DNS forensics can be cumbersome in every respect. Windows Server 2008 has a new feature that gives a quick view of some records but falls short with others.

While reading Michael Kassner’s post DNS: Painful Reminders of How Important It Is, I found myself echoing all of his comments, and I want to follow up with one feature that can help slightly in this area. Many organizations are forced to use a Windows DNS environment for Active Directory-integrated DNS zones. One new feature in Windows Server 2008 that makes troubleshooting forensics much quicker is a timestamp field for each zone. Windows Server 2008’s DNS engine shows a timestamp for objects that are created directly by Active Directory (AD). Figure A below shows a zone with AD objects:

Figure A

The one drawback is that records that are not AD-integrated show a static timestamp, so any user-added record or zone is only listed as static in the timestamp field. The best way to provide an audit trail of entries is still the dnscmd command run as a scheduled task. Yet an export with dnscmd does not record a specific timestamp for an entry’s creation or modification, so determining when a record changed is limited to narrowing it down to the interval between two exported zones. Should you need to go through the fun endeavor of setting up a DNS audit trail, this MSDN blog entry provides a good tour of running dnscmd with some advanced parameters as a regularly scheduled task.
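The snapshot-and-compare approach described above, as an added example that is not part of the original post or the MSDN entry: a PowerShell script meant to run as a scheduled task on the DNS server, exporting a zone with dnscmd /ZoneExport and logging every record line that was added or removed since the previous export, so a change can at least be bounded to the interval between two runs. The zone name, archive directory and log file name are assumed values; dnscmd /ZoneExport takes a file name rather than a path and writes into %SystemRoot%\System32\dns.

```powershell
# Added example (not from the original post): scheduled dnscmd zone export plus diff
# against the previous export, giving an audit trail with a bounded change window.
# Assumes it runs on the DNS server and that dnscmd.exe is on the PATH.
param(
    [string]$ZoneName   = "corp.example.com",   # assumed zone name
    [string]$ArchiveDir = "C:\DnsAudit"         # assumed archive location
)

$dnsDir     = Join-Path $env:SystemRoot "System32\dns"   # dnscmd writes exports here
$stamp      = Get-Date -Format "yyyyMMdd-HHmmss"
$exportName = "$ZoneName-$stamp.txt"
$logFile    = Join-Path $ArchiveDir "changes.log"

if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }

# /ZoneExport accepts a file name only; the file lands in $dnsDir and must not already exist
& dnscmd.exe /ZoneExport $ZoneName $exportName | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneExport failed for $ZoneName (exit $LASTEXITCODE)" }

$current = Join-Path $ArchiveDir $exportName
Move-Item (Join-Path $dnsDir $exportName) $current

# Previous snapshot for this zone: newest archived file other than the one just written
$previous = Get-ChildItem $ArchiveDir -Filter "$ZoneName-*.txt" |
    Where-Object { $_.FullName -ne $current } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if ($previous -eq $null) {
    "$stamp  BASELINE  $ZoneName" | Add-Content $logFile
    exit 0
}

# Compare record lines only; ';' lines are comments (the export header carries its own date)
$old = Get-Content $previous.FullName | Where-Object { $_ -notmatch '^\s*;' -and $_.Trim() -ne '' }
$new = Get-Content $current          | Where-Object { $_ -notmatch '^\s*;' -and $_.Trim() -ne '' }

# '=>' means the line exists only in the new export (added), '<=' only in the old one (removed)
foreach ($d in (Compare-Object -ReferenceObject $old -DifferenceObject $new)) {
    $kind = if ($d.SideIndicator -eq '=>') { 'ADDED  ' } else { 'REMOVED' }
    "$stamp  $kind  $ZoneName  $($d.InputObject)" | Add-Content $logFile
}
```

A modified record shows up as one REMOVED and one ADDED line, and the SOA serial line will change on every run where the zone was touched, which is itself a useful signal.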