DNS – A Geeks World

Use DHCP Scope info to build DNS Reverse Lookup Zones and configure DNS with Powershell

I had a customer with more than 60 DHCP Scopes but all DNS Reverse Lookup Zones were unfortunately not created, configured and/or consisted of a lot of old invalid static records. And in addition both the Primary and Reverse Zones were containing a lot of old Name Servers.

Here is the scripts I ran to fix the issues. Just remove the -whatif to actually make it do stuff.

In this case, our Name Servers had the name standard ADM-V-ADDS…. so the script will remove all other name servers. Obviously, modify to fit your environment!

# Create Reverse Lookup Zones for all DHCP Scopes 
foreach ($scopeid in Get-DhcpServerv4Scope | where subnetmask -eq "255.255.255.0" | select -ExpandProperty scopeid)
{
    Try {
        Add-DnsServerPrimaryZone -NetworkId "$scopeid/24" -ReplicationScope Domain -ErrorAction Stop
        Write-Output "Reverse zone $scopeid created"
        }
    Catch [Microsoft.Management.Infrastructure.CimException]
        {
        Write-Warning "Reverse zone for $scopeid already exists"
        }
}


# Make all Reverse Lookup Zones configured the same way and remove all Static Records (devices will simply re-register themselves). 
Get-DnsServerZone | where ZoneName -like "*.arpa" | where ZoneName -notlike "127.in-*" | where ZoneName -notlike "0.in-addr.arpa" | where ZoneName -notlike "255.in-addr.arpa" | %  {

    $Name = $_.zonename ; 

    Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf 
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WINS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WinsR" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "Ptr" | ? { $_.Timestamp -eq $null } | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

}


# Set some settings on the normal Zones too plus fix Name Servers. 
Get-DnsServerZone | where ZoneName -notlike "*.arpa" | where ZoneName -notlike "TrustAnchors" | %  {

    $Name = $_.zonename ; 

    Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain  -WhatIf
    Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure  -WhatIf
    Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf
}

# Create Reverse Lookup Zones for all DHCP Scopes

foreach ($scopeid in Get-DhcpServerv4Scope | where subnetmask -eq "255.255.255.0" | select -ExpandProperty scopeid)

{

Try {

Add-DnsServerPrimaryZone -NetworkId "$scopeid/24" -ReplicationScope Domain -ErrorAction Stop

Write-Output "Reverse zone $scopeid created"

}

Catch [Microsoft.Management.Infrastructure.CimException]

{

Write-Warning "Reverse zone for $scopeid already exists"

}

# Make all Reverse Lookup Zones configured the same way and remove all Static Records (devices will simply re-register themselves).

Get-DnsServerZone | where ZoneName -like "*.arpa" | where ZoneName -notlike "127.in-*" | where ZoneName -notlike "0.in-addr.arpa" | where ZoneName -notlike "255.in-addr.arpa" | % {

$Name = $_.zonename ;

Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "NS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WINS" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "WinsR" | ? {$_.RecordData.NameServer -notlike "*adm-v-adds*"} | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

Get-DnsServerResourceRecord -ZoneName $_.zonename -RRType "Ptr" | ? { $_.Timestamp -eq $null } | Remove-DnsServerResourceRecord -ZoneName $name -Force -PassThru -Confirm:$false -WhatIf

}

# Set some settings on the normal Zones too plus fix Name Servers.

Get-DnsServerZone | where ZoneName -notlike "*.arpa" | where ZoneName -notlike "TrustAnchors" | % {

$Name = $_.zonename ;

Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true -NoRefreshInterval "7.00:00:00" -RefreshInterval "7.00:00:00" -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -ReplicationScope Domain -WhatIf

Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf

}

Using Azure DNS for Dynamic DNS with PowerShell

I’ve been using DynDNS and other Free DNS Services for some time, but as they are getting harder and harder to use for free. Like you need to remember to logon and click a button once a month and what not. I figured it was time to migrate to Azure DNS instead. Being able to use PowerShell to handle my DNS together with everything I’ve already automated makes my life so much easier. And as I’ve already got a couple of domains and some Azure subscriptions there was more or less no increased cost for me. As you can see in the picture, Azure DNS Pricing is really cheap.

I’ve used Task Scheduler to scheduled the script below to run at Computer Startup on one of my Hyper-V Hosts at home, and then every hour. That guarantees that if there is a power failure and I get a new IP from my ISP, when the server boots, the external DNS pointers will be updated at once and just to be sure check every hour.

In short, the script checks your External IP and compares that to the IP of the hostname you want updated. If they are not identical, it will logon to Azure and update the hostname with your current IP.
Simple as that.

In my case, I’ve setup a UserName in AzureDNS who has access to just that DNSZone and are using that UserName in the script.

# Author Markus Lassfolk @ TrueSec 
# www.isolation.se   
# with some 'inspiration' from other scripts. 
#
# You need to have AzureRM modules installed to run this script
# https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps
# install-module AzureRM 
#
# Set your ZoneInfo and Azure settings 
$ZoneName = "isolation.se"
$HostName = "home" 

$azurelogin ="username@azureAD.onmicrosoft.com"
$azurepassword = "password"
$azureResourceGroup = "ResourceGroup"


# Don't modify below this
#
Import-Module AzureRM 
Import-Module AzureRM.Dns 

function get-myexternalip() {   
    $urls = "http://whatismyip.akamai.com",  
            "http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",  
            "http://icanhazip.com",  
            "http://www.whatismyip.org/"; 
 
           $RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"; 
           $ip = "Unknown"; 
           Foreach ($address in $urls) { 
               try { 
                    $temp = wget $address; 
                    $www_content = $temp.Content; 
                    if ( $www_content -match $RxIP ) { 
                        $ip = ([regex]($rxip)).match($www_content).Value 
                        break 
                    } 
               } catch { continue } 
           } 
    return $ip 
}
 

# Set the expected IP Address. Obtain this from a DNS query or set it statically.
$EI = [System.Net.Dns]::GetHostAddresses($HostName +"."+ $ZoneName) | Select-Object -ExpandProperty IPAddressToString

# Obtain the IP Address of the Internet connection.
$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net
if ($CheckNetwork.TcpTestSucceeded -eq $True) { 
    $ExternalIP = get-myexternalip
$IP = $ExternalIP


# If the external IP is not the same as for the HostName 
If ($IP -ne $EI) {

    $accountName = $azurelogin
    $password = ConvertTo-SecureString $azurepassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($accountName, $password)

    # Login to Azure
    Login-AzureRmAccount -Credential $credential 
    Select-AzureRmSubscription -SubscriptionObject $(Get-AzureRmSubscription)

    # Set IP for the HostName 
    New-AzureRmDnsRecordSet -Name $HostName -RecordType A -ZoneName $ZoneName -ResourceGroupName $azureResourceGroup -Ttl 600 -DnsRecords (New-AzureRmDnsRecordConfig -IPv4Address "$($IP)") -Overwrite -Confirm:$false

}
Else {
    Write-Output "Dynamic address ($IP) and DNS address ($EI) match."
}

}

# Author Markus Lassfolk @ TrueSec

# www.isolation.se

# with some 'inspiration' from other scripts.

# You need to have AzureRM modules installed to run this script

# https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps

# install-module AzureRM

# Set your ZoneInfo and Azure settings

$ZoneName = "isolation.se"

$HostName = "home"

$azurelogin ="username@azureAD.onmicrosoft.com"

$azurepassword = "password"

$azureResourceGroup = "ResourceGroup"

# Don't modify below this

Import-Module AzureRM

Import-Module AzureRM.Dns

function get-myexternalip() {

$urls = "http://whatismyip.akamai.com",

"http://b10m.swal.org/cgi-bin/whatsmyip.cgi?just-ip",

"http://icanhazip.com",

"http://www.whatismyip.org/";

$RxIP = "(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})";

$ip = "Unknown";

Foreach ($address in $urls) {

try {

$temp = wget $address;

$www_content = $temp.Content;

if ( $www_content -match $RxIP ) {

$ip = ([regex]($rxip)).match($www_content).Value

break

}

} catch { continue }

}

return $ip

}

# Set the expected IP Address. Obtain this from a DNS query or set it statically.

$EI = [System.Net.Dns]::GetHostAddresses($HostName +"."+ $ZoneName) | Select-Object -ExpandProperty IPAddressToString

# Obtain the IP Address of the Internet connection.

$CheckNetwork = Test-NetConnection -CommonTCPPort HTTP freegeoip.net

if ($CheckNetwork.TcpTestSucceeded -eq $True) {

$ExternalIP = get-myexternalip

$IP = $ExternalIP

# If the external IP is not the same as for the HostName

If ($IP -ne $EI) {

$accountName = $azurelogin

$password = ConvertTo-SecureString $azurepassword -AsPlainText -Force

$credential = New-Object System.Management.Automation.PSCredential($accountName, $password)

# Login to Azure

Select-AzureRmSubscription -SubscriptionObject $(Get-AzureRmSubscription)

# Set IP for the HostName

New-AzureRmDnsRecordSet -Name $HostName -RecordType A -ZoneName $ZoneName -ResourceGroupName $azureResourceGroup -Ttl 600 -DnsRecords (New-AzureRmDnsRecordConfig -IPv4Address "$($IP)") -Overwrite -Confirm:$false

}

Else {

Write-Output "Dynamic address ($IP) and DNS address ($EI) match."

}

You obviously need to migrate an existing or register a new DNS Zone to Azure and use Microsoft’s NameServers for this to work.

Reduce DNS Client Cache in Windows Server 2012 R2

I’m often using Remote Desktop Gateways to connect to various environments, including our Private Cloud. One challenge arises when I change IP-address or network settings on a computer through SCVMM. As the RDGW has cached the DNS entry and IP Address, it takes a while until that information is cleared and I’m able to eastablish a connection. Or to be fair, what I usually do is RDP into the RDGW and does a “ipconfig /flushdns” and then reconnect the first server.
It does work, but wouldn’t it be better if that was kind of done automatically. Well, I guess you could schedule a “ipconfig /flushdns” every X minutes and get the desired result.

A better solution is to reduce the DNS Cache timeout on the RDGW server! I’ve modified mine to cache entries for just 10 seconds, and then do a new DNS query. 10 Seconds might be a bit too aggressive though it works fine for me.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters maxcacheTTL — HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
maxcacheTTL

Use this registry key to set the DNS Client Cache timeout;

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters 
Key: MaxCacheTtl
Type: REG_DWORD
Value: 10  (Decimal, in Seconds)
Default: 0x15180 (86,400 seconds = 1 day)

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

Key: MaxCacheTtl

Type: REG_DWORD

Value: 10 (Decimal, in Seconds)

Default: 0x15180 (86,400 seconds = 1 day)

Restart the “DNS Client” service to take effect. (net stop dnscache & net start dnscache).
I’ve only tried this on Windows Server 2012 R2, but I guess it should also work on Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012.

Personally, I’ve set this key through Group Policy Preferences to make sure it’s always done, even if the RDGW Server is reinstalled.

The other two values; MaxCacheEntryTtlLimit and MaxNegativeCacheTtl are leftovers from my testing, it seems those values worked for “Windows 2000” and are not used anymore.