Clarity on DNS Scavenging

We're in the process of starting up the use of DNS Scavenging, and we're running across some things we don't necessarily understand, so I'd appreciate some clarification on how the process works.

Where we are so far:
1) If we enable DNS scavenging on our primary View, and use a date of 1 year previous, we get approximately 43,000 records marked as Reclaimable. Previously, we reset the Reclaimable flag to guarantee a clean slate. My understanding of the Scavenging process is that Dynamic records are deleted immediately, while STATIC records are placed into a Smart Folder for later action.
2) The resulting Smart Folder only allows a total of 2,000 records, so it is impossible to see the full extent of the records affected.
3) I've written a python script that actually goes out and finds every Reclaimable record, and outputs data on the record to a file. The data includes the Last Queried Date. The records include 22,734 A, 1,791 CNAME, 102 Host, 39 MX, 2,758 PTR, 122 SRV, and 15,268 TXT records. The intent here is to run another script that deletes the records that have been identified. There are ~130,000 records of these types in this View.
4) The Last Queried Date on many of the records is more recent than the date provided for the Scavenging run. In the case of SRV records, there are clearly records which should not be deleted (mainly AD services), yet they are marked as Reclaimable. I'm extremely hesitant to delete any SRV records. I'm also hesitant to reclaim any MX records.
5) What is the criteria for setting the Last Queried Date on a record? In a case where you might have redundant devices running the same service, it seems that a record might not get an updated Last Queried Date. Deleting such a record would delete the intended redundancy.
6) Of the ~43,000 records, approximately 6000 of them are DYNAMIC. Why weren't they deleted automatically?
7) What is the exact criteria used for marking a record Reclaimable?

At this point, I'm extremely reluctant to delete ANY of these records.
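The kind of triage the post is working toward, as an added example that is not part of the original post and is not Infoblox's tooling or the poster's own script. It assumes records have already been pulled over the WAPI as JSON objects carrying `_ref`, `name`, `creator` (STATIC/DYNAMIC/SYSTEM), `reclaimable` and `last_queried` (epoch seconds, absent when never queried), and that a `_ref` begins with the object type such as `record:srv/...`; the sample records are constructed. Rather than producing a deletion batch, it sorts Reclaimable records into delete/review/keep buckets so that the cases raised in points 4 and 6 (queried after the cutoff, AD SRV records, MX records, DYNAMIC records still present) are held back for a human decision:

```python
"""Triage of records Infoblox has flagged Reclaimable, before anything is deleted.

Added illustration, not Infoblox's tooling and not the poster's script. It
assumes records were fetched over the WAPI as JSON objects carrying the fields
'_ref', 'name', 'creator' (STATIC/DYNAMIC/SYSTEM), 'reclaimable' (bool) and
'last_queried' (epoch seconds, absent when the record was never queried),
and that the WAPI '_ref' string starts with the object type, e.g. 'record:a/...'.
All sample records below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" keeps the example deterministic; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Same cutoff the poster used: one year before the scavenging run.
CUTOFF_EPOCH = int((NOW - timedelta(days=365)).timestamp())

# Types the poster is reluctant to reclaim: never auto-delete, always hand-review.
PROTECTED_TYPES = {"record:srv", "record:mx"}
# Labels that mark Active Directory service-location SRV records (assumed list).
AD_SRV_MARKERS = ("_msdcs", "_tcp", "_udp", "_sites", "_ldap", "_kerberos", "_gc")


def days_ago(n):
    """Epoch seconds for n days before NOW (helper for the constructed sample)."""
    return int((NOW - timedelta(days=n)).timestamp())


# Constructed sample in the shape of WAPI record objects (not real zone data).
SAMPLE_RECORDS = [
    {"_ref": "record:a/ZG5zLmJpbmRfYQ:old-static.example.com/default",
     "name": "old-static.example.com", "creator": "STATIC",
     "reclaimable": True, "last_queried": days_ago(400)},
    {"_ref": "record:a/ZG5zLmJpbmRfYQ:busy-static.example.com/default",
     "name": "busy-static.example.com", "creator": "STATIC",
     "reclaimable": True, "last_queried": days_ago(10)},       # newer than cutoff
    {"_ref": "record:a/ZG5zLmJpbmRfYQ:laptop42.example.com/default",
     "name": "laptop42.example.com", "creator": "DYNAMIC",
     "reclaimable": True, "last_queried": days_ago(500)},
    {"_ref": "record:srv/ZG5zLmJpbmRfc3J2:_ldap._tcp.dc._msdcs.corp.example.com/default",
     "name": "_ldap._tcp.dc._msdcs.corp.example.com", "creator": "STATIC",
     "reclaimable": True},                                      # never queried via this view
    {"_ref": "record:mx/ZG5zLmJpbmRfbXg:example.com/default",
     "name": "example.com", "creator": "STATIC",
     "reclaimable": True, "last_queried": days_ago(370)},
    {"_ref": "record:txt/ZG5zLmJpbmRfdHh0:example.com/default",
     "name": "example.com", "creator": "STATIC",
     "reclaimable": False, "last_queried": days_ago(3)},
]


def object_type(rec):
    """WAPI object type from the _ref, e.g. 'record:srv'."""
    return rec["_ref"].split("/", 1)[0]


def classify(rec, cutoff_epoch):
    """Decide what to do with one record: ('delete' | 'review' | 'keep', reason)."""
    rtype = object_type(rec)
    last_queried = rec.get("last_queried")
    if not rec.get("reclaimable"):
        return "keep", "not flagged Reclaimable"
    if last_queried is not None and last_queried > cutoff_epoch:
        # Point 4 in the post: flagged, yet queried after the cutoff date.
        return "keep", "queried after the scavenging cutoff"
    if rtype == "record:srv" and any(m in rec["name"] for m in AD_SRV_MARKERS):
        return "keep", "Active Directory SRV record"
    if rtype in PROTECTED_TYPES:
        return "review", f"{rtype} requires manual confirmation"
    if rec.get("creator") == "DYNAMIC":
        # Point 6: a DYNAMIC record the scavenger should have removed itself.
        return "review", "DYNAMIC record still present after scavenging"
    return "delete", "STATIC, Reclaimable, not queried since cutoff"


def triage(records, cutoff_epoch):
    """Bucket records into delete/review/keep lists of (_ref, reason)."""
    plan = {"delete": [], "review": [], "keep": []}
    for rec in records:
        decision, reason = classify(rec, cutoff_epoch)
        plan[decision].append((rec["_ref"], reason))
    return plan


def count_by_type(records):
    """Per-type totals of Reclaimable records, like the poster's A/CNAME/SRV/TXT tally."""
    counts = {}
    for rec in records:
        if rec.get("reclaimable"):
            counts[object_type(rec)] = counts.get(object_type(rec), 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_type(SAMPLE_RECORDS))
    for bucket, entries in triage(SAMPLE_RECORDS, CUTOFF_EPOCH).items():
        for ref, reason in entries:
            print(f"{bucket:7} {ref:70} {reason}")
```

To get past the Smart Folder's 2,000-row ceiling, the input would be collected by walking each record type's WAPI result set with its paging parameters (`_paging=1`, `_return_as_object=1`, `_max_results`, `_page_id`) and filtering on `reclaimable=true`; the `delete` bucket is still a proposal to check against the Last Queried Date question in point 5 before any second script acts on it.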
