Configuring DNS Scavenging
In trawling through one of our reverse DNS zones I noticed several duplicate RR entries for DHCP IP addresses, most of which had a time stamp that was several weeks old. In our environment we use DHCP DNS Dynamic Updates for client registration.
At the same time we noticed that McAfee EPO was reporting strange client names, and UNIX systems that perform a reverse DNS lookup for SSH connections would report the incorrect FQDN for the remote host.
To resolve all of the above symptoms we needed to implement DNS Scavenging. The internal DNS infrastructure runs from AD-Integrated zones on Windows 2003 R2 x64 Domain Controllers.
DNS Scavenging Terminology
* No-Refresh Interval; the period after a record's timestamp is set during which dynamic updates may not refresh that timestamp.
* Refresh Interval; the period that follows, during which a dynamic update may refresh the timestamp; a record that is not refreshed by the end of it can be deleted.
The *total sum* of these two intervals should equal the DHCP scope lease time, as illustrated below:
For example, on an environment with a DHCP lease time of 3 days:
* No-Refresh Interval: 1 Day
* Refresh Interval: 2 Days
For a default DHCP environment with a lease time of 8 days:
* No-Refresh Interval: 3 Days
* Refresh Interval: 5 Days
Implementation of DNS Scavenging
Scavenging must be enabled at the server level and zone level.
Scavenging should only be enabled on a single DNS server within your environment; this makes troubleshooting much simpler in the event of scavenging failing – it also makes configuration far simpler.
On the server I have configured the following settings:
On the zone the following settings are required – zone level settings override server level settings:
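The same server-level and zone-level settings expressed as an added PowerShell example (not the post's own configuration): it takes the lease from the DHCP scope, checks that the two intervals add up to it, applies them on a single DNS server, and lists the dynamic PTR records that would currently be eligible for scavenging. It assumes the DnsServer and DhcpServer PowerShell modules (Windows Server 2012 or later, so not the 2003 R2 servers described above, which used dnscmd), and the server names, zone, scope and IP address are placeholders.

```powershell
# Added example, not part of the original post. Requires the DnsServer and
# DhcpServer modules (Windows Server 2012+). All names below are placeholders.
$DnsServer  = 'dns01.example.internal'   # the ONE server that will scavenge
$DnsIP      = '10.0.0.53'                # its address, for ScavengeServers
$DhcpServer = 'dhcp01.example.internal'
$ZoneName   = '10.in-addr.arpa'          # reverse zone holding the stale PTRs
$ScopeId    = '10.0.0.0'

# Lease time of the scope this zone serves; No-Refresh + Refresh must equal it.
$lease     = (Get-DhcpServerv4Scope -ComputerName $DhcpServer -ScopeId $ScopeId).LeaseDuration
$noRefresh = New-TimeSpan -Days 3        # e.g. 3 days for the default 8-day lease
$refresh   = $lease - $noRefresh         # remainder of the lease, e.g. 5 days
if ($refresh -le [TimeSpan]::Zero) {
    throw "No-Refresh interval ($($noRefresh.TotalDays) days) exceeds the $($lease.TotalDays)-day lease"
}

# Server level: enable scavenging, set the default intervals and run the
# scavenger once a day. Zones are configured individually below.
Set-DnsServerScavenging -ComputerName $DnsServer -ScavengingState $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh `
    -ScavengingInterval (New-TimeSpan -Days 1)

# Zone level: these override the server defaults. ScavengeServers pins the
# zone to the single scavenging server, as recommended in the post.
Set-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName -Aging $true `
    -NoRefreshInterval $noRefresh -RefreshInterval $refresh `
    -ScavengeServers $DnsIP

# Verify what the zone actually has (zone settings win over server settings).
Get-DnsServerZoneAging -ComputerName $DnsServer -Name $ZoneName |
    Format-List ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# Preview: dynamic PTRs whose timestamp is older than No-Refresh + Refresh are
# what the scavenger will delete. Static records have no timestamp and are
# never touched, which is why $_.Timestamp is tested first.
$cutoff = (Get-Date) - ($noRefresh + $refresh)
Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -RRType Ptr |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'PtrDomainName'; e = { $_.RecordData.PtrDomainName } }
```

Review the preview list before the first scavenging run; a large number of recently renewed hosts appearing in it usually means the zone's intervals do not match the lease of the scope that registers them.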