Finding DNS Servers

This past month there was a RUSH to patch every single Windows based DNS server in every organization. Something quickly asked was “Did we get them all?”.

For some organizations, you see the phrase “finding DNS,” and you find it crazy. However, at larger global organizations, it may be a real challenge.

What do you mean find them?

Some companies think this is absolute madness, everyone should know where their DNS servers are. However, I have seen organizations where DHCP and DNS servers were stood up to service a “special use case” and never cleaned up.

If you work at a large organization with multiple locations across the globe, it is far more likely to have scattered DNS servers. Making it challenging to keep everyone involved aware of what servers are responsible for DNS, especially in crisis mode.

So how do we go about finding them? Many organizations said Configuration Manager.

Lets talk about Tiering and ConfigMgr

For many organizations, the answer to finding all of their DNS servers was simple. They just activated CMPivot and used a simple query to find their DNS Servers. The below example and others started circling Twitter immediately:

OptionalFeature | where (Caption == 'DNS Server') | where InstallState == 1

What needs to be discussed is how some organizations don’t have the Configuration Manager agent installed on their DNS servers and for a good reason. First, DNS is considered a Tier0 service even if it’s been moved away from a domain controller. When you control how a device resolves the IP address to name, you can easily own an environment.

https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#logon-restrictions

In a PROPERLY TIERED ENVIRONMENT, ConfigMgr shouldn’t be installed on your Windows DNS servers. This doesn’t mean you should remove ConfigMgr from all your Windows DNS servers. It is rare to encounter an organization with proper tiering and is the only scenario when you use an alternate management layer. This also enters the risk balancing act of adequately managing and patching your servers, v.s. Hardening and securing your core infrastructure.

PowerShell To the Rescue – (ish)

Fortunately, not all hope is lost. We can still find servers with DNS installed using PowerShell either directly or in roundabout ways. There are several different ways to find out if DNS is installed.

First we can look to see if the feature itself is installed.

$(Get-WindowsFeature -Name "DNS" | Where-Object {$_.InstallState -eq "Installed"}).InstallState
Note: If you run the code on a workstation you’ll get the error as depicted above. The code will only run properly on a server OS.

Second we can look to see if the DNS service is installed:

Get-Service -Name DNS

Finally, the question of Scope. How do we determine which servers to run this against? In which case, your best bet is to start with all your domain controllers and then hit every other server in your environment.

The challenge will always be knowing that you have access to all servers from your management layer that potentially COULD have DNS installed. Which brings us to our final point.

Mitigating Risk at Speed

Whenever a critical patch comes out there is always mass panic. Since 2017 there has been at least one patch a year that posed significant risk.

  • WannCry – 2017
  • EternalBlue 2017
  • DoubleKill 2018
  • Bluekeep 2019
  • SIGRed 2020

Learning to mitigate risk at speed starts with removing outdated practices, and ends… well it never really ends. It’s a constant evolution.

To close, we need to address a widespread misconception in IT. The idea we can run a successful, efficient business in a segmented archaic silo structure. This is not fixed in a day or a week. Often this needs to come down as an organizational re-design. Organizations will continue to struggle when mitigating risk at speed when using any structure that does not promote an open and collaborative mindset.

Something I stress during my patching engagements is how there will come a time when you NEED to implement and mitigate risk at speed in a safe, secure manner. The earlier you start to plan out a proper tier model and adequate management of each of those tiers, the better off you will be.


By Jordan Benzing

Jordan Benzing is a consultant for TrueSec and a Microsoft MVP. Jordan has spoken at several user groups including the TrueSec summit in Stockholm and the Midwestern Management Summit in Minneapolis, on subjects such as reporting, patching and that wonderful thing no one likes doing documentation. In the past Jordan has worked in several ConfigMgr environments including being the ConfigMgr team lead for an organization with 170K endpoints. Jordan is known for his "love" of patching, his PowerBI dashboard templates and various other contributions to the ConfigMgr community.

When he’s not working you can usually find him hanging out on the summoners rift in League of Legends. Jordan has been playing since season one and helped out with beta testing the original gameplay.