DNS Scavenging

Scenario: say you have set up DNS scavenging but want to know in advance which records are going to be deleted, and afterwards which records actually got deleted once the scavenging cycle completes.

Advance Notification – Before Scavenging

## Defining variables
$datafile = "C:\Scripts\DNS_Records_Before_Scavenging\DNS_Records_Before_Scavenging.csv"
$numOfDays = 10 ## This value can differ depending on how scavenging is set up in your environment
$setDate = (Get-Date).AddDays(- $numOfDays)
$dc = "Domain Controller or DNS server name on which scavenging is set up"
$zone = "abc.net"
$recordType = "A"
$smtpServer = "SMTP server name" ## placeholder: Send-MailMessage needs an SMTP server

## Check data file, delete if it already exists.

if (Test-Path -Path $datafile){
    Remove-Item $datafile
}

## Check every DNS record's timestamp and extract the ones that are going to be scavenged.

$Array1 = @()

$records = Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -RRType $recordType
foreach ($record in $records){
    ## Static records have no timestamp and are never scavenged, so skip them.
    if ($null -ne $record.Timestamp -and $record.Timestamp -lt $setDate){
        $MyObj = "" | Select-Object "HostName", "IPAddress", "TimeStamp"
        $MyObj.HostName = $record.HostName
        $MyObj.IPAddress = $record.RecordData.IPv4Address.IPAddressToString
        $MyObj.TimeStamp = $record.Timestamp

        $Array1 += $MyObj
    }
}
$Array1 | Export-Csv $datafile -NoTypeInformation

## Send mail

Send-MailMessage -SmtpServer $smtpServer -From "Scavanging@abc.com" -To "xyz1@abc.com" , "xyz2@abc.com" -Subject "A records which are going to get scavenged" -Body "Attached CSV contains all A records in $zone which are going to get scavenged." -Attachments $datafile
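The script above guesses the cut-off with a hand-typed $numOfDays. As an added example (not part of the original post), the function below derives the cut-off from the zone's own aging settings (NoRefreshInterval + RefreshInterval), which is what the server actually applies, so the preview matches what scavenging will delete. The server and zone names are placeholders; it assumes the DnsServer RSAT module is available.

```powershell
# Added example: list records eligible for scavenging using the zone's aging settings.
function Get-ScavengeCandidate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$RRType = "A"   # IPAddress column below assumes A records
    )

    # A dynamic record becomes eligible only once NoRefreshInterval + RefreshInterval
    # have elapsed since its timestamp; the next scavenging cycle then removes it.
    $aging = Get-DnsServerZoneAging -ComputerName $ComputerName -Name $ZoneName
    if (-not $aging.AgingEnabled) {
        Write-Warning "Aging is not enabled on zone $ZoneName; nothing will be scavenged."
        return @()
    }
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)

    Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $ZoneName -RRType $RRType |
        Where-Object {
            # Static records carry no timestamp and are never scavenged.
            $null -ne $_.Timestamp -and $_.Timestamp -lt $cutoff
        } |
        ForEach-Object {
            [pscustomobject]@{
                HostName  = $_.HostName
                IPAddress = $_.RecordData.IPv4Address.IPAddressToString
                TimeStamp = $_.Timestamp
                AgeDays   = [math]::Round(((Get-Date) - $_.Timestamp).TotalDays, 1)
                Cutoff    = $cutoff
            }
        }
}

# Usage with placeholder names; pipe to Export-Csv to produce the same kind of report.
# Get-ScavengeCandidate -ComputerName "dc01.abc.net" -ZoneName "abc.net" |
#     Export-Csv "C:\Scripts\DNS_Records_Before_Scavenging\Candidates.csv" -NoTypeInformation
```

Records only disappear when a server listed in the zone's ScavengeServers (or any server, if that list is empty) actually runs its scavenging cycle, so the list is "eligible", not "deleted yet".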

Scavenged DNS records

$recordfile = "C:\Scripts\DNS_Scavenged_Data\Scavenged_Records.csv"
$smtpServer = "SMTP server name" ## placeholder: Send-MailMessage needs an SMTP server
if (Test-Path -Path $recordfile){
    Remove-Item $recordfile
}

# After a scavenging cycle, Event ID 2501 is logged and contains the number of records that got deleted.

$2501 = Get-WinEvent -FilterHashtable @{LogName = "DNS Server"; Id = 2501} -MaxEvents 1
$2501Date = $2501.TimeCreated
$2501Message = $2501.Message
[Int]$2501ScavangedRecords = $2501Message.Split("=")[4].Trim(" ").Split(".")[0] ## Used to limit how many 521 events we read (one per scavenged record)

# Every scavenged record is logged as event ID 521 in the DNS audit log.

$MyArray = @()

$521Events = Get-WinEvent -FilterHashtable @{LogName = "Microsoft-Windows-DNSServer/Audit"; Id = 521} -MaxEvents $2501ScavangedRecords
foreach ($521Event in $521Events){
    $MyObj = "" | Select-Object "SystemRecord", "Zone", "Time"

    # Pull the record name and zone out of the event message text.
    $521RecordName = $521Event.Message.Split(",")[1].Split(" ")[2].Trim()
    $521Zone = $521Event.Message.Split(",")[2].Split(" ")[-1].Trim(".")
    $521Time = $521Event.TimeCreated

    $MyObj.SystemRecord = $521RecordName
    $MyObj.Zone = $521Zone
    $MyObj.Time = $521Time

    $MyArray += $MyObj
}

$MyArray | Export-Csv $recordfile -NoTypeInformation

# Email the report.

Send-MailMessage -SmtpServer $smtpServer -From "Scavanging@abc.com" -To "xyz1@abc.com" , "xyz2@abc.com" -Subject "A records which were scavenged in the last scavenging cycle" -Body "Attached CSV contains all A records which were scavenged in the last scavenging cycle." -Attachments $recordfile

These scripts can be run as scheduled tasks: the first shortly before the scavenging process runs, and the second after it has completed.
