DNS response is cleanup plus abuse-path removal. We remove malicious records, restore WPAD protections, remove DNS plugin DLL configuration, restrict who can write DNS nodes, and review directory changes against DNS containers.
List suspicious records
Get-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local |
Where-Object {
$_.HostName -match 'wpad|fileshare|sql|proxy|intranet|backup' -or
$_.RecordData.IPv4Address -eq '10.10.10.100'
}
Delete attacker A record
Remove-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local -Name fileshare -RRType A -Force
Delete attacker CNAME record
Remove-DnsServerResourceRecord -ComputerName dc01.ootw.local -ZoneName ootw.local -Name intranet -RRType CNAME -Force
Delete with dnscmd
dnscmd /recorddelete ootw.local fileshare A 10.10.10.100 /f
dnscmd /recorddelete ootw.local wpad A 10.10.10.100 /f
Verify deletion
dig @10.10.10.200 fileshare.ootw.local A +short
dig @10.10.10.200 wpad.ootw.local A +short
nslookup fileshare.ootw.local 10.10.10.200
Restore WPAD query block list
Set-DnsServerGlobalQueryBlockList -Enable $true -ComputerName dc01.ootw.local
Set-DnsServerGlobalQueryBlockList -List wpad,isatap -ComputerName dc01.ootw.local
Get-DnsServerGlobalQueryBlockList -ComputerName dc01.ootw.local
Remove DNS plugin DLL configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll /f
sc.exe query dns
sc.exe stop dns
sc.exe start dns
sc.exe query dns
Review DnsAdmins membership
Get-ADGroupMember "DnsAdmins"
Remove-ADGroupMember "DnsAdmins" -Members "student" -Confirm:$false
Review ADIDNS object changes
Get-ADObject -SearchBase "DC=DomainDnsZones,DC=ootw,DC=local" -LDAPFilter "(objectClass=dnsNode)" -Properties whenChanged,whenCreated,distinguishedName |
Sort-Object whenChanged -Descending |
Select-Object -First 50 whenChanged,whenCreated,distinguishedName
Event hunting
Get-WinEvent -LogName "Microsoft-Windows-DNSServer/Audit" -ErrorAction SilentlyContinue |
Select-Object -First 50 TimeCreated,Id,ProviderName,Message
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=5136} |
Where-Object {$_.Message -match "DomainDnsZones|ForestDnsZones|dnsNode|dnsRecord"} |
Select-Object -First 50 TimeCreated,Id,Message
Hardening
Keep secure dynamic updates only.
Restrict who can create DNS records in AD-integrated zones.
Keep WPAD and ISATAP in the global query block list unless there is a documented business exception.
Keep DnsAdmins empty or tightly controlled.
Audit changes under DomainDnsZones and ForestDnsZones.
Disable LLMNR, NBT-NS, mDNS, and WPAD where they are not required.
Require SMB signing, LDAP signing, LDAP channel binding, and EPA on ADCS web enrollment to reduce DNS-to-relay impact.