How to Monitor Deletions of DNS Records

Native Auditing vs. Netwrix Auditor for Windows Server
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows Server
Native Auditing
Netwrix Auditor for Windows Server
Steps
  1. Run gpmc.msc → Edit "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → go to "Properties" of Audit directory service access → Define → Success.
  2. Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → in "Properties" of below mentioned policies define:
    • Maximum security log size to 1gb
    • Retention method for security log to Overwrite events as needed.
  3. Open ADSI Edit → Connect to Default naming context → Expand DomainDNS object with the name of your domain → System → Right сlick MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete subtree → Click "OK".
  4. Open DNS Manager → Expand your servername → Forward Lookup Zone → Right click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal "Everyone" → Type "Success" → Applies to "This object and all descendant objects" → Permissions → Select the following check boxes: Write all properties, Delete, Delete Subtree → Click "OK".
  5. Look for Event ID 4662 with Object Type: dnsNode in your Security Event log in order to track DNS records deletion.
Microsoft Windows security event 4662: An operation was performed on an object
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Windows Server" section → Go to "Windows Server Changes" → Select "DNS Resource Record Changes" → Click "View".


If you want to get this report by email regularly, simply choose the "Subscribe" option and define the schedule and recipients.

Netwrix Auditor DNS Resource Record Changes Report: shows changes to DNS resource records, including their creation and deletion
Learn more about Netwrix Auditor for Windows Server

Track Deletions of DNS Records to Avoid Service Unavailability

Accidental or malicious deletion of DNS records is one important cause of IT service unavailability. For instance, if a DNS record is deleted from a domain controller, users might not be able to log in, and the deletion of SharePoint DNS records can make internal corporate resources unavailable. Ongoing monitoring of DNS record deletions enables IT administrators to quickly spot such incidents so they can remediate changes that might lead to system downtime, authentication errors and failed access attempts.

Netwrix Auditor for Windows Server provides key details on activity across your Windows servers, including the deletion of DNS records. It provides detailed information on every change, including when it occurred, who made it and what exactly was changed. The application also notifies IT staff by sending them email alerts on every deletion of DNS records. And you can store your complete audit trail securely in the cost-effective two-tiered (file-based + SQL database) AuditArchive for more than 10 years.

Related How-tos
How to Detect Who Installed What Software on Your Windows Server How to Detect Who Created a Scheduled Task on Windows Server How to Detect Modifications to Startup Items in the Windows Registry How to Get Local Group Members Report with or without PowerShell How to Get Server Inventory across Your Network How to List All User Accounts on a Windows System