a few minutes. In this case we got away without the need for auditing, however configuring proper DNS auditing before you need it is very important. Properly configuring DNS auditing is outside the scope of this article, so I’ve referenced valuable articles from a colleague. Have fun scripting! Additional reading: Who Moved the DNS Cheese? Auditing for AD-Integrated DNS Zone and Record Deletions - Microsoft Tech Community How to Save the DNS Cheese. Protect AD-Integrated DNS Zones from Accidental Deletions - Microsoft Tech Community Continue reading... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.