Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 02. Protocols / DNS

Response

DNS response is cleanup plus abuse-path removal. We remove malicious records, restore WPAD protections, remove DNS plugin DLL configuration, restrict who can write DNS nodes, and review directory changes against DNS containers.

List suspicious records

Get-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local |
  Where-Object {
    $_.HostName -match 'wpad|fileshare|sql|proxy|intranet|backup' -or
    $_.RecordData.IPv4Address -eq '10.10.10.100'
  }

Delete attacker A record

Remove-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local -Name fileshare -RRType A -Force

Delete attacker CNAME record

Remove-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local -Name intranet -RRType CNAME -Force

Delete with dnscmd

dnscmd /recorddelete ootw.local fileshare A 10.10.10.100 /f
dnscmd /recorddelete ootw.local wpad A 10.10.10.100 /f

Verify deletion

dig @10.10.10.200 fileshare.ootw.local A +short
dig @10.10.10.200 wpad.ootw.local A +short
nslookup fileshare.ootw.local 10.10.10.200

Restore WPAD query block list

Set-DnsServerGlobalQueryBlockList -Enable $true -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -List wpad,isatap -ComputerName dc01.ootw.local
Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local

Remove DNS plugin DLL configuration

reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll /f
sc.exe query dns
sc.exe stop dns
sc.exe start dns
sc.exe query dns

Review DnsAdmins membership

Get-ADGroupMember "DnsAdmins"
Remove-ADGroupMember "DnsAdmins" -Members "student" -Confirm:$false

Review ADIDNS object changes

Get-ADObject -SearchBase "DC=DomainDnsZones,DC=ootw,DC=local" -LDAPFilter "(objectClass=dnsNode)" -Properties whenChanged,whenCreated,distinguishedName |
  Sort-Object whenChanged -Descending |
  Select-Object -First 50 whenChanged,whenCreated,distinguishedName

Event hunting

Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -ErrorAction SilentlyContinue |
  Select-Object -First 50 TimeCreated,Id,ProviderName,Message

Get-WinEvent -FilterHashtable @{LogName="Security"; Id=5136} |
  Where-Object {$_.Message -match "DomainDnsZones|ForestDnsZones|dnsNode|dnsRecord"} |
  Select-Object -First 50 TimeCreated,Id,Message

Hardening

Keep secure dynamic updates only.
Restrict who can create DNS records in AD-integrated zones.
Keep WPAD and ISATAP in the global query block list unless there is a documented business exception.
Keep DnsAdmins empty or tightly controlled.
Audit changes under DomainDnsZones and ForestDnsZones.
Disable LLMNR, NBT-NS, mDNS, and WPAD where they are not required.
Require SMB signing, LDAP signing, LDAP channel binding, and EPA on ADCS web enrollment to reduce DNS-to-relay impact.