Identifying and deleting unused DNS entries

Danny Thomas d.thomas at its.uq.edu.au
Wed Sep 26 06:12:42 UTC 2007


blrmaani <blrmaani at gmail.com> asked
>I maintain a DNS server running BIND 9.2.x. We have several unused
>entries but I do not want to delete them before making sure that these
>A records/CNAMEs are not being queried.
>
>One approach I know of is to enable querylog, check for the names to
>be deleted in the querylog and delete it if these names are NOT in the
>querylog.
>
>Does BIND maintain some kind of statistics per CNAME/A record?
>Is there any better approach to solve this problem?

At least for hostname records, I don't believe the absence of DNS
queries is a great indicator of whether a host still exists.

The policy on our network is to register every active ip-address,
including network, gateway, HSRP & broadcast addresses. Conversely,
inactive ip-addresses should be removed from the DNS.

We use router netflows to identify
  active ip-addresses not registered in the dns
  dns hostnames no longer seen to be active


The date ip-addresses were last seen to be active is also displayed
against each ip-address managed through our web-based DNS management system.

This information is also brought through to our network information portal.
NB for various reasons the flows have not been updated since 03-Jul.


PORTAL EXAMPLE 1
============================================================================
VLAN 521
VLAN: Ipswich Students 2
VLAN type: network
VLAN site: Ipswich
466 hosts (55 not registered in DNS), 91.9% of 507 usable-addresses
this VLAN is not handled by the central DHCP server
routed by the HSRP cluster letron/synot

CIDR               gateway            #    ?    x    Q        ou
192.168.10.0/23    192.168.10.30    466   55    3    -        its-uqi

the # column has the total number of hosts seen from flows during
  01-Aug-2006 thru 03-Jul-2007 (336 days)
the ? column has the number of such hosts not registered in the central DNS
the x column has the number of hosts registered in the central DNS not seen
  in flows
the Q column represents whether the CIDR is handled by the Quotient Traffic
  Charging system


PORTAL EXAMPLE 2
============================================================================
this page is brought up when the '3' link in the 'x' column is clicked

3 hosts registered in the DNS were not seen to be active
displaying just those registered in the DNS but not seen to be active
IP               hostname
192.168.10.205   uqi-stud01867.studio.uqi.uq.edu.au
192.168.10.254   the-lexx.studio.uqi.uq.edu.au
192.168.11.255   broadcast-p10.studio.uqi.uq.edu.au


PORTAL EXAMPLE 3
============================================================================
this page is brought up when the '466' link in the '#' column is clicked

411 of the 466 active ip-addresses seen in 192.168.10.0/23 during 01-Aug-2006
thru 03-Jul-2007 (336 days) were registered in the DNS
3 hosts registered in the DNS were not seen to be active
displaying all active addresses
IP            first-time   num-days  last-time     hostname
192.168.10.0  06-Aug-2006        33   9-Dec-2006   net-p10.studio.uqi....
192.168.10.1  05-Aug-2006       134  02-Jul-2007   uqi-rembostud.studio....
192.168.10.2  14-Aug-2006        23  08-Jun-2007
192.168.10.3  14-Aug-2006        17  08-Feb-2007
192.168.10.4  14-Aug-2006        13  16-May-2007
192.168.10.5  01-Aug-2006       293  03-Jul-2007


PORTAL EXAMPLE 4
============================================================================
A special web-page is generated for server domains and lists hostnames
whose ip-address has not been seen to be active in the last month.
The fact that such a list has hundreds of entries indicates that the
processes followed by the server groups for removing interfaces are not
good, as they manage these DNS entries.


NB those marked with a '*' are dns entries not created through the WebDNS
interface. Produced in 2.0 secs at 13:06 PM on 05-Jul-2007 by
make-inactive-ip-pages.pl (script)

The following server domains were inspected:
  * cc.uq.edu.au
  * mgmt.cc.uq.edu.au
  * soe.uq.edu.au
  * sinet.uq.edu.au
  * ldap.uq.edu.au

These 189 have been inactive (since flow-processing began 2006-08-01):
IP                hostname
130.102.2.14  *   squeak.cc.uq.edu.au  + 1 other name
130.102.2.39  *   calpilot.cc.uq.edu.au
130.102.2.55  *   dhcptest1.cc.uq.edu.au
130.102.2.70  *   gourd.cc.uq.edu.au (USG)  + 1 other name
130.102.2.76  *   inferno.cc.uq.edu.au (USG)
130.102.2.92  *   stg-virt2.cc.uq.edu.au
130.102.2.93  *   stg-virt3.cc.uq.edu.au
130.102.2.94  *   stg-virt4.cc.uq.edu.au
130.102.2.95  *   stg-virt5.cc.uq.edu.au
130.102.3.124     premier.soe.uq.edu.au (USG)
130.102.3.125     deuxieme.soe.uq.edu.au (USG)
130.102.3.128     point.soe.uq.edu.au (USG)
....


Danny

-- 
   d.thomas at its.uq.edu.au    Danny Thomas,                                    
          +61-7-3365-8221    Software Infrastructure,
 http://www.its.uq.edu.au    ITS, The University of Queensland
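The flow-versus-DNS reconciliation Danny describes (the '#', '?' and 'x' columns of portal example 1, the per-address first/last-seen detail of example 3, and the "not active in the last month" list of example 4), as an added Python example that is not the make-inactive-ip-pages.pl script or any UQ code. The flow records, the A records (including the hostname "host5...") and all dates are constructed; a real run would read router NetFlow exports and parse the zone file instead.

```python
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records (date seen, ip); a real run would read
# router NetFlow exports. Dates and addresses here are made up.
FLOWS = [
    (date(2006, 8, 5), "192.168.10.1"), (date(2007, 7, 2), "192.168.10.1"),
    (date(2006, 8, 14), "192.168.10.2"), (date(2007, 6, 8), "192.168.10.2"),
    (date(2006, 8, 1), "192.168.10.5"), (date(2007, 7, 3), "192.168.10.5"),
    (date(2007, 5, 1), "192.168.10.7"),
    (date(2007, 5, 1), "10.0.0.1"),  # outside the VLAN's CIDR, ignored
]
# Constructed A records, hostname -> address (a real run would parse the zone).
DNS = {
    "uqi-rembostud.studio.uqi.uq.edu.au": "192.168.10.1",
    "host5.studio.uqi.uq.edu.au": "192.168.10.5",
    "uqi-stud01867.studio.uqi.uq.edu.au": "192.168.10.205",
    "the-lexx.studio.uqi.uq.edu.au": "192.168.10.254",
}

def reconcile(cidr, flows, dns):
    """Return the portal row's '#', '?' and 'x' figures for `cidr`, plus
    (first seen, distinct days, last seen, hostname) per active address."""
    net = ip_network(cidr)
    seen = {}  # ip -> set of days on which a flow was recorded
    for day, ip in flows:
        if ip_address(ip) in net:
            seen.setdefault(ip, set()).add(day)
    registered = {ip: name for name, ip in dns.items() if ip_address(ip) in net}
    return {
        "active": len(seen),                                                    # '#'
        "not_registered": sorted(set(seen) - set(registered), key=ip_address),  # '?'
        "not_seen": sorted(set(registered) - set(seen), key=ip_address),        # 'x'
        "registered": registered,
        "detail": {ip: (min(d), len(d), max(d), registered.get(ip, ""))
                   for ip, d in seen.items()},
    }

def stale_hostnames(cidr, flows, dns, today, days=30):
    """Registered hostnames whose address has not been active in the last
    `days` days, or ever: the list the post's server-domain page shows."""
    rep = reconcile(cidr, flows, dns)
    cutoff = today - timedelta(days=days)
    stale = []
    for ip, name in rep["registered"].items():
        last = rep["detail"].get(ip, (None, 0, None, ""))[2]
        if last is None or last < cutoff:
            stale.append((ip, name, last))
    return sorted(stale, key=lambda t: ip_address(t[0]))
```

An entry in the 'x' list is a candidate for removal, not proof the host is gone; as the post notes, the flows themselves can be stale, so check the date they were last updated before acting on the list.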


