IncidentResponsev2

4.60 Remove Unauthorized DNS Entries (Local, AD, Cloud DNS)

Task

Identify and remove unauthorized or malicious DNS records across local hosts, enterprise DNS (Active Directory Integrated DNS), and Cloud DNS services (AWS Route 53, Azure DNS, Google Cloud DNS).


Conditions

Given access to local systems, enterprise DNS servers, and cloud platform DNS management consoles.


Standards


End State

All unauthorized or malicious DNS records are identified, removed, and documented across local, enterprise, and cloud DNS environments.


Notes


Manual Steps

Step 1: Enumerate DNS Entries - Local Hosts Files

Windows

Get-Content C:\Windows\System32\drivers\etc\hosts

Linux / macOS

cat /etc/hosts

Look for: any non-default entry (anything beyond the localhost/loopback lines), security-vendor, update or telemetry domains pointed at 127.0.0.1 or 0.0.0.0, internal hostnames mapped to addresses outside your allocated ranges, and the same hostname mapped to conflicting addresses.

Operator Note: Hosts file tampering is a known attacker tactic (it overrides DNS silently on that host) → flag suspicious entries and capture the file before changing it.
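Triage of a hosts file along the lines described in Step 1, as an added example that is not part of the original playbook. The sample hosts content is constructed, and the watch-list domains, internal suffix and allocated address ranges are assumptions to replace with your own lists:

```python
import ipaddress

# Assumptions for this example (replace with your own lists):
# domains that should never be overridden locally; attackers sinkhole
# update and security-vendor traffic by mapping them to loopback/0.0.0.0
WATCHLIST_DOMAINS = ("microsoft.com", "windowsupdate.com", "crowdstrike.com", "sophos.com")
# your internal DNS suffixes and the ranges they are allowed to map to
INTERNAL_DOMAINS = ("corp.local",)
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("172.16.0.0/12"),
                   ipaddress.ip_network("192.168.0.0/16")]
# loopback names that ship in every default hosts file
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
                 "ip6-loopback", "broadcasthost"}

# Constructed sample (not captured from a real host)
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.20.30.40     fileserver.corp.local
0.0.0.0         crowdstrike.com
127.0.0.1       update.microsoft.com
203.0.113.9     intranet.corp.local
10.0.0.5        intranet.corp.local
"""


def _under(name, domains):
    """True if name equals one of domains or is a subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in domains)


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            entries.append((fields[0], name.lower().rstrip("."), line_no))
    return entries


def triage_hosts(text):
    """Return (line_no, hostname, ip, reason) for entries that need an owner or removal."""
    findings = []
    first_seen = {}
    for ip, name, line_no in parse_hosts(text):
        if name in DEFAULT_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "malformed address"))
            continue
        if _under(name, WATCHLIST_DOMAINS):
            findings.append((line_no, name, ip, "security/update domain overridden locally"))
        elif _under(name, INTERNAL_DOMAINS) and not any(addr in net for net in INTERNAL_RANGES):
            findings.append((line_no, name, ip, "internal name mapped outside allocated ranges"))
        # a hostname mapped twice to different addresses: the first line wins at
        # resolution time, so a second mapping is either dead or a planted override
        prev = first_seen.setdefault(name, ip)
        if prev != ip:
            findings.append((line_no, name, ip, f"conflicts with earlier mapping to {prev}"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in triage_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip} {name}  <- {reason}")
```

On a real host, pass the file content in (`triage_hosts(open(path).read())`, or on Windows the output of `Get-Content` redirected to a file) and review every finding before editing; a finding is a lead, not proof, and an entry can be a legitimate local override that simply lacks documentation.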


Step 2: Enumerate Enterprise DNS Entries (AD Integrated DNS)

Active Directory DNS (Windows Server)

Get-DnsServerResourceRecord -ZoneName "corp.local"

Look for: A/AAAA records with no matching AD computer account or DHCP lease, records pointing at addresses outside your allocated ranges, static records where dynamic registration is expected (check the Timestamp property), wildcard (*) records, and unexpected NS, CNAME or SRV records.

Operator Note: Cross-reference with DHCP leases and AD computer accounts; a name that exists in DNS but nowhere else in the directory needs an owner or removal.


Step 3: Enumerate Cloud DNS Entries

AWS → Route 53

aws route53 list-hosted-zones
aws route53 list-resource-record-sets --hosted-zone-id ZONEID

Look for: records with no owner or change ticket, A/AAAA records pointing at addresses not allocated to the account, and CNAME or alias records whose target (S3 website endpoint, load balancer, Elastic Beanstalk or CloudFront hostname) no longer exists.

Azure → Azure DNS

Get-AzDnsZone
Get-AzDnsRecordSet -ZoneName "example.com" -ResourceGroupName "DNS-RG"

Look for: record sets with no owner or change ticket, A records pointing outside the subscription's address space, and CNAMEs to App Service, Storage, Traffic Manager or Front Door hostnames that are no longer deployed.

GCP → Google Cloud DNS

gcloud dns managed-zones list
gcloud dns record-sets list --zone="zone-name"

Look for: record sets with no owner or change ticket, A records pointing outside the project's address space, and CNAMEs to Cloud Storage, App Engine or load-balancer hostnames that no longer exist.

Operator Note: Orphaned cloud DNS records may point to deleted services → subdomain takeover risk.


Step 4: Validate DNS Record Authorization

Operator Note: Validate owner and use-case → for each record confirm a named owner, a change record, and a live resource behind it. Records with none of these are candidates for removal; records with an owner but no live target should be removed or repointed, since a dangling name is a subdomain takeover risk even when the record itself was legitimately created.


Step 5: Remove Unauthorized DNS Records

Hosts File

# Windows (PowerShell) - back up the file, then strip only the offending line (never delete the whole file)
$hosts = "C:\Windows\System32\drivers\etc\hosts"
Copy-Item $hosts "$hosts.bak"
(Get-Content $hosts) | Where-Object { $_ -notmatch "badhost" } | Set-Content $hosts
# Or edit the file manually and remove the entry

# Linux / macOS
sudo cp /etc/hosts /etc/hosts.bak
sudo nano /etc/hosts
# Remove the unauthorized line

Active Directory DNS

Remove-DnsServerResourceRecord -ZoneName "corp.local" -RRType "A" -Name "badhost" -Force

AWS Route 53

aws route53 change-resource-record-sets --hosted-zone-id ZONEID --change-batch file://change-batch.json

Example change-batch.json for deletion (Name, Type, TTL and values must match the existing record exactly, or Route 53 rejects the DELETE)

{
  "Comment": "Delete unauthorized record",
  "Changes": [
    {
      "Action": "DELETE",
      "ResourceRecordSet": {
        "Name": "badhost.example.com.",
        "Type": "A",
        "TTL": 300,
        "ResourceRecords": [
          {
            "Value": "192.0.2.44"
          }
        ]
      }
    }
  ]
}

Azure DNS

Remove-AzDnsRecordSet -Name "badhost" -ZoneName "example.com" -ResourceGroupName "DNS-RG" -RecordType A

Google Cloud DNS

gcloud dns record-sets delete "badhost.example.com." --zone="zone-name" --type="A"

Operator Note: When deleting cloud records, validate no active dependencies → removing legitimate records may impact production services.
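The cloud part of Steps 3 to 5 worked end to end for Route 53, as an added example that is not part of the original playbook: validate the records from `aws route53 list-resource-record-sets` against an inventory, flag unknown and dangling records, and build the DELETE change batch from the live records so that it matches them exactly. The JSON is constructed in the shape of the CLI output, and the authorized inventory, the set of live resource hostnames and all names and IDs are assumptions standing in for your CMDB and cloud account:

```python
import json

# Constructed sample in the shape of `aws route53 list-resource-record-sets` output;
# names, addresses and the alias hosted zone ID are placeholders, not real resources.
SAMPLE_LIST_OUTPUT = """
{
  "ResourceRecordSets": [
    {"Name": "example.com.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org."}]},
    {"Name": "example.com.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-1.awsdns-00.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "www.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
    {"Name": "badhost.example.com.", "Type": "A", "TTL": 300,
     "ResourceRecords": [{"Value": "192.0.2.44"}]},
    {"Name": "old-app.example.com.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "old-app-env.eu-west-1.elasticbeanstalk.com."}]},
    {"Name": "api.example.com.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZALIASEXAMPLE",
                     "DNSName": "alb-prod.eu-west-1.elb.amazonaws.com.",
                     "EvaluateTargetHealth": false}}
  ]
}
"""

# Assumption: authorized inventory (owner per name/type) exported from your CMDB
AUTHORIZED = {
    ("www.example.com.", "A"): "web-team",
    ("api.example.com.", "A"): "platform-team",
    ("old-app.example.com.", "CNAME"): "legacy-apps",
}
# Assumption: hostnames of resources that currently exist in the cloud account
LIVE_TARGETS = {"alb-prod.eu-west-1.elb.amazonaws.com."}


def target_of(record):
    """Return the hostname a CNAME or alias record points at, else None."""
    if "AliasTarget" in record:
        return record["AliasTarget"]["DNSName"].lower()
    if record["Type"] == "CNAME":
        return record["ResourceRecords"][0]["Value"].lower()
    return None


def flag_records(records, authorized, live_targets, zone="example.com."):
    """Return (record, reason) for records that fail the Step 4 validation."""
    flagged = []
    for rec in records:
        if rec["Name"] == zone and rec["Type"] in ("NS", "SOA"):
            continue  # created with the zone; verify against the registrar separately
        if (rec["Name"], rec["Type"]) not in authorized:
            flagged.append((rec, "no owner in inventory"))
            continue
        target = target_of(rec)
        if target and target not in live_targets:
            flagged.append((rec, f"points at unprovisioned target {target} (subdomain takeover risk)"))
    return flagged


def build_change_batch(records, comment="Delete unauthorized record"):
    """Build a change batch whose DELETE entries mirror the live records.
    Route 53 rejects a DELETE unless Name, Type and TTL/values (or AliasTarget,
    and SetIdentifier for routing-policy records) match the existing record."""
    changes = []
    for rec in records:
        rrset = {"Name": rec["Name"], "Type": rec["Type"]}
        if "SetIdentifier" in rec:
            rrset["SetIdentifier"] = rec["SetIdentifier"]
        if "AliasTarget" in rec:
            rrset["AliasTarget"] = rec["AliasTarget"]
        else:
            rrset["TTL"] = rec["TTL"]
            rrset["ResourceRecords"] = rec["ResourceRecords"]
        changes.append({"Action": "DELETE", "ResourceRecordSet": rrset})
    return {"Comment": comment, "Changes": changes}


if __name__ == "__main__":
    records = json.loads(SAMPLE_LIST_OUTPUT)["ResourceRecordSets"]
    flagged = flag_records(records, AUTHORIZED, LIVE_TARGETS)
    for rec, reason in flagged:
        print(f"{rec['Name']} {rec['Type']}: {reason}")
    # save this output as change-batch.json for aws route53 change-resource-record-sets
    print(json.dumps(build_change_batch([r for r, _ in flagged]), indent=2))
```

Building the change batch from the listed records rather than by hand avoids the most common failure of this step (a DELETE rejected because a TTL or value was retyped slightly differently) and keeps the pre-removal state in the same JSON you file as evidence. Review the flagged list with the record owners before running the change; the same two checks (owner in inventory, target still provisioned) apply unchanged to Azure DNS and Cloud DNS exports.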


Step 6: Validate Removal and Document

Re-run the enumeration commands from Steps 1-3 and query each removed name with nslookup or dig, both against the authoritative server and from an affected client; once caches expire after the old TTL, a removed record should return NXDOMAIN (or the legitimate answer if it was repointed). Record the zone, name, type, value, who authorized the removal, and the date in the incident ticket, and retain the pre-removal exports and hosts file backups as evidence.


Dependencies


Other Available Tools

Tool                      Platform         Installation      Usage
nslookup / dig            Cross-platform   Native            DNS query and validation
Windows DNS Manager       Windows          Built-in          AD DNS zone management
AWS CLI                   Cross-platform   Package manager   Route 53 management
Azure CLI / PowerShell    Cross-platform   Package manager   Azure DNS management
GCloud CLI                Cross-platform   Package manager   Google Cloud DNS management

Operator Recommendations and Additional Tools

Operator Checklist

Best Practices


References


Revision History

Date         Version   Description                                                                                        Author
2025-05-02   1.0       Created from scratch with operator-focused DNS record validation and removal process (Local, AD, Cloud)   Leo