DNS Manager, What are all these entries?

I just took over and opened up DNS Manager and see this:

[DNS Manager screenshot]

What are all the entries from?
Do I need it for some reason?
How do I stop it?
How do I get rid of them?
knightdogs asked:
Will Szymkowski (Senior Solution Architect) commented:
They are under the Forward Lookup Zones. Are these actual internal zones that you use? What are the authoritative DNS servers associated with these zones? Possibly a DNS virus of some sort?


Will.
0
Mike Kline commented:
Those are all DNS zones... First, are you based in India? Do you see these zones on every DNS server? Are your DCs also DNS servers? (most of the time yes)

Thanks

Mike
0
knightdogs (Author) commented:
Will:
No, we don't use them.
"What are the authoritative DNS servers associated with these zones?" Where would I find the answer to this?

Mike:
Based here in US.
I only see this on 1 DNS server, not the others.
Yes, DC/DNS on same server.
0
knightdogs (Author) commented:
If I select one of them this is what I see:

[DNS Manager second screenshot]

Could this be some type of attempt by a previous admin to stop browsing/malware?
0
Will Szymkowski (Senior Solution Architect) commented:
It looks to be some sort of DNS virus, as all of the zones are "Primary Zones". The one you have listed above, HOST, has an IP of 0.0.0.0 (anything) and the SOA is blackholed-domain.local.

Sounds very suspicious to me.

Based on all of the entries (0200, 0300, 0400, etc.) it looks like it propagated itself. If you delete a zone, does it come back automatically?
0
knightdogs (Author) commented:
If I delete it and then refresh it does not come back.
0
Mike Kline commented:
Run a full virus/malware scan on that DC and check your event logs for any suspicious entries.
0
Will Szymkowski (Senior Solution Architect) commented:
If these are foreign objects in DNS, I would check first before deleting them all. Does this server have an anti-virus on it? I would do a full system scan.
0
knightdogs (Author) commented:
Up-to-date AV installed and the last full scan was this morning @ 4 AM.
0
Will Szymkowski (Senior Solution Architect) commented:
These are all Primary Zones. Do you have any other DCs in your environment? Do they have these entries on them as well? A Primary Zone is not replicated to other DCs; they are manually entered, which is why I think it is a virus. Check your other DCs if you have any and see if they have similar records.

I would then delete them if you have no idea what they are.
0
knightdogs (Author) commented:
They are only on this one server and not on the other DNS server, so I will delete them.
Is there a way to group-select to delete instead of one at a time? Or is there a better way than through the main GUI of DNS Manager?
0
Mike Kline commented:
I'd also enable DNS logging, at least for a week or so, in case this happens again. Trying to find the root cause would be easier that way.

Thanks

Mike
0
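The logging Mike suggests above, as an added example that is not part of the thread: it turns on DNS Server debug logging to a file on the affected DC with the DnsServer PowerShell module (Windows Server 2012 and later; on Server 2008 the equivalent is `dnscmd /config /LogLevel`), and then pulls the last week of zone-related events from the DNS Server event log. The server name and log path are placeholders.

```powershell
# Added example, not from the thread: enable DNS Server debug logging so the
# next zone creation leaves a trail, then review recent DNS Server events.
# Assumes the DnsServer module (Server 2012+); server name and path are placeholders.
#Requires -Modules DnsServer

$Server  = 'DC01'                          # placeholder DC/DNS server name
$LogPath = 'C:\DNSLogs\dns-debug.log'      # placeholder; the directory must already exist

# Log queries, answers, dynamic updates and zone load/write events to the file.
# Full packet logging is verbose; keep it to the week or so the thread suggests.
Set-DnsServerDiagnostics -ComputerName $Server `
    -Queries $true -Answers $true -Updates $true -Notifications $true `
    -UdpPackets $true -TcpPackets $true -SendPackets $true -ReceivePackets $true `
    -EnableLoggingForZoneLoadingEvent $true -EnableLoggingForZoneDataWriteEvent $true `
    -EnableLoggingToFile $true -LogFilePath $LogPath -SaveLogsToPersistentStorage $true

# Confirm what is now being logged and where.
Get-DnsServerDiagnostics -ComputerName $Server |
    Select-Object Queries, Answers, Updates, EnableLoggingToFile, LogFilePath

# Mike also suggests checking the event logs: list zone-related DNS Server
# events from the last seven days (zone loads, writes, errors).
Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'DNS Server'
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'zone' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

Turn the packet-level options back off once the observation window is over; the file can grow quickly on a busy DC.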
knightdogs (Author) commented:
Is there any way to mass-delete DNS records?
0
Mike Kline commented:
I'd have to test writing something using dnscmd or PowerShell, but those would also need to know what to delete, so for a one-off like this manual deletion would be just as fast.

Thanks

Mike
0
Will Szymkowski (Senior Solution Architect) commented:
If you delete the zone itself it will delete all of the records inside. In DNS it is probably not recommended to delete these entries via script; simply delete them manually.
0
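The scripted approach Mike and Will discuss above, as an added example that is not code from the thread: it answers "those would need to know what to delete" by selecting only hand-created primary zones whose SOA primary server is `blackholed-domain.local` (the indicator Will pointed out), inventories them across every DNS server so the other DCs are checked too, exports the list for review, and removes the zones (which removes every record inside) only after a `-WhatIf` dry run. It assumes the DnsServer PowerShell module (Windows Server 2012 and later); the server names and report path are placeholders, and the `dnscmd` lines in the comments are the Server 2008 equivalent.

```powershell
# Added example, not from the thread: triage and bulk-remove the suspect primary
# zones. Assumes the DnsServer module; server names and report path are placeholders.
#Requires -Modules DnsServer

$Indicator  = 'blackholed-domain.local'        # SOA primary server seen in the thread
$DnsServers = @('DC01', 'DC02')                # placeholders: every DC/DNS server you run
$ReportPath = Join-Path $env:TEMP 'suspect-zones.csv'

function Get-SuspectZone {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Hand-created primary zones only: auto-created and reverse zones are skipped,
    # and the SOA is the discriminator, so the AD domain zones are never matched.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object {
            $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone
        } |
        ForEach-Object {
            $zone = $_
            $soa = Get-DnsServerResourceRecord -ComputerName $ComputerName `
                       -ZoneName $zone.ZoneName -RRType Soa -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            $primary = if ($soa) { $soa.RecordData.PrimaryServer.TrimEnd('.') } else { '' }
            if ($primary -ieq $Indicator) {
                [pscustomobject]@{
                    Server       = $ComputerName
                    ZoneName     = $zone.ZoneName
                    SoaPrimary   = $primary
                    DsIntegrated = $zone.IsDsIntegrated
                    ZoneFile     = $zone.ZoneFile
                }
            }
        }
}

# 1. Inventory on every DNS server (answers "do the other DCs have them as well?").
$suspects = foreach ($s in $DnsServers) { Get-SuspectZone -ComputerName $s }
$suspects | Export-Csv -Path $ReportPath -NoTypeInformation
$suspects | Group-Object Server | Select-Object Name, Count

# 2. Dry run: show what would be removed without touching anything.
$suspects | ForEach-Object {
    Remove-DnsServerZone -ComputerName $_.Server -Name $_.ZoneName -WhatIf
}

# 3. Real removal, uncommented only after the CSV has been reviewed.
# $suspects | ForEach-Object {
#     Remove-DnsServerZone -ComputerName $_.Server -Name $_.ZoneName -Force
# }

# Server 2008 equivalent with dnscmd (one zone at a time, from an elevated prompt):
#   dnscmd DC01 /EnumZones /Primary
#   dnscmd DC01 /ZoneDelete <zone name> /f
```

Keeping the filter on the SOA value rather than on zone names means a typo in a name list cannot take out a legitimate zone, and the exported CSV doubles as the record of what was removed if the question of root cause comes up later.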
Windows Server 2008