DNS Scavenging

Here is a quick overview of how DNS Scavenging works

Each forward and reverse zone has two aging properties: a no-refresh interval and a refresh interval. Usually you want the two intervals combined to equal the DHCP lease time. During the no-refresh interval a record's timestamp is not updated, even if the client sends a refresh; once the refresh interval starts, a client refresh can update the timestamp again. A record only becomes eligible for scavenging once its timestamp is older than no-refresh plus refresh, so with the defaults (7 days each) a computer would have to go a minimum of 14 days without refreshing before its record could be scavenged.

You then need to enable automatic scavenging of stale records on one DNS server (one domain controller); by default the scavenging period, which is how often that server runs a scavenging pass, is 7 days. (Talking with some of the other people, it seems to make most sense to always enable this on the PDC emulator; you can find which DC holds that role by running netdom query fsmo.)

With the default scavenging period set on that domain controller, a stale record is removed somewhere between 14 and 21 days after its last refresh: 14 days for the two intervals to elapse, plus anything up to 7 days until the next scavenging pass.

Note that static DNS records are not scavenged unless they carry a timestamp; by default they do not (their timestamp is 0), so only dynamically registered records age.

When do hosts try to renew/refresh their DNS records?

  • At startup, so whenever the machine boots.
  • At any DHCP lease renewal.
  • Every 24 hours.

My recommendation

Since most DHCP scopes are left at the default 8-day lease, I would recommend the following:

No-refresh interval: 4 days

Refresh interval: 4 days

Scavenging period on the DC: 1 day

That keeps no-refresh plus refresh equal to the lease, so a record that stops being refreshed is removed 8 to 9 days after its last update, and a client that renews its lease at the usual halfway point (day 4) gets a fresh timestamp exactly when the refresh window opens.

# Set missing aging on all primary zones and restrict scavenging of them to a specific server.
# Note: -ScavengeServers only lists which servers MAY scavenge the zone; that server still needs
# scavenging switched on at the server level (Set-DnsServerScavenging) before anything is removed.
$IPofDNS = '192.168.66.21'
# Skip auto-created zones, the TrustAnchors zone and anything that is not a primary zone
# (aging cannot be set on secondary, stub or forwarder zones).
$Zones = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' -and $_.ZoneType -eq 'Primary' }
$MissingZones = $Zones | Get-DnsServerZoneAging | Where-Object { -not $_.AgingEnabled }
$MissingZones | Set-DnsServerZoneAging -Aging $True -NoRefreshInterval 4.00:00:00 -RefreshInterval 4.00:00:00 -ScavengeServers $IPofDNS -PassThru
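The script above only sets zone-level aging and lists which server may scavenge each zone; nothing is actually removed until scavenging is switched on at the server level. The following is an added example (not from the original post) that enables it on the PDC emulator with the 1-day period recommended above, reads the settings back, and can queue an immediate pass. It assumes the DnsServer and ActiveDirectory RSAT modules, that the PDC emulator also runs DNS, and Domain Admin rights; Enable-PdcScavenging is a name chosen here.

```powershell
# Added example: enable server-level scavenging on the PDC emulator.
# Assumes the DnsServer and ActiveDirectory modules (RSAT) and that the PDC emulator is a DNS server.
Import-Module DnsServer
Import-Module ActiveDirectory

function Enable-PdcScavenging {
    [CmdletBinding()]
    param(
        # How often the scavenging job runs; a stale record is removed on the first run after it ages out.
        [TimeSpan]$ScavengingInterval = (New-TimeSpan -Days 1),
        # Queue a scavenging pass right away instead of waiting for the next scheduled run.
        [switch]$RunNow
    )

    # The PDC emulator is the conventional single scavenging server (netdom query fsmo shows the same thing).
    $pdc = (Get-ADDomain).PDCEmulator

    $before = Get-DnsServerScavenging -ComputerName $pdc
    Write-Verbose ("{0}: scavenging state={1} interval={2} last run={3}" -f $pdc,
        $before.ScavengingState, $before.ScavengingInterval, $before.LastScavengeTime)

    # ScavengingState turns the periodic job on; ScavengingInterval is the "scavenging period" from the text.
    # The No-Refresh/Refresh values on this cmdlet are only server-wide defaults for newly created zones;
    # existing zones keep whatever Set-DnsServerZoneAging gave them.
    $after = Set-DnsServerScavenging -ComputerName $pdc -ScavengingState $true `
        -ScavengingInterval $ScavengingInterval -PassThru

    if ($RunNow) {
        # Still only removes records that are already past no-refresh + refresh.
        Start-DnsServerScavenging -ComputerName $pdc -Force
    }
    $after
}

# Usage: enable with the 1-day period and confirm the state that was written.
$result = Enable-PdcScavenging -Verbose
$result | Select-Object ScavengingState, ScavengingInterval, NoRefreshInterval, RefreshInterval, LastScavengeTime
```

Run it without -RunNow the first time: the scheduled pass a day later gives you a window to review what is about to be deleted.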



# Find A records in one zone that are already eligible for scavenging
# (timestamp older than no-refresh + refresh).
$TotalAgingInterval = 8          # No-refresh period + refresh period, in days
$ServerName = "dc"
$ContainerName = "domain_name"   # zone name as it appears in the MicrosoftDNS WMI namespace

# DNS stores timestamps as whole hours since 1601-01-01 00:00 UTC; 0 means static, never scavenged.
$DnsEpoch = [datetime]::new(1601, 1, 1, 0, 0, 0, [System.DateTimeKind]::Utc)
$MinTimeStamp = [int](New-TimeSpan -Start $DnsEpoch -End (Get-Date).ToUniversalTime().AddDays(-$TotalAgingInterval)).TotalHours
Get-WmiObject -ComputerName $ServerName -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_AType" -Filter "ContainerName='$ContainerName' AND TimeStamp<$MinTimeStamp AND TimeStamp<>0" |
    Select-Object OwnerName, IPAddress, @{ n = "TimeStamp"; e = { $DnsEpoch.AddHours($_.TimeStamp).ToLocalTime() } }
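The WMI query above checks A records in a single zone against a hard-coded 8-day window. The following added example (not from the original post) generalizes it: for every aging-enabled primary zone it derives the cutoff from that zone's own no-refresh and refresh intervals and lists every timestamped record, of any type, that scavenging would remove. Running it before switching scavenging on means a server that has quietly stopped refreshing shows up before its record disappears. It assumes the DnsServer RSAT module; Get-StaleDnsRecord is a name chosen here and 'dc' is a placeholder server name.

```powershell
# Added example: list every record scavenging would delete, per zone, using each zone's own
# aging intervals. Assumes the DnsServer module (RSAT); 'dc' below is a placeholder server name.
Import-Module DnsServer

function Get-StaleDnsRecord {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Reference time; set it in the future to ask "what will be stale by next week?"
        [datetime]$AsOf = (Get-Date)
    )

    $zones = Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' -and $_.ZoneType -eq 'Primary' }

    foreach ($zone in $zones) {
        $aging = Get-DnsServerZoneAging -ComputerName $ComputerName -Name $zone.ZoneName
        if (-not $aging.AgingEnabled) {
            Write-Verbose "$($zone.ZoneName): aging disabled, nothing can be scavenged"
            continue
        }

        # A record is stale once its timestamp is older than no-refresh + refresh; the scavenging
        # period only decides how soon after that the record is actually removed.
        $window = $aging.NoRefreshInterval + $aging.RefreshInterval
        $cutoff = $AsOf - $window

        Get-DnsServerResourceRecord -ComputerName $ComputerName -ZoneName $zone.ZoneName |
            Where-Object {
                $_.Timestamp -and                      # static records have no timestamp, never scavenged
                $_.Timestamp -lt $cutoff -and
                $_.RecordType -notin @('SOA', 'NS')    # zone infrastructure records
            } |
            ForEach-Object {
                $rec = $_   # switch rebinds $_ to the value being tested, so keep the record in a variable
                $data = switch ($rec.RecordType) {
                    'A'     { $rec.RecordData.IPv4Address }
                    'AAAA'  { $rec.RecordData.IPv6Address }
                    'PTR'   { $rec.RecordData.PtrDomainName }
                    'SRV'   { $rec.RecordData.DomainName }
                    default { $null }
                }
                [pscustomobject]@{
                    Zone       = $zone.ZoneName
                    HostName   = $rec.HostName
                    RecordType = $rec.RecordType
                    Data       = $data
                    Timestamp  = $rec.Timestamp
                    StaleSince = $rec.Timestamp.Add($window)   # when it became eligible for removal
                }
            }
    }
}

# Usage: review the list before enabling scavenging; anything you expected to be alive needs attention first.
Get-StaleDnsRecord -ComputerName 'dc' -Verbose | Sort-Object Zone, Timestamp | Format-Table -AutoSize
```

Domain controllers register their own A and SRV records dynamically through Netlogon and refresh them regularly, so they should not appear here; if one does, fix that before enabling scavenging rather than after.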
