Auditing a DNS Zone

1. Introduction

One of the main aspects of security is maintenance, and to do that correctly the administrator needs to be able to track the changes made in the environment. There are many challenges in this area, and one of the biggest is logging what needs to be logged without overwhelming the server.

When I was working on the platforms team, I remember receiving a call from a customer who wanted to know who had deleted a record in his DNS zone. My first question was: do you have an audit policy for DNS enabled? His reply was: what is that? After reviewing his environment I saw that auditing was enabled, but not for Active Directory objects (his DNS zone was AD integrated).

This post will walk through the auditing configuration of an AD-integrated DNS zone on Windows Server 2003.

2. Preparing the Environment

There are three steps to prepare the environment:

·         Verify that the audit policy called Audit Directory Service Access is enabled, and check how it is configured.

·         Enable auditing on the DNS zone that you want to audit.

·         Use the Event Viewer to find out which object was modified (in this example, an object deletion).

3. Configuring the Audit Policy

Open the Default Domain Controllers Policy and check whether the Audit directory service access policy, highlighted in the figure below, is configured as shown:

Figure 1 – Configuring the Audit directory service access policy.

In my case I changed it to audit Success and Failure, but the final configuration will depend on your needs. Because the setting lives in the Default Domain Controllers Policy it applies to every domain controller in the domain, which is what you want: an AD-integrated zone can be written on any domain controller that runs the DNS Server service.

Note that enabling this policy by itself produces no events. Directory Service Access auditing only fires for objects that carry an auditing entry (a SACL), which is exactly what the next section adds to the zone, and what was missing in the customer's environment described above.

4. Configuring the DNS Zone

Now that the audit policy is enabled for all domain controllers in the domain, we need to change the DNS zone. To do that, follow the steps below:

1) Open ADSI Edit (Start / Run / ADSIEDIT.msc).

2) Right-click ADSI Edit and click Connect To…

3) In the Connection Settings window, configure it as shown below:

Figure 2 – Connection Settings.

Note: Change the dc= values to reflect your domain name. The zone object lives in the partition that matches its replication scope: DC=DomainDnsZones,DC=<domain> for a zone replicated to all DNS servers in the domain (the case in the event shown in section 5), DC=ForestDnsZones,DC=<forest root> for a forest-wide zone, or CN=System,DC=<domain> for a zone stored in the domain partition for Windows 2000 compatibility.

4) Click OK.

5) Expand the containers until you reach the node shown below:

Figure 3 – Configuring the Zone.

6) Right-click the name of the zone, located under CN=MicrosoftDNS, and click Properties.

7) Click Security and then Advanced.

8) Click Auditing and then Add.

9) Type Everyone and click OK. Add the following types of access:

·         Write All Properties

·         Delete

·         Delete Subtree

10) Click OK on all three windows.

Note: auditing Write All Properties for Everyone on a zone that accepts dynamic updates can also record the record refreshes sent by clients, DHCP servers and the domain controllers themselves, so watch the size of the Security log (or put the auditing entry only on the records you care about) before leaving this on a busy zone.

Now we are ready to log!
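The same auditing entry that steps 1) through 10) create in ADSI Edit can be applied from PowerShell, which is easier to repeat across many zones and to keep under version control. The script below is an added example and is not code from the original post. It assumes a domain controller (or a member server with RSAT) running Windows Server 2008 R2 or later with the ActiveDirectory module, an account that holds the Manage auditing and security log right, and a zone DN that you change to your own zone and partition (the one used here is taken from the event in section 5). It also shows the auditpol command that verifies the policy from section 3 on those newer versions.

```powershell
# Added example, not from the original post. Applies the auditing entry from
# section 4 (Everyone: Write All Properties, Delete, Delete Subtree) to an
# AD-integrated zone from PowerShell instead of ADSI Edit.
# Assumptions: ActiveDirectory module present (Windows Server 2008 R2+ / RSAT),
# the caller holds SeSecurityPrivilege ("Manage auditing and security log"),
# and $zoneDn is changed to your zone. The partition and zone name below are
# the ones from the article's sample event (contoso.msft in DomainDnsZones).
Import-Module ActiveDirectory

$zoneDn = 'DC=contoso.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=msft'

# Everyone is the well-known SID S-1-1-0; using the SID avoids a name lookup.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# The three access types chosen in the ADSI Edit dialog, by their .NET names.
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Delete, DeleteTree'
# Success and Failure, matching the audit policy chosen in section 3.
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
# All = this object and every descendant, so each dnsNode record under the
# zone inherits the entry (the "This object and all descendant objects" scope).
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule `
                   -ArgumentList $everyone, $rights, $flags, $inherit

# Read the zone's security descriptor including its SACL (-Audit), add the
# rule, and write it back. Get-Acl/Set-Acl work through the AD: drive that
# the ActiveDirectory module registers.
$acl = Get-Acl -Path "AD:\$zoneDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Verify: list the audit entries now present on the zone object.
(Get-Acl -Path "AD:\$zoneDn" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType, IsInherited

# The SACL only produces events while the policy from section 3 is in force.
# On Windows Server 2008 and later that policy is an audit subcategory; confirm it with:
#   auditpol /get /subcategory:"Directory Service Access"
# and enable it, if needed, with:
#   auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
```

Run it once per zone you want to watch; because the rule is inherited by every record beneath the zone, new records picked up by dynamic update are covered without any further change.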


 


5. Testing

For testing purposes I deleted the record called work01, and here is what you should see in the Security event log:

Event Type:        Success Audit
Event Source:      Security
Event Category:    Directory Service Access
Event ID:          566
Date:              3/5/2008
Time:              7:33:51 PM
User:              CONTOSO\Administrator
Computer:          DCCONT
Description:
Object Operation:
    Object Server:      DS
    Operation Type:     Object Access
    Object Type:        dnsNode
    Object Name:        DC=work01,DC=contoso.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=msft
    Handle ID:
    Primary User Name:  DCCONT$
    Primary Domain:     CONTOSO
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   Administrator
    Client Domain:      CONTOSO
    Client Logon ID:    (0x0,0x19062D)
    Accesses:           Write Property

    Properties:
    Write Property
        Default property set
            dnsRecord
            dNSTombstoned
    dnsNode

    Additional Info:
    Additional Info2:
    Access Mask:        0x20


 


Note the following fields (from top to bottom):

·         Event Type: Success Audit, so the user was able to perform this operation.

·         Event Category: Directory Service Access, meaning the audited object is a directory service object.

·         User: the account that performed this operation. In the description, Primary User Name is the domain controller's own account (DCCONT$), because the DNS Server service performs the write to Active Directory on the caller's behalf; Client User Name is the administrator who actually issued the deletion, and is the field to look at.

·         Object Name: the full distinguished name of the object, which tells you the record (DC=work01), the zone (DC=contoso.msft) and the partition it lives in.

·         dNSTombstoned: this is probably the only field that is not self-explanatory. When a record is deleted from an AD-integrated zone, the DNS server does not remove the dnsNode object from Active Directory right away; it sets dNSTombstoned to TRUE and rewrites dnsRecord, and the object is cleaned up later. That is why the deletion shows up here as Write Property on dnsRecord and dNSTombstoned rather than as a Delete access, and why a write to dNSTombstoned is the signature to search for when hunting for deleted records in the log. For more information, review the DNS-Tombstoned attribute at MSDN.
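Once the entries exist, the useful part of each event is buried in its description text. The script below is an added example, not part of the original post: it parses the description of a Directory Service Access event (566 on Windows Server 2003; 4662 on Windows Server 2008 and later, which carries the same fields under slightly different labels) and flags the deletion signature discussed above, a Write Property on a dnsNode that touches dNSTombstoned. The sample message is the article's own event pasted in as constructed input so the script runs offline; the commented pipeline at the end runs the same parser over the live Security log. The function names, the assumed 4662 label "Account Name" and the GUID caveat are the author-of-this-example's assumptions, not something the original post states.

```powershell
# Added example, not from the original post: pull DNS record deletions out of
# Directory Service Access audit events by parsing the description text.
# Assumptions: event 566 (Windows Server 2003) or 4662 (Windows Server 2008+)
# with the field layout shown in the article. On 4662 the Properties block may
# list schema GUIDs instead of attribute names; if so, resolve them through
# schemaIDGUID in the schema partition before comparing against 'dNSTombstoned'.

function Get-FieldValue {
    # Returns the text after "<Name>:" on its own line, or '' if the field is absent.
    param([string]$Message, [string]$Name)
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':[ \t]*([^\r\n]*)'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
}

function ConvertFrom-DsAccessEvent {
    # Turns one event description into an object with the fields the article
    # highlights, plus IsRecordDeletion for the dnsNode + dNSTombstoned signature.
    param([string]$Message, [datetime]$Time, [string]$Computer)

    # Attribute names sit one per line between "Properties:" and "Additional Info".
    $props = @()
    $block = [regex]::Match($Message, '(?s)Properties:(.*?)Additional Info')
    if ($block.Success) {
        $props = @($block.Groups[1].Value -split '\r?\n' |
                   ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    $objectType = Get-FieldValue $Message 'Object Type'
    # 566 names the caller "Client User Name"; 4662 puts it under Subject as
    # "Account Name". Primary User Name is the DC's own account (the DNS Server
    # service writing on the caller's behalf), so it is deliberately ignored.
    $actor = Get-FieldValue $Message 'Client User Name'
    if (-not $actor) { $actor = Get-FieldValue $Message 'Account Name' }

    New-Object PSObject -Property @{
        Time             = $Time
        Computer         = $Computer
        ObjectType       = $objectType
        ObjectName       = (Get-FieldValue $Message 'Object Name')
        Actor            = $actor
        Accesses         = (Get-FieldValue $Message 'Accesses')
        Properties       = $props
        # A record removed from an AD-integrated zone is tombstoned, not deleted:
        # a write to dNSTombstoned on a dnsNode is the deletion signature.
        IsRecordDeletion = ($objectType -eq 'dnsNode' -and $props -contains 'dNSTombstoned')
    }
}

# Constructed input: the description of the 566 event from the article.
$sample = @'
Object Operation:
    Object Server:      DS
    Operation Type:     Object Access
    Object Type:        dnsNode
    Object Name:        DC=work01,DC=contoso.msft,CN=MicrosoftDNS,DC=DomainDnsZones,DC=contoso,DC=msft
    Handle ID:
    Primary User Name:  DCCONT$
    Primary Domain:     CONTOSO
    Primary Logon ID:   (0x0,0x3E7)
    Client User Name:   Administrator
    Client Domain:      CONTOSO
    Client Logon ID:    (0x0,0x19062D)
    Accesses:           Write Property

    Properties:
    Write Property
        Default property set
            dnsRecord
            dNSTombstoned
    dnsNode

    Additional Info:
    Additional Info2:
    Access Mask:        0x20
'@

$parsed = ConvertFrom-DsAccessEvent -Message $sample -Time (Get-Date '2008-03-05 19:33:51') -Computer 'DCCONT'
$parsed | Select-Object Time, Computer, Actor, ObjectType, ObjectName, IsRecordDeletion | Format-List

# Live use on a domain controller: the same parser over the Security log, keeping
# only record deletions. Get-EventLog works on Windows Server 2003 with PowerShell
# installed; on 2008+ Get-WinEvent -FilterHashtable @{LogName='Security';Id=4662} is faster.
# Get-EventLog -LogName Security -Newest 5000 |
#     Where-Object { $_.EventID -eq 566 -or $_.EventID -eq 4662 } |
#     ForEach-Object { ConvertFrom-DsAccessEvent $_.Message $_.TimeGenerated $_.MachineName } |
#     Where-Object { $_.IsRecordDeletion } |
#     Select-Object Time, Actor, ObjectName
```

Keying the detection on dNSTombstoned rather than on a Delete access is deliberate: as the sample event shows, a deletion from the DNS console never produces a Delete access on the dnsNode, so a search for Delete events would come back empty while the record had already vanished from the zone.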


 


6. Conclusion

This simple step lets you track changes to your DNS zone and avoid compliance findings when auditors come to review your environment.


Disclaimer:  This article was originally posted in Portuguese on 09/08/2006 at Microsoft Latam Team Blog.


Comments (7)

  1. KomatoZo says:

    I've checked: it works if you change the audit settings in the DNS console =)

  2. Debug logging will not provide details on who changed a zone, only information regarding the fields described in this article http://technet.microsoft.com/en-us/library/cc776361(v=ws.10).aspx

  3. Moy says:

    This is great! But what is the event ID for Windows 2008 / R2?

  4. Jimbo says:

    The event ID in Win2k8 R2 for this is 4662

  5. JB says:

    What's the difference between this and setting up debug logging?

  6. Fernando Silva says:

    Excellent article Yuri! It saved my life today! hehe

  7. Wei Chao says:

    Thanks to this detailed article, I was able to follow it and enable the security event to be logged when adding a new Host resource record to my DNS zone on a DNS server integrated with AD DS. The security event ID I saw is 5136; it showed the DN of the new resource record. But somehow it did not show the IP address. I checked around and there is a hotfix about 5136 missing a value, but after installing the hotfix it did not help. Has anyone run into the same issue? Is 5136 the correct event to monitor for adding/changing resource records in a DNS zone? Thanks for the info and help.