How to Monitor who Deleted DNS Records

It is always good idea to have some sort of monitoring on your servers and be able to retrace steps and find out what happened and who has done it. This is is regarding security event 4662 – to make sure that you have log track who deleted DNS record on your server.

Here are the steps to create GPO:

  1. Run gpmc.msc → Edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → go to “Properties” of Audit directory service access → Define → Success.
  2. Computer Configuration → Policies → Windows Settings → Security Settings → Event Log → in “Properties” of below mentioned policies define:
    • Maximum security log size to 1gb
    • Retention method for security log to Overwrite events as needed.
  3. Open ADSI Edit → Connect to Default naming context → Expand DomainDNS object with the name of your domain → System → Right сlick MicrosoftDNS → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the following check boxes: Write all properties, Delete, Delete subtree → Click “OK”.

Here are steps to test it out:

  1. Open DNS Manager → Expand your server name → Forward Lookup Zone → Right click the zone you want to audit → Properties → Security (Tab) → Advanced (Button) → Auditing (Tab) → Add Principal “Everyone” → Type “Success” → Applies to “This object and all descendant objects” → Permissions → Select the following check boxes: Write all properties, Delete, Delete Subtree → Click “OK”.
  2. Look for Event ID 4662 with Object Type: dnsNode in your Security Event log in order to track DNS records deletion.

From this point on you have place to go and you can review the security logs and see if someone deleted your DNS record and you have start point to investigate this event.

🙂