How to Track DNS record changes

1. Enable Directory Service Access auditing in your default Domain Policy:

a) Edit the Domain Security Policy
b) Navigate to Local Policies -> Audit Policy
c) Define ‘Audit directory service access’ for success and failure
d) Refresh the policy on all Domain Controllers

2. Enable auditing on the DNS zone:

a) Open ADSIEdit (Start, Run, adsiedit.msc)
b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container.
c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
d) Right-click the zone and choose Properties
e) On the Security tab, click the Advanced button
f) Select the Auditing tab, and click Add
g) Under User or Group, type in Everyone
h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree

3. When a record is deleted from DNS, Event ID 566 will be logged in the Security Event Log
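The three steps above, carried out from PowerShell on a domain controller, as an added example that is not part of the original article. The zone name `corp.example`, the domain DN `DC=corp,DC=example` and the derived zone DN are constructed placeholders; the script assumes an Active Directory-integrated zone stored in the DomainDnsZones partition (the container the article connects to in ADSI Edit) and that it is run with Domain Admin rights, because reading or writing a SACL needs the security privilege.

```powershell
# Added example: the article's manual ADSI Edit / Group Policy steps as a script.
# Run on a domain controller as a Domain Admin. Zone and domain names are
# constructed placeholders; replace them with your own.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Zone     = 'corp.example'                   # assumption: AD-integrated zone in DomainDnsZones
$DomainDN = 'DC=corp,DC=example'             # assumption: distinguished name of your domain
$ZoneDN   = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDN"

# Step 1 check: confirm that 'Audit directory service access' (set in the Domain
# Policy per the article) is effective on this DC after the policy refresh.
auditpol /get /subcategory:"Directory Service Access"

# Step 2: add a SACL entry on the zone object for Everyone, Success and Failure,
# covering Write All Properties, Read All Properties, Delete and Delete Subtree.
# Inheritance is set to 'All' so the dnsNode record objects beneath the zone
# are audited too; that matches applying the entry to the object and its
# descendants in the ADSI Edit dialog.
$acl      = Get-Acl -Path "AD:\$ZoneDN" -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # well-known SID for Everyone
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ReadProperty, Delete, DeleteTree'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights, $flags,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$ZoneDN" -AclObject $acl

# Verify that the audit entry landed on the zone.
(Get-Acl -Path "AD:\$ZoneDN" -Audit).Audit |
    Where-Object { $_.IdentityReference -eq 'Everyone' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize

# Step 3: read back the resulting audit events for this zone. 566 is the ID the
# article names (Windows Server 2003); 4662 is its equivalent on Windows Server
# 2008 and later. The event message carries the DN of the touched record and the
# account that performed the operation.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 566, 4662 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*DC=$Zone,CN=MicrosoftDNS*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Because a change is only logged on the domain controller that processed it, run the final query (or wrap it in `Invoke-Command` against every DC) rather than checking a single server.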

More troubleshooting

The same audit configuration also lets you trace which account was used to update DNS records, and find out the source host. Repeat steps 1 and 2 above for the zone in question. When a record is changed in DNS, an event such as Event ID 566 will be logged in the Security Event Log on the related DC, that is, the domain controller that processed the change.

Good Luck
