DNS Aging and Scavenging
DNS aging is the mechanism the DNS Server uses to identify stale resource records. Stale records make name resolution unreliable (an old record can still point a name at an address that has since been reassigned to a different host, so two names resolve to one address and reverse lookups return the wrong name), they take up space in the zone for no reason, and they degrade DNS server performance. Aging works by keeping a time stamp on every dynamically registered resource record (RR). The time between a record's last time stamp and the server's current time is the record's age, and that age is what the scavenging operation uses to decide which records to delete from the DNS Server.
DNS scavenging is a recurring, scheduled process on the DNS Server that checks which resource records have aged past the configured intervals and removes those eligible stale records.
Things to Note before enabling DNS Scavenging
- Go through the DNS resource records and confirm that servers, printers and other critical devices that should hold a fixed IP address have static DNS records, so that they are not removed when scavenging runs. A dynamic record is recognisable by its date and time stamp; if you find one for such a device, open the record and clear the "Delete this record when it becomes stale" checkbox, which makes it static. Note that static records are never removed by scavenging, so they have to be cleaned up manually, for example as part of the server or device decommissioning procedure.
- Enable scavenging on one DNS server only, so that it can be managed in one place. With AD-integrated zones and healthy AD replication, a record scavenged on one DNS server is removed from all the others through replication: if the workstation record WK-DESKTOP1 is scavenged on that server, it disappears from every DNS server. There is therefore no need to enable scavenging on multiple servers. (The zone's aging intervals replicate with the zone; the scavenging schedule itself is a per-server setting.)
- Configure the no-refresh and refresh intervals carefully and in line with the DHCP lease duration; otherwise you can still end up with duplicate records, or with records scavenged while their lease is still valid. A common rule is to make the sum of the no-refresh interval and the refresh interval equal to or greater than the DHCP lease, so that a record only becomes eligible for scavenging after the lease it belonged to has expired.
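As an added example (not from the original article), the following PowerShell script runs the two checks from this list against a zone: it lists time-stamped (dynamic) records for hosts that should be static, and compares the zone's no-refresh plus refresh sum with the DHCP lease. It needs the DnsServer RSAT module (DhcpServer is optional). The zone name sysitpro.local, the server names DC01 and DHCP01 and the host list are assumptions for illustration.

```powershell
# Added example, not part of the original article: audit a zone before enabling
# scavenging. Lists dynamic (time-stamped) records for hosts that must stay static,
# and checks the no-refresh + refresh sum against the DHCP lease. Requires the
# DnsServer RSAT module (DhcpServer optional). Zone, server and host names below
# are assumptions for illustration.
Import-Module DnsServer

$ZoneName   = 'sysitpro.local'   # zone to audit (assumed)
$DnsServer  = 'DC01'             # DNS server that holds the zone (assumed)
$DhcpServer = 'DHCP01'           # DHCP server for the lease check (assumed)

# Servers, printers and other devices that keep a fixed IP and so need static records (assumed).
$MustBeStatic = @('FILESRV01', 'PRINT-FLOOR2', 'SQL01')

function Get-DynamicRecordsThatShouldBeStatic {
    param([string]$Zone, [string]$Server, [string[]]$Names)
    # A dynamically registered record carries a Timestamp; a static record has none
    # and is never scavenged. Anything in $Names that has a Timestamp is a candidate
    # for converting to static (clear "Delete this record when it becomes stale").
    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $Server -RRType A |
        Where-Object { $_.Timestamp -and ($Names -contains $_.HostName) } |
        Select-Object HostName,
            @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address.ToString() } },
            Timestamp
}

function Test-AgingAgainstLease {
    param([string]$Server, [string]$Zone, [timespan]$Lease)
    # A record must not become eligible for scavenging while the DHCP lease that
    # produced it is still valid: require no-refresh + refresh >= lease.
    $aging  = Get-DnsServerZoneAging -ComputerName $Server -Name $Zone
    $window = $aging.NoRefreshInterval + $aging.RefreshInterval
    [pscustomobject]@{
        Zone              = $Zone
        NoRefreshInterval = $aging.NoRefreshInterval
        RefreshInterval   = $aging.RefreshInterval
        EligibleAfter     = $window
        DhcpLease         = $Lease
        SafeAgainstLease  = ($window -ge $Lease)
    }
}

Get-DynamicRecordsThatShouldBeStatic -Zone $ZoneName -Server $DnsServer -Names $MustBeStatic |
    Format-Table -AutoSize

# Longest lease across the scopes if the DhcpServer module is present, else an assumed 8 days.
$lease = New-TimeSpan -Days 8
if (Get-Command Get-DhcpServerv4Scope -ErrorAction SilentlyContinue) {
    $lease = Get-DhcpServerv4Scope -ComputerName $DhcpServer |
        Sort-Object LeaseDuration -Descending |
        Select-Object -First 1 -ExpandProperty LeaseDuration
}
Test-AgingAgainstLease -Server $DnsServer -Zone $ZoneName -Lease $lease
```

Run it on the server that will do the scavenging before you enable anything; if SafeAgainstLease comes back False, lengthen the intervals (or shorten the lease) first, and convert every record the first report lists to static before the first scavenging pass.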
DNS Aging Configuration
No-refresh interval: the period after a record's time stamp during which the DNS server does not accept a refresh of that record (a dynamic update that carries the same data and would only reset the time stamp). Suppressing these refreshes reduces the replication traffic that every time-stamp change would otherwise cause. Note that a dynamic update that changes the record, such as a new IP address, is not affected by the no-refresh interval; it is applied and the time stamp is reset.
Refresh interval: the period, following the no-refresh interval, during which a refresh of the record is accepted and resets its time stamp. If the record is not refreshed before this period ends, it becomes eligible for scavenging.
With a no-refresh interval of 7 days and a refresh interval of 7 days, a record becomes eligible for scavenging 14 days after its time stamp. It is actually removed on the next scavenging run after that point, which depends on when the last run took place (the scavenging period is a recurring schedule on the DNS Server, set in step 2 below). You can check when the last scavenging run happened by looking for event ID 2501 or 2502 in the DNS Server event log.
Event ID 2501: a scavenging run completed and records were removed.
Event ID 2502: a scavenging run completed and no records were removed.
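As an added example (not from the original article), the PowerShell below works out, for a given record time stamp, when refreshes are accepted again and when the record becomes eligible for scavenging, applies the zone's real intervals to every dynamic A record in a zone, and reads the most recent 2501/2502 events from the DNS Server log. The sample time stamp is constructed, and the server name DC01 and zone sysitpro.local are assumptions.

```powershell
# Added example, not part of the original article: compute the refresh and
# scavenging windows for a record time stamp, list records already eligible, and
# show the last scavenging runs (events 2501/2502). The sample time stamp is
# constructed; server and zone names are assumptions.
Import-Module DnsServer

function Get-RecordScavengeWindow {
    param(
        [datetime]$Timestamp,          # the record's time stamp (reset on registration or refresh)
        [timespan]$NoRefreshInterval,
        [timespan]$RefreshInterval,
        [datetime]$Now = (Get-Date)
    )
    $refreshOpens = $Timestamp + $NoRefreshInterval     # same-data refreshes ignored before this point
    $eligibleFrom = $refreshOpens + $RefreshInterval    # stale if still not refreshed by this point

    if     ($Now -lt $refreshOpens) { $phase = 'no-refresh: same-data refreshes ignored, IP changes still applied' }
    elseif ($Now -lt $eligibleFrom) { $phase = 'refresh: a refresh resets the time stamp' }
    else                            { $phase = 'eligible: removed on the next scavenging run' }

    [pscustomobject]@{
        Timestamp    = $Timestamp
        Age          = $Now - $Timestamp
        RefreshOpens = $refreshOpens
        EligibleFrom = $eligibleFrom
        Phase        = $phase
    }
}

# Constructed sample: 7 + 7 day intervals and a workstation that last registered
# 15 days ago. It is one day past the 14-day point and goes on the next run.
$seven = New-TimeSpan -Days 7
Get-RecordScavengeWindow -Timestamp (Get-Date).AddDays(-15) -NoRefreshInterval $seven -RefreshInterval $seven

# Live: dynamic A records in a zone that are already past their eligibility point,
# using the zone's own intervals. The zone must also be past its
# AvailForScavengeTime (see Get-DnsServerZoneAging) before a run touches them.
function Get-EligibleRecords {
    param([string]$Server, [string]$Zone)
    $aging = Get-DnsServerZoneAging -ComputerName $Server -Name $Zone
    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $Server -RRType A |
        Where-Object { $_.Timestamp } |
        ForEach-Object {
            $w = Get-RecordScavengeWindow -Timestamp $_.Timestamp `
                    -NoRefreshInterval $aging.NoRefreshInterval -RefreshInterval $aging.RefreshInterval
            if ($w.Phase -like 'eligible*') {
                [pscustomobject]@{ HostName = $_.HostName; Timestamp = $_.Timestamp; EligibleFrom = $w.EligibleFrom }
            }
        }
}

# Last scavenging runs: 2501 = records were scavenged, 2502 = nothing to scavenge.
function Get-LastScavengeRuns {
    param([string]$Server, [int]$Count = 5)
    Get-WinEvent -ComputerName $Server -MaxEvents $Count -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'DNS Server'; Id = 2501, 2502 } |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 2501) { 'records scavenged' } else { 'no records scavenged' } } }
}

Get-EligibleRecords -Server 'DC01' -Zone 'sysitpro.local' | Format-Table -AutoSize
Get-LastScavengeRuns -Server 'DC01'
# (Get-DnsServerScavenging -ComputerName 'DC01').LastScavengeTime gives the last run without the event log.
```

The list from Get-EligibleRecords is what the next scavenging run will delete, so it is worth reviewing once before the first run on a zone that has never been scavenged: any server or printer name in it means the static-record check above was missed.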
Three places you can enable DNS Aging / Scavenging
Enable Aging / Scavenging at DNS Server Level
This enables aging / scavenging for all the zones on the DNS server and sets the default for zones created later. Follow the steps below to enable it at server level. (If you do not want scavenging on all DNS zones, skip this step and proceed to Enabling Aging / Scavenging at DNS Zone Level.) Note that the server-level setting is local to that server and is not replicated to other DNS servers.
- Right-click the DNS server and click Set Aging/Scavenging for All Zones…
Set the No-refresh interval and Refresh interval values
Keep the default values or change them to suit your environment. In this example both the no-refresh and the refresh interval are kept at 7 days.
In the next window you will see the following options:
Scavenge stale resource records: Enabled
Apply these settings to the existing Active Directory-Integrated zones: select this checkbox to push the aging / scavenging settings to all the existing AD-integrated zones. In some cases you will find that, even though you selected this checkbox and clicked OK, the zone-level aging settings have not changed. Why? This is explained at the end of the article.
- To verify that aging / scavenging has been enabled at the DNS server level, check from the command line with the dnscmd command (its /Info output lists the default aging state and the no-refresh, refresh and scavenging intervals).
Enabling Aging / Scavenging at DNS Zone Level
This enables aging / scavenging for a single DNS zone without affecting the other zones on the server. Follow the steps below to enable it at zone level.
Enable Aging / Scavenging at resource record (RR) level
You can also enable aging for an individual resource record (RR) by opening the record's properties and selecting "Delete this record when it becomes stale", which gives the record a time stamp.
Great! You have now enabled aging / scavenging on the DNS server. There is a second step needed to complete the scavenging configuration, and if either step is missing nothing is removed. Administrators easily forget one of the two, wait a few days and then find the stale records still sitting on their DNS server.
STEP 2 – Yes, that's an important step.
Once aging has been set at DNS server level, DNS zone level or resource record (RR) level, enable the recurring scavenging interval so that the server actually deletes the stale records as they become eligible under the aging configuration. This is done in the DNS server's properties, on the Advanced tab.
Select "Enable automatic scavenging of stale records" and keep the scavenging period at 7 days (or change it as required). The DNS server will then check every 7 days for eligible stale records and remove them; if there are none it checks again after another 7 days, and so on.
Now right-click the DNS zone where scavenging is configured (or, if it is enabled at server level and you have multiple zones, any one of them), click Properties and then click Aging.
This opens the Zone Aging/Scavenging Properties window, which shows the date and time after which the zone can be scavenged:
There can be a case where you configure aging and scavenging at DNS server level, select the checkbox "Apply these settings to the existing Active Directory-Integrated zones", and the settings still do not propagate to particular zone(s).
Let's take an example:
Zone-level scavenging on sysitpro.local is configured with a no-refresh interval of 6 days and a refresh interval of 2 days. You then enable scavenging at server level, keep the default no-refresh and refresh intervals (7 and 7 days), and select "Apply these settings to the existing Active Directory-Integrated zones"; the zone sysitpro.local still shows 6 and 2 days for the no-refresh and refresh intervals.
The workaround is to set the server-level no-refresh and refresh intervals to a value other than 7, for example 9, and apply again.
When you now check the zone-level aging configuration, it shows 9 and 9 days for the no-refresh and refresh intervals:
The configuration is now propagating. Change the server-level no-refresh and refresh intervals back from 9 to 7 days and apply again; the zone now shows the aging values propagated from the server-level configuration.
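As an added example (not from the original article), the PowerShell below performs both configuration steps from the walkthrough with the DnsServer module (server-level aging defaults pushed to the existing AD-integrated zones, plus the automatic scavenging period), then checks whether the zone-level values actually match the server-level ones. Where they do not, as in the sysitpro.local case just described, it sets the zone values directly rather than bouncing the server values between 9 and 7. The server name DC01, zone sysitpro.local and the 7-day values are assumptions; run it in an elevated session on the one server that is meant to scavenge.

```powershell
# Added example, not part of the original article: configure aging (step 1) and the
# scavenging period (step 2) with the DnsServer module, verify that the zone picked
# up the server-level values, and fix the zone directly if it did not. Server and
# zone names and the interval values are assumptions.
Import-Module DnsServer

$ScavengeServer = 'DC01'            # the single DNS server that runs scavenging (assumed)
$Zone           = 'sysitpro.local'  # AD-integrated zone to check (assumed)
$NoRefresh      = New-TimeSpan -Days 7
$Refresh        = New-TimeSpan -Days 7
$Period         = New-TimeSpan -Days 7   # how often the server looks for stale records

# Step 1 + Step 2 at server level in one call:
#   -NoRefreshInterval/-RefreshInterval/-ApplyOnAllZones = "Set Aging/Scavenging for All Zones..."
#     with "Apply these settings to the existing Active Directory-Integrated zones" ticked
#   -ScavengingState/-ScavengingInterval = "Enable automatic scavenging of stale records" + period
# The scavenging state and period are per server and are not replicated.
Set-DnsServerScavenging -ComputerName $ScavengeServer `
    -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh -ApplyOnAllZones `
    -ScavengingState $true -ScavengingInterval $Period

function Test-ZoneAgingMatchesServer {
    param([string]$Server, [string]$ZoneName)
    $srv  = Get-DnsServerScavenging -ComputerName $Server
    $zone = Get-DnsServerZoneAging  -ComputerName $Server -Name $ZoneName
    [pscustomobject]@{
        Zone                 = $ZoneName
        AgingEnabled         = $zone.AgingEnabled
        ZoneNoRefresh        = $zone.NoRefreshInterval
        ZoneRefresh          = $zone.RefreshInterval
        ServerNoRefresh      = $srv.NoRefreshInterval
        ServerRefresh        = $srv.RefreshInterval
        ScavengingEnabled    = $srv.ScavengingState
        ScavengingInterval   = $srv.ScavengingInterval
        AvailForScavengeTime = $zone.AvailForScavengeTime   # "The zone can be scavenged after"
        Propagated = ($zone.AgingEnabled -and
                      $zone.NoRefreshInterval -eq $srv.NoRefreshInterval -and
                      $zone.RefreshInterval   -eq $srv.RefreshInterval)
    }
}

$check = Test-ZoneAgingMatchesServer -Server $ScavengeServer -ZoneName $Zone
$check | Format-List

# Zone level: if the server-level values did not reach this zone, set them on the
# zone itself (the zone Properties > Aging dialog does the same thing).
if (-not $check.Propagated) {
    Set-DnsServerZoneAging -ComputerName $ScavengeServer -Name $Zone -Aging $true `
        -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
    Test-ZoneAgingMatchesServer -Server $ScavengeServer -ZoneName $Zone | Format-List
}

# Record level: a record created with -AgeRecord gets a time stamp and is subject to
# aging, the PowerShell equivalent of "Delete this record when it becomes stale".
# Add-DnsServerResourceRecordA -ComputerName $ScavengeServer -ZoneName $Zone `
#     -Name 'WK-DESKTOP1' -IPv4Address '10.0.0.50' -AgeRecord

# Optional: run a scavenging pass now instead of waiting for the period to elapse,
# then check the 2501/2502 events. Only records past their eligibility point in
# zones whose AvailForScavengeTime has passed are removed.
# Start-DnsServerScavenging -ComputerName $ScavengeServer -Force
```

Propagated being False after Set-DnsServerScavenging reproduces the situation described above; setting the zone values explicitly is a more predictable fix than changing the server values twice, and Test-ZoneAgingMatchesServer can be run again after AD replication to confirm the other DNS servers show the same zone values.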