How to audit a DNS A record if someone deletes it
HOWTO: Set up DNS auditing for records that disappear from the zone
==============================================
1. Enable Directory Service Access auditing in the policy that reaches your domain controllers:
- open the Default Domain Policy in the Group Policy editor (the setting has to apply to the domain controllers; if the Default Domain Controllers Policy defines its own audit settings, those take precedence on the DCs, so define the setting there instead)
- navigate to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
- define "Audit directory service access" for Success and Failure
- refresh the policy on every domain controller (run gpupdate /force on each, or wait for the normal refresh interval)
2. Enable auditing on the zone
- open ADSI Edit
- navigate to the zone object. For a zone stored in the domain partition this is under CN=MicrosoftDNS,CN=System,DC=<domain>,DC=<tld>, as in the example below; a zone replicated to the DomainDnsZones or ForestDnsZones application partition lives under CN=MicrosoftDNS in that partition instead
- right-click the zone to audit and choose Properties
- go to the Security tab and click Advanced
- select the Auditing tab and click Add
- for the user or group, type Everyone
- on the Object tab, set "Apply onto" to "This object and all child objects" (the records are dnsNode child objects of the zone, so the audit entry must be inherited by them) and select Success and Failure for the following access types:
-- Write All Properties, Read All Properties, Delete and Delete Subtree
(auditing Read All Properties for Everyone produces a large volume of events; if you only care about deletions and changes, leave it out)
- click OK out of the dialogs; the SACL is written directly to the zone object, so no further policy refresh is needed for it
3. When a record is deleted from the zone, the following event is written to the Security event log of the domain controller that processed the change:
Event ID: 566
Source: Security
Type: Success Audit
Category: Directory Service Access
Description: a message similar to the following, where Object Name is the distinguished name of the dnsNode that was deleted:
Object Type: dnsNode
Object Name: DC=<record>,DC=<zone>,CN=MicrosoftDNS,CN=System,DC=<domain>,DC=<tld>
Properties: Write Property
Default property set
dnsRecord
dNSTombstoned
The attribute to key on is dNSTombstoned. Deleting a record from an AD-integrated zone does not remove the dnsNode object right away: the DNS server sets dNSTombstoned to TRUE and rewrites dnsRecord, so the deletion appears as Write Property on those two attributes rather than as a Delete access. An ordinary change to a record writes dnsRecord only. Client User Name and Client Domain identify who made the change; Primary User Name is the DC's machine account because the DNS server service performs the directory write on the caller's behalf. Event ID 566 is the Windows Server 2003 ID; on Windows Server 2008 and later the same audit is logged as event 4662, and with the Directory Service Changes subcategory enabled also as 5136 (object modified), which additionally records the attribute's new value.
==============================================
After completing the steps above, if anyone later deletes an A record you will see information like the following.
Example
================
Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 2010/3/29
Time: 4:22:01 PM
User: HJHROOT\administrator
Computer: W2003RDC03
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
Handle ID: -
Primary User Name: W2003RDC03$
Primary Domain: HJHROOT
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: HJHROOT
Client Logon ID: (0x0,0x537E2)
Accesses: Write Property
Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode
Additional Info:
Additional Info2:
Access Mask: 0x20
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
================
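To show how the fields of this event turn into a detection rule, here is an added Python example written for this page; it is not code from the original post. It parses the text of an event 566 and classifies it: a Write Property on a dnsNode whose property list includes dNSTombstoned is a deletion, a write that touches dnsRecord alone is an update, and anything that is not event 566 on a dnsNode is ignored. The two event bodies embedded in the script are constructed samples, not live captures: the first is an English rendering of the deletion event shown above, the second is a hypothetical in-place update of the same record (the dnsadmin account in it is made up). In practice you would feed the function the Message text of each event 566, for example from an Event Viewer export or a log collector.

```python
# Added example: classify Windows Server 2003 Security event 566 text for DNS zones.
from dataclasses import dataclass
from typing import Any, Dict, Optional, Tuple

# Constructed sample 1: the deletion event from this page, English field names.
DELETE_EVENT = """\
Event Type: Success Audit
Event ID: 566
Date: 2010/3/29
Time: 4:22:01 PM
User: HJHROOT\\administrator
Computer: W2003RDC03
Object Type: dnsNode
Object Name: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
Primary User Name: W2003RDC03$
Primary Domain: HJHROOT
Client User Name: administrator
Client Domain: HJHROOT
Accesses: Write Property
Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode
Additional Info:
Access Mask: 0x20
"""

# Constructed sample 2 (hypothetical): the same record edited in place. An update
# rewrites dnsRecord but leaves dNSTombstoned alone, which is the discriminator.
UPDATE_EVENT = """\
Event ID: 566
Object Type: dnsNode
Object Name: DC=test001,DC=hjhroot.com,CN=MicrosoftDNS,CN=System,DC=hjhroot,DC=com
Client User Name: dnsadmin
Client Domain: HJHROOT
Accesses: Write Property
Properties:
Write Property
dnsRecord
dnsNode
"""


def parse_event_566(text: str) -> Dict[str, Any]:
    """'Key: Value' lines to a dict; the Properties block (one name per line,
    ended by 'Additional Info') is collected as a list under 'Properties'."""
    fields: Dict[str, Any] = {"Properties": []}
    in_props = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if in_props and not line.startswith("Additional Info"):
            fields["Properties"].append(line)
            continue
        in_props = False
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Properties":
            in_props = True
            if value:  # single-line form: "Properties: Write Property"
                fields["Properties"].append(value)
        else:
            fields[key] = value
    return fields


def split_dns_node_dn(dn: str) -> Tuple[str, str]:
    """(record, zone) from DC=<record>,DC=<zone>,CN=MicrosoftDNS,...;
    escaped commas inside RDN values are not handled."""
    rdns = [part.strip().split("=", 1) for part in dn.split(",")]
    if (len(rdns) < 3 or any(len(r) != 2 for r in rdns[:3])
            or [r[0] for r in rdns[:3]] != ["DC", "DC", "CN"]
            or rdns[2][1] != "MicrosoftDNS"):
        raise ValueError(f"not a dnsNode DN: {dn}")
    return rdns[0][1], rdns[1][1]


@dataclass
class DnsAuditHit:
    verdict: str            # record_deleted, record_modified, read, other_write, ignore
    succeeded: bool = True  # False for a Failure Audit (a denied attempt)
    record: Optional[str] = None
    zone: Optional[str] = None
    actor: Optional[str] = None


def classify_event(text: str) -> DnsAuditHit:
    """Decide what one event 566 means for the zone."""
    ev = parse_event_566(text)
    if ev.get("Event ID") != "566" or ev.get("Object Type") != "dnsNode":
        return DnsAuditHit("ignore")
    record, zone = split_dns_node_dn(ev.get("Object Name", ""))
    # Client User Name is the caller; Primary User Name is the DC's machine
    # account, because the DNS server performs the directory write itself.
    actor = f'{ev.get("Client Domain", "?")}\\{ev.get("Client User Name", "?")}'
    props = set(ev["Properties"])
    if "Write Property" not in props and "Write Property" not in ev.get("Accesses", ""):
        verdict = "read"
    elif "dNSTombstoned" in props:  # deletion tombstones the node; no Delete access
        verdict = "record_deleted"
    elif "dnsRecord" in props:
        verdict = "record_modified"
    else:
        verdict = "other_write"
    succeeded = ev.get("Event Type", "Success Audit") != "Failure Audit"
    return DnsAuditHit(verdict, succeeded, record, zone, actor)
```

A Failure Audit with the same body is a denied attempt and comes back with succeeded set to False, so the verdict tells you what was tried and the flag whether it worked.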