Auditing your DNS Records with PowerShell
This blog is all about DNS. I’m sure most of the IT people will know what DNS is. Especially if you’re an Infrastructure guy i’m sure you know what i’m talking. I’ve been to a client who had a massive number of DNS records & I’ve been tasked to remediate stale DNS records. My initial thought’s were how do i find stale records & how do i convience customer what i found are stale records. In this process i thought the following will be helpful in convincing customer.
- Discover.
- Test.
- Remediate.
1.Discover
Initial step is to discover the DNS records that are in the organization. In order to do that i harnessed the power of Powershell. In this extraction we are mainly focused on “Name Server” records in DNS zones in the organization because by testing NS records we are able to say if the record is valid or invalid. Usually there will be DNS servers in every organization. So i will be running the script on each server to get the DNS zones and NS records associated to the zones.
$DNS = Get-DnsServerZone -computerName "Server Name"
$Array = @()
$Count = $DNS.count
$i = 1
So the above command will query the DNS zones in DNS Server and I created a empty array to store all the records which will be extracted into a csv file.
Foreach ($obj in $DNS)
{
Write-Progress -Activity "Getting info for $obj.Zonename" -Status "$i of $count" -PercentComplete ($i/$count*100)
$ResourceRecords = Get-DnsServerResourceRecord -ComputerName "Server Name" -ZoneName $($obj.Zonename) -RRType NS
Above will give us all the DNS zones in the DNS server and it will store the value in a variable. As we had so many zones in the DNS records, i thought it will be helpfull to visualize how many zones are there and their information. I’m able to achieve it via “Write-progress” cmdlet which i found usefull.
2.Test
Now in this phase i decided to test the name server records that i extracted and stored in the variable “ResourceRecords” This is a vital part in the script. In this part Power Shell cmdlet will try to resolve every Name Server record that it extracted in the above. If the cmdlet is able to resolve the name server record then it’s valid otherwise it’s an invalid record.
Foreach ($zone in $Resourcerecords)
{
Try
{
$ns = Resolve-DnsName -Name $($zone.RecordData).NameServer
$record = New-Object psobject
$record | Add-Member -Type NoteProperty -Name "Name" -Value $ns.Name
}
Catch
{
$error[0].Exception.Message
$record | Add-Member -Type NoteProperty -Name "Name" -Value $($error[0].exception.Message)
}
$record | Add-Member -Type NoteProperty -Name "ZoneName" -Value $obj.ZoneName
$record | Add-Member -Type NoteProperty -Name "zoneType" -Value $obj.ZoneType
$record | Add-Member -Type NoteProperty -Name "ReverseLookupZone" -Value $obj.Isreverselookupzone
$record | Add-Member -Type NoteProperty -Name "Hostname" -Value $Zone.Hostname
$record | Add-Member -Type NoteProperty -Name "RecordData" -Value $($zone.recorddata).Nameserver
$record | Add-Member -Type NoteProperty -Name "IPAddress" -Value $ns.Ipaddress
$array += $record
} #end of $zone foreach loop
$i++
}
$array
#End of Script
With the Array variable, you can save the records to a csv file. I haven’t included the “csv file” storage part in the script as the csv file storage spot will vary to the users who run the script.
3.Remediate
We achieved the most difficult part of the task which is extracting the records and finding a valid record. I haven’t included how to purge name server records in the script as DNS records are vital for every organization and it wouldn’t be wise purging them without proper process and approval from client. Once the records are peer reviewed by the client you can always import the reviewed csv file to a variable and can use the following powershell cmdlet to remove the records.
Remove-dnsserverresourcerecord -Name "Hostname of the record" -RRtype "NS" -recorddata "name of name server record" -zonename "zone name" -computername "Server name"
Note:- Above script is compatible with Windows Server from 2012. This won’t work on windows server 2008.
In this Blog I shared with you my Powershell scripts to solve stale DNS records
Chiru
