Auditing DNS Record Entries (or deletions)

I got an unusual request from a customer today. She is in an environment where everyone is currently a domain admin (not a good thing). Although they are taking my advice and moving to a least-privileged scenario, things are sometimes slow in federations. In any event, she suspects that other administrators are deleting DNS records from the Active Directory zone. My first question is "Why would someone do this?" but politics rule, so I know better than to even ask it.

If you look at the DNS Server and DNS Zones, and even the records themselves, you'll notice that object auditing is turned on for these resources by default. It should follow, therefore, that as long as Object Access auditing is turned on for the DNS server, creations, deletions or other changes would be recorded in the security event log. 

It turns out that enabling Object Access auditing does not cause changes to DNS zone records to be included in the security logs. Instead, you must enable "Audit Directory Service Access" on the machines where DNS is running. Once working, you will see the following events in the Security log for creating a new DNS record:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 8/23/2006
Time: 4:03:05 PM
User: [guilty party]
Computer: [dns server]
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsZone
Object Name: DC=[zone].com,CN=MicrosoftDNS,CN=System,DC=[zone],DC=com
Handle ID: -
Primary User Name: [machine]$
Primary Domain: [domain name]
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: [domain]
Client Logon ID: (0x0,0x706012D)
Accesses: Create Child

Properties:
Create Child
dnsNode

  Additional Info: DC=Testing2,DC=[zone].com,cn=MicrosoftDNS,cn=System,DC=[zone],DC=com
Additional Info2: DC=Testing2,DC=[zone].com,CN=MicrosoftDNS,CN=System,DC=[zone],DC=com
Access Mask: 0x1

And for deleting a record:

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 8/23/2006
Time: 7:28:30 PM
User: [perp]
Computer: [dns server]
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: dnsNode
Object Name: DC=Test,DC=zone.com,CN=MicrosoftDNS,CN=System,DC=zone,DC=com
Handle ID: -
Primary User Name: [computer name]$
Primary Domain: [Domain]
Primary Logon ID: (0x0,0x3E7)
Client User Name: administrator
Client Domain: [domain]
Client Logon ID: (0x0,0x729EE07)
Accesses: Write Property

Properties:
Write Property
Default property set
dnsRecord
dNSTombstoned
dnsNode

  Additional Info:
Additional Info2:
Access Mask: 0x20

As a reminder, setting directory access auditing will create a storm of events in your security log. In most production environments, you can expect thousands of "noise" events for every malicious DNS deletion, so this probably needs to be used sparingly.
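To pull the DNS changes out of that noise, the description text of exported event 566 entries can be filtered on the fields that differ between the two samples above. The following is an added example, not part of the original post: the sample descriptions are constructed and trimmed, the zone example.com and the function name classify are assumptions, and any Write Property that touches dNSTombstoned on a dnsNode is treated as a deletion, following the sample event.

```python
import re

# Constructed event 566 descriptions, trimmed to the fields used in the samples above.
CREATED = """Object Type: dnsZone
Client User Name: administrator
Accesses: Create Child

Properties:
Create Child
dnsNode

  Additional Info: DC=Testing2,DC=example.com,cn=MicrosoftDNS,cn=System,DC=example,DC=com"""
DELETED = """Object Type: dnsNode
Object Name: DC=Test,DC=example.com,CN=MicrosoftDNS,CN=System,DC=example,DC=com
Client User Name: administrator
Accesses: Write Property

Properties:
Write Property
dnsRecord
dNSTombstoned"""
NOISE = """Object Type: user
Client User Name: administrator
Accesses: Write Property

Properties:
Write Property
description"""

FIELD = re.compile(r"^[ \t]*([A-Za-z0-9 ]+?):[ \t]*(.*)$", re.M)

def classify(description):
    """Return a dict for a DNS record create/delete, or None for unrelated events."""
    f = {k: v.strip() for k, v in FIELD.findall(description)}
    tail = description.partition("Properties:")[2]
    props = {l.strip() for l in tail.splitlines() if l.strip() and ":" not in l}
    otype, access = f.get("Object Type"), f.get("Accesses")
    if otype == "dnsZone" and access == "Create Child" and "dnsNode" in props:
        action, dn = "created", f.get("Additional Info", "")  # DN of the new child
    elif otype == "dnsNode" and access == "Write Property" and "dNSTombstoned" in props:
        action, dn = "deleted", f.get("Object Name", "")  # DN of the tombstoned node
    else:
        return None  # everything else is directory-access noise
    rdns = [part.partition("=")[2] for part in dn.split(",")]
    return {"action": action, "record": rdns[0], "zone": rdns[1] if len(rdns) > 1 else "",
            "user": f.get("Client User Name", "")}

if __name__ == "__main__":
    print([classify(s) for s in (CREATED, DELETED, NOISE)])
```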