
I am the Microsoft DNS admin at my company. The Linux admin is using nsupdate to add multiple DNS A and PTR records to Microsoft DNS for his servers. The records come in with a timestamp, and DNS scavenging removes them after our configured timeframe. How can he run the command to add only static entries?

Kevin
  • I researched this earlier this year and was simply unable to accomplish the task. Nsupdate, according to man nsupdate(1), is a "Dynamic DNS update utility." I came up with some Powershell to convert a given dynamic record to static, which I can share if you're interested. – bgStack15 Aug 23 '19 at 00:00

1 Answer


Here is our solution that we use on a Management Webserver (not exactly the solution you requested, but we decided that this would be the only working solution in our case).

Steps to reproduce:

  1. Configure WinRM on one Windows host (we used our DHCP server for that) https://support.microsoft.com/en-us/help/2019527/how-to-configure-winrm-for-https
  2. Install python and pywinrm on your host, or a centralized host. We host our entire Internal host and IP Management on a Webserver that takes over this role.
  3. Acquire a username and password or a Kerberos keytab file from a user account which has the rights to manipulate DNS entries
  4. The Windows host computer account, which acts as a WinRM endpoint, needs to have Kerberos delegation enabled in order to forward the credentials to the target DNS server
  5. Have Windows RSAT installed to have dnscmd.exe available on the WinRM host.
  6. I had to change a single line in the transport.py file provided by pywinrm in order to make Kerberos work with the script provided below. (Unfortunately I can't seem to find the line anymore... sorry) (You can skip this if you want to authenticate via username and password. Kerberos delegation is still needed if you have to authenticate to the DNS server. You can only skip this if you open up WinRM on the DNS server (NOT RECOMMENDED!))
  7. Execute the script as follows: kinit -f -t /path/to/krb5.keytab -k username@DOMAIN ; LANG="C.UTF-8" ; /the/script/provided/below.py -m mywinrmhost.example.org -c "dnscmd.exe dns dns server.example.org /recordadd example.org entire.example.org /CreatePTR newentrie 10.20.30.40"
#!/usr/bin/python3

# https://support.microsoft.com/en-us/help/2019527/how-to-configure-winrm-for-https

import argparse
import getpass
import sys

import winrm

__author__ = 'Daywalker (at least partially)'

parser = argparse.ArgumentParser(description='This is a basic winRM script')
parser.add_argument('-a', '--auth', help='Authentication type (plaintext|kerberos)', default='kerberos')
parser.add_argument('-m', '--host', help='Hostname or IP address of the target Windows machine')
parser.add_argument('-u', '--user', help='Username for authentication')
parser.add_argument('-p', '--password', help='Password for the given username')
parser.add_argument('-c', '--command', help='Command to execute')

args = parser.parse_args()

# Fall back to a fixed WinRM host when none is given on the command line.
hostname = args.host or "mytargetwinrmhost.example.org"
user = args.user
pw = args.password
command = args.command
auth = args.auth

# With Kerberos the ticket obtained by kinit is used, so no username/password is
# needed; for any other transport a username and password are required.
if auth != 'kerberos':
    if not user:
        user = input("Enter a username for the WinRM connection to " + hostname + ": ")

    if not pw:
        print("Enter password for " + user)
        pw = getpass.getpass()

    if not user:
        print("Username missing")
        sys.exit(1)

    if not pw:
        print("Empty passwords not allowed")
        sys.exit(1)

if not command:
    command = input("Please enter the command to execute: ")

# transport='plaintext' sends the credentials unprotected; only use it over HTTPS.
# s = winrm.Session(hostname, auth=(user, pw), transport='plaintext')
s = winrm.Session(hostname, auth=(user, pw), transport=auth)

# run_cmd executes a native cmd.exe command (here dnscmd.exe) on the WinRM host.
r = s.run_cmd(command)
# cmd.exe output arrives in the OEM code page (437), not UTF-8.
print(r.std_out.decode('437'))
print(r.std_err.decode('437'))
# Propagate the remote command's exit status to the caller.
sys.exit(r.status_code)
Daywalker
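Two helpers that go with the workaround above, added here as an example and not part of the answer, of pywinrm or of dnscmd: the first composes the dnscmd /RecordAdd line from validated inputs and deliberately leaves out /Aging, which is what makes the record static instead of timestamped; the second reads dnscmd /EnumRecords output and reports which A records still carry an aging timestamp. The /EnumRecords line layout and the sample output are assumptions constructed for the example.

```python
import ipaddress
import re

LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')
# Assumed /EnumRecords line layout: "<node> [Aging:NNN] <ttl> <type> <data>";
# the [Aging:...] marker only appears on dynamic (timestamped) records.
RECORD_RE = re.compile(r'^(\S+)?\s*(\[Aging:\d+\])?\s*\d+\s+(\S+)\s+(\S+)')

def _check_name(name):
    labels = name.rstrip('.').split('.')
    if not all(LABEL_RE.match(label) for label in labels):
        raise ValueError('invalid DNS name: %r' % name)

def build_recordadd(dns_server, zone, node, ip, create_ptr=True):
    """Compose the dnscmd.exe command line the WinRM script will run.

    Inputs are validated because the script hands the string to cmd.exe
    unchanged. /Aging is omitted on purpose: without it dnscmd creates a
    static record that scavenging leaves alone.
    """
    _check_name(dns_server)
    _check_name(zone)
    if not LABEL_RE.match(node):
        raise ValueError('invalid node label: %r' % node)
    addr = ipaddress.IPv4Address(ip)  # rejects anything but a plain IPv4 address
    parts = ['dnscmd.exe', dns_server, '/RecordAdd', zone, node]
    if create_ptr:
        parts.append('/CreatePTR')
    parts += ['A', str(addr)]
    return ' '.join(parts)

def classify_records(enum_output):
    """Map each A record node name to 'static' or 'dynamic' from /EnumRecords output."""
    result, node = {}, None
    for line in enum_output.splitlines():
        m = RECORD_RE.match(line)
        if not m or m.group(3) != 'A':
            continue
        node = m.group(1) or node  # continuation lines omit the node name
        result[node] = 'dynamic' if m.group(2) else 'static'
    return result

# Constructed sample output, not captured from a real server.
SAMPLE_ENUM = """Returned records:
@ 3600 A\t10.20.30.1
web01 [Aging:3604987] 1200 A\t10.20.30.40
web02 3600 A\t10.20.30.41

Command completed successfully.
"""
```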