
I was writing a Powershell script for my network when I came across some alarming information in our DNS. Bear in mind we still use Powershell v2, not v3. So I have to query DNS via the Get-WMI command. I wrote a query to get all A records from one of our DNS servers. The exact command I used was:

get-wmiobject -computer OURDNS -Namespace root\MicrosoftDNS -class MicrosoftDNS_AType

This command worked, but it gave me a very alarming root hint:

Caption:
ContainerName: ..RootHints
Description:
DnsServerName: OURDNS.ourdomain.com
DomainName: biz.
InstallDate:
IP Address: 195.22.26.253
Name:
OwnerName: hmksreiuojy.biz
....

I did a whois on that domain. The IP address is correct. It's flagged as a malware site. Based on the raw data above, any client who resolves a .biz domain name will be directed to that site. This is....bad.

Now I need to get rid of this. But I can't find it anywhere on my DNS server. The DNS snap-in doesn't have any reference to this hostname or IP. The server properties page doesn't list this host or IP in Root Hints or Forwarders. It's not in the Conditional Forwarders container. Nor is it in the file c:\windows\system32\dns\cache.dns.

So where is WMI getting this entry? And how do I get rid of it?

Michael Cornn
  • One useful note: I ran this query on our other two DCs (we have 3 DCs, all of which have AD-Integrated DNS zones), and neither of them have this entry. I don't know what to make of that. – Michael Cornn Feb 24 '14 at 19:43

1 Answer

Does it appear in ADSIEdit? It seems like you should be able to remove it from there. Try this: https://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx

Edit: I know the article is not exactly your case, but it does show how to get to the DNS section and gives some background info, etc.

You can access it here: Default Naming Context -> domain -> System -> MicrosoftDNS

Philosophene
  • Thanks for the advice. I couldn't find these root hints anywhere in ADSIEdit. One useful note: I ran this query on our other two DCs (we have 3 DCs, all of which have AD-Integrated DNS zones), and neither of them have this entry. I don't know what to make of that. – Michael Cornn Feb 24 '14 at 19:42
  • Did you run ADSIEdit against the server in question or just against the domain? – Philosophene Feb 24 '14 at 20:25
  • I think what you are seeing is a dump of cached lookups. You might clear your DNS cache using DNS Manager (not ipconfig) and see if you still get the same entries. – Philosophene Feb 24 '14 at 20:32
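The question's WMI query and the comment's suggestion to compare DCs, turned into a small audit script. This is an added example, not code from the question or answer: it pulls only the server-level `..RootHints` and `..Cache` containers from each DNS server, flags root-hint owners outside `root-servers.net`, and lists records that exist on some DCs but not others. The server names are placeholders, and the script sticks to PowerShell v2 syntax as the question requires.

```powershell
# Added example (not from the original post). Audits root hints and cache
# across AD-integrated DNS servers. Replace the placeholder server names.
$dnsServers = @('OURDNS', 'DC2-PLACEHOLDER', 'DC3-PLACEHOLDER')

# Same class as the question, restricted to the two server-level containers
# (cached lookups live in ..Cache, configured root hints in ..RootHints).
$query = "SELECT * FROM MicrosoftDNS_AType " +
         "WHERE ContainerName = '..RootHints' OR ContainerName = '..Cache'"

$records = @()
foreach ($server in $dnsServers) {
    $rows = Get-WmiObject -ComputerName $server -Namespace root\MicrosoftDNS -Query $query
    foreach ($r in $rows) {
        # IPAddress is the WMI property name; the question's dump prints it as "IP Address".
        $records += New-Object PSObject -Property @{
            Server    = $server
            Container = $r.ContainerName
            Owner     = $r.OwnerName
            Address   = $r.IPAddress
        }
    }
}

# 1) Root hints should point at the public root servers (or at your own
#    internal roots, if you deliberately configured them). Anything else
#    in ..RootHints, such as a random .biz host, is worth investigating.
"== Root-hint entries not under root-servers.net =="
$records |
    Where-Object { $_.Container -eq '..RootHints' -and $_.Owner -notmatch '\.root-servers\.net\.?$' } |
    ForEach-Object { "{0,-14} {1,-12} {2,-40} {3}" -f $_.Server, $_.Container, $_.Owner, $_.Address }

# 2) Configured root hints should be identical on every DC, while cache
#    contents naturally differ. Records seen on only some servers show
#    which side of that line an entry falls on.
"== Entries present on only some servers =="
$records |
    Group-Object Container, Owner, Address |
    Where-Object { $_.Count -lt $dnsServers.Count } |
    ForEach-Object {
        $first = $_.Group[0]
        $seenOn = ($_.Group | ForEach-Object { $_.Server }) -join ', '
        "{0,-12} {1,-40} {2,-16} seen on: {3}" -f $first.Container, $first.Owner, $first.Address, $seenOn
    }
```

After clearing the cache from DNS Manager as the comment suggests, rerun the script: a genuine cached lookup disappears from `..Cache`, while an entry that survives in `..RootHints` was not just a cached answer.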