Share via

How to Monitor Deletion of DNS Records

  • Article

Why It Is Important

Accidental or malicious deletion of DNS records is one important cause of IT service unavailability. For instance, if a DNS record is deleted from a domain controller, users might not be able to log in, and the deletion of SharePoint DNS records can make internal corporate resources unavailable. Ongoing monitoring of DNS record deletions enables IT administrators to quickly spot such incidents so they can remediate changes that might lead to system downtime, authentication errors and failed access attempts.

Native Auditing

1. Run GPMC.msc → Create a new policy and assign it to the needed OU → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → go to "Properties" of Audit directory service access → Define → Success.

2. Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → in "Properties" of below-mentioned policies define:
2.1 Maximum security log size to 4gb
2.2 Retention method for security log to Overwrite events as needed.

3. Open ADSI Edit → Connect to Default naming context → Expand DomainDNS object with the name of your domain → System → Right-сlick MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete subtree → Click "OK".

4. Open DNS Manager → Expand your servername → Forward Lookup Zone → Right-click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete Subtree → Click "OK".

5. Look for Event ID 4662 with Object Type: dnsNode in your Security Event log in order to track DNS records deletion.

https://img.netwrix.com/landings/howtofriday/native_dns_deleted-4.png

6. Real Life Use CaseView

Credits: Originally posted - https://www.netwrix.com/how_to_monitor_deletions_of_dns_records.html