How to Monitor Deletions of DNS Records
Native Auditing vs. Netwrix Auditor for Windows Server
Native Auditing
- Run gpmc.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → go to "Properties" of Audit directory service access → Define → Success.
- Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → in "Properties" of the policies below, define:
  - Maximum security log size: 1 GB
  - Retention method for security log: Overwrite events as needed.
- Open ADSI Edit → Connect to Default naming context → Expand the DomainDNS object with the name of your domain → System → Right click MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete subtree → Click "OK".
- Open DNS Manager → Expand your servername → Forward Lookup Zone → Right click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete Subtree → Click "OK".
- Look for Event ID 4662 with Object Type: dnsNode in your Security event log to track DNS record deletions.
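The last step is easier to repeat on a schedule than to do by hand in Event Viewer, so here is an added PowerShell example (not from the original page and not Netwrix code) that pulls the 4662 events the audit settings above produce, keeps only those on dnsNode objects, and reports who touched which record and with what access. It assumes it runs on, or is pointed at, a domain controller with the ActiveDirectory module available, and that the SACLs from the steps above are in place. Because 4662 may show the object class either as the name dnsNode or as the class's schemaIDGUID, the script resolves the GUID from the schema and matches both forms. One caveat worth knowing: in AD-integrated zones, deleting a record usually tombstones the dnsNode object (a property write) rather than removing it outright, which is why the page audits "Write all properties" alongside "Delete"; the script therefore reports property writes as well as deletes.

```powershell
# Added example, not part of the original page: report DNS record deletions/changes
# from Security event 4662 on dnsNode objects.
# Assumptions: runs against a DC ($ComputerName), ActiveDirectory module present,
# audit policy and SACLs configured as in the steps above.
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # assumption: local machine is a DC
    [int]$Hours = 24                            # look-back window
)

Import-Module ActiveDirectory

# Directory-service access-mask bits matching the SACL entries configured above
$DELETE      = 0x10000   # standard DELETE right
$DELETE_TREE = 0x40      # ADS_RIGHT_DS_DELETE_TREE ("Delete subtree")
$WRITE_PROP  = 0x20      # ADS_RIGHT_DS_WRITE_PROP  ("Write all properties")

# Resolve the schemaIDGUID of the dnsNode class so GUID-form Object Type values match too
$schemaNC     = (Get-ADRootDSE -Server $ComputerName).schemaNamingContext
$dnsNodeClass = Get-ADObject -Server $ComputerName -SearchBase $schemaNC `
                  -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
$dnsNodeGuid  = ([guid]$dnsNodeClass.schemaIDGUID).Guid   # schemaIDGUID is stored as byte[]

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only operations on dnsNode objects (class name or schemaIDGUID form)
    if ($d.ObjectType -notmatch "dnsNode|$dnsNodeGuid") { continue }

    $mask = [int]$d.AccessMask   # logged as a hex string such as 0x10000
    $action = if ($mask -band ($DELETE -bor $DELETE_TREE)) {
        'Delete'
    } elseif ($mask -band $WRITE_PROP) {
        'Write property (deleted records in AD-integrated zones are tombstoned this way)'
    } else {
        'Other access'
    }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Who    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Record = $d.ObjectName          # distinguished name of the dnsNode
        Action = $action
        Mask   = ('0x{0:X}' -f $mask)
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Run it as a user who can read the Security log on the DC; schedule it or feed the objects into Send-MailMessage to approximate the e-mail alerting described in the Netwrix steps. Because the SACL above covers all descendant objects, the output includes changes to any record under the zone, not only deletions, so filter on the Action column when you want deletions alone.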
Netwrix Auditor for Windows Server
- Run Netwrix Auditor → Managed Objects → Windows Server and then click "Run" to gather logs (log gathering is performed automatically on the specified schedule; click "Run" manually here to avoid waiting for the next scheduled data collection). Check the e-mail you receive.
- You can also view the DNS changes by navigating to Netwrix Auditor → Reports → Windows Server → Windows Server Changes → "DNS Resource Records Changes" report → View.
Track deletions of DNS records to avoid service unavailability
Accidental or malicious deletion of DNS records is one important cause of IT service unavailability. For instance, if a DNS record is deleted from a domain controller, users might not be able to log in, and the deletion of SharePoint DNS records can make internal corporate resources unavailable. Ongoing monitoring of DNS record deletions enables IT administrators to quickly spot such incidents so they can remediate changes that might put system configurations and data at risk, and avoid authentication errors, failed access attempts and system downtime.
Netwrix Auditor for Windows Server provides key details on activity in your Windows-based OS, including the deletion of DNS records. It provides detailed information on every change, such as when it occurred, who made it and what exactly was changed, and also notifies IT staff by sending them email alerts on every deletion of DNS records. In addition, the application automatically collects, consolidates and archives all logs, so you can audit events, user logons, remote desktop sessions and much more.