DNS scavenging not working as expected

forefrontsecurity — Wed, 23 Jun 2010 09:12:00 GMT

Hi,

I am not talking about identity and access management today, but I want to share with you a strange issue that I have encountered this week.

The problem

A Windows Server 2003 DNS Server host a non AD-integrated primary DNS zone. An other Windows Server 2008 R2 host a copy of this zone (secondary zone).

We note that there are some very old records in this zone, that should be deleted by the auto scavenging process (that is actually in place).

Every day, there are a 2502 events in the DNS event log, but no 2501.

Product:
Windows Operating System

ID:
2502

Source:
Microsoft-Windows-DNS-Server-Service

Version:
6.1

Symbolic Name:
DNS_EVENT_AGING_SCAVENGING_END_NO_WORK

Message:
The DNS server has completed a scavenging cycle but no nodes were visited. Possible causes of this condition include:
1) No zones are configured for scavenging by this server.
2) A scavenging cycle was performed within the last %1 minutes.
3) An error occurred during scavenging.
The next scavenging cycle is scheduled to run in %2 hours.
The event data will contain the error code if there was an error during the scavenging cycle.

The 2502 event prove that the scavenging process is running, but why aren’t the old records deleted ?

The configuration

First I want to be sure that the auto scavenging process is running and is well configured.

We have two DNS servers, but only one host a read/write copy of the zone (the primary zone). This server is configured to scavenge the stale records every day (at 7am)

The no-refresh interval is set to 3 days, and the refresh interval is set to 4 days. The sum is equal to 7 days, that is the maximum DHCP lease minus 1 day. Great.

Troubleshooting

First, I have to go deep in the aging and scavenging process. Have a look at these articles :

What we have to note, is :

A record can be deleted when the timestamp is older than the no-refresh + refresh interval
When records are deleted, a 2501 event appears in the event log
When no records are deleted, a 2502 event appears in the event log.

When scavenging can start ? (Understanding aging and scavenging)

Dynamic updates are enabled for the zone : OK
A change in the state of the Scavenge stale resource records check box is applied. You can use DNS Manager to modify this setting at either an applicable DNS server or one of its primary zones : OK, all records are ready to be scavenge
The DNS server loads a primary zone that is enabled to use scavenging : OK
This can occur when the server computer is started or when the DNS Server service is started.
When a zone resumes service after having been paused : Never paused
If the zone is AD DS-integrated, replication for the zone must have taken place at least once since the DNS service was restarted or the domain controller was rebooted. When the previous events occur, the DNS server sets the value of start scavenging time by calculating the following sum:
Current server time + Refresh interval = Start scavenging time
This value is used as a basis of comparison during scavenging operations. : Zones are not AD-Integrated

Finally, I find this KB : http://support.microsoft.com/kb/830689. This KB explain :

After you restart the DNS service on your Microsoft Windows Server 2003-based computer, you may not be able to scavenge old Domain Name System (DNS) records. DNS zones are protected from being scavenged for the period of time that is specified on the zone refresh interval when the DNS service is restarted.

I note that in the DNS Event Log, DNS service is restarted every morning (5am). That’s it ! A scheduled task start every day to backup the DNS zone files. Therefore, the zone is always protected, and the scavenging process can never delete stale records.

A look at the zone info with dnscmd show this anomaly :

c:\ODX>dnscmd /zoneinfo mazone.local

Zone query result:

Zone info:
        ptr                   = 0000000000307980
        zone name             = mazone.local
        zone type             = 1
        shutdown              = 0
        paused                = 0
        update                = 1
        DS integrated         = 0
        read only zone        = 0
        data file             = mazone.local.dns
        using WINS            = 0
        using Nbstat          = 0
        aging                 = 1
          refresh interval    = 96
          no refresh          = 72
scavenge available = date with timeformat : last restart date + refresh interval.

        Zone Masters    NULL IP Array.
        Zone Secondaries
        Ptr          = 00000000002FD150
        MaxCount     = 1
        AddrCount    = 1
                Secondary[0] => af=2, salen=16, [sub=0, flag=00000000] p=13568,
addr=xxx.xxx.xxx.xxx

        secure secs           = 2
Command completed successfully.

The resolution

It is not necessary to stop the DNS service to backup the DNS zone files. When the zones are not AD-integrated, a simple export of the zone with dnscmd can be used :

dnscmd myserver /zoneExport mazone.local backup\mazone.local.dns.bak

By the way, zones are not protected from being scavenged.

Published by Olivier DETILLEUX

Forefront Security at myITForum : Windows Server 2008 R2, ID 2501

DNS scavenging not working as expected

The problem

The configuration

Troubleshooting

The resolution