I was writing a PowerShell script for my network when I came across some alarming information in our DNS. Bear in mind we still use PowerShell v2, not v3. So I have to query DNS via the Get-WMI command. I wrote a query to get all A records from one of our DNS servers. The exact command I used was:
get-wmiobject -computer OURDNS -Namespace root\MicrosoftDNS -class MicrosoftDNS_AType
This command worked, but it gave me a very alarming root hint:
Caption:
ContainerName: ..RootHints
Description:
DnsServerName: OURDNS.ourdomain.com
DomainName: biz.
InstallDate:
IP Address: 195.22.26.253
Name:
OwnerName: hmksreiuojy.biz
....
I did a whois on that domain. The IP address is correct. It's flagged as a malware site. Based on the raw data above, any client who resolves a .biz domain name will be directed to that site. This is....bad.
Now I need to get rid of this. But I can't find it anywhere on my DNS server. The DNS snap-in doesn't have any reference to this hostname or IP. The server properties page doesn't list this host or IP in Root Hints or Forwarders. It's not in the Conditional Forwarders container. Nor is it in the file c:\windows\system32\dns\cache.dns.
So where is WMI getting this entry? And how do I get rid of it?
Does it appear in ADSIEdit? It seems like you should be able to remove it from there. Try this: https://msmvps.com/blogs/acefekay/archive/2009/09/02/using-adsi-edit-to-resolve-conflicting-or-duplicate-ad-integrated-dns-zones.aspx
Edit: I know the article is not exactly your case, but it does show how to get to the DNS section and gives some background info, etc.
You can access it here: Default Naming Context -> domain -> System -> MicrosoftDNS
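Added example, not code from the question or the answer above: a PowerShell v2 compatible audit of the ..RootHints container through the same WMI namespace the question queries, followed by a look at the matching objects in AD at the location the answer points to. It assumes the DNS server name OURDNS from the question is a placeholder, that legitimate root hints are the IANA *.root-servers.net hosts, that the caller has DNS admin rights, and that an AD-integrated root hints zone is stored as CN=RootDNSServers under CN=MicrosoftDNS,CN=System (that container name and the Test-RootHints function and -Remove switch are assumptions made for this example).

```powershell
# Audit the ..RootHints pseudo-zone on a Windows DNS server via WMI and flag any
# NS or glue A record that does not point at an IANA root server.
# Assumptions (this is example code, not from the original post): OURDNS is a
# placeholder server name, *.root-servers.net are the only legitimate root hints,
# and the caller is a DNS administrator on that server.
param(
    [string]$DnsServer = 'OURDNS',   # placeholder; replace with your DNS server
    [switch]$Remove                  # delete flagged records instead of only listing them
)

function Test-RootHints {
    param([string]$Server, [switch]$Remove)

    $ns = 'root\MicrosoftDNS'
    $suspicious = @()

    # Root hints live in the pseudo-zone "..RootHints": NS records name a server
    # for the root, and A records hold the glue address for that server name.
    foreach ($class in 'MicrosoftDNS_NSType', 'MicrosoftDNS_AType') {
        $records = Get-WmiObject -ComputerName $Server -Namespace $ns -Class $class `
                    -Filter "ContainerName='..RootHints'"
        foreach ($r in $records) {
            # The host a hint points at: NSHost for NS records, OwnerName for glue A records.
            if ($class -eq 'MicrosoftDNS_NSType') { $target = $r.NSHost } else { $target = $r.OwnerName }

            # Anything outside root-servers.net has no business in this container.
            if ($target -notmatch '\.root-servers\.net\.?$') {
                $suspicious += New-Object PSObject -Property @{
                    Class      = $class
                    DomainName = $r.DomainName
                    OwnerName  = $r.OwnerName
                    Target     = $target
                    Data       = $r.RecordData
                }
                # WMI instance delete removes the record from the server (and, for
                # AD-integrated zones, from the directory on the next sync).
                if ($Remove) { $r.Delete() }
            }
        }
    }
    return $suspicious
}

$found = @(Test-RootHints -Server $DnsServer -Remove:$Remove)
if ($found.Count -eq 0) {
    "No unexpected root hints on $DnsServer"
} else {
    $found | Select-Object Class, DomainName, OwnerName, Target, Data | Format-Table -AutoSize
}

# For AD-integrated DNS the same hints are directory objects under the domain
# partition, which is where the answer's ADSI Edit path leads. Assumption: the
# root hints zone is stored as CN=RootDNSServers under CN=MicrosoftDNS,CN=System.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$zone = [ADSI]"LDAP://CN=RootDNSServers,CN=MicrosoftDNS,CN=System,$domainDn"
$zone.Children |
    ForEach-Object { $_.Properties['dc'].Value } |
    Where-Object { $_ -notmatch 'root-servers\.net$' -and $_ -ne '@' }
```

Run it first without -Remove to see what is flagged; in the question's case the NS record delegating biz. and the glue A record for hmksreiuojy.biz would both be listed. The trailing ADSI query prints the dnsNode names in the directory copy of the zone, so a hostname that shows up there but not in the DNS console is the object to inspect or delete in ADSI Edit.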