A Windows DNS server is one of those infrastructure pieces that runs for years without anyone looking at it, until a stale record breaks Outlook for everyone, an audit asks why scavenging is off, or recursion turns out to be open to the internet. This guide walks through a complete DNS health audit you can run from PowerShell, and ships the Dargslan.WinDnsHealth module plus a free PDF cheat sheet.
Step 1: Zone inventory
Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, DynamicUpdate, IsReverseLookupZone
Two questions to answer: which zones are AD-integrated (preferred for replication and ACLs), and which still allow Nonsecure And Secure dynamic updates? The latter is a 2003-era setting that lets unauthenticated clients overwrite records; it is always a finding in 2026.
Step 2: Scavenging
Scavenging is what removes stale records left behind by laptops that join, register, and disappear. With it off, your DNS gradually fills with phantom records. Two settings: server-level on, and per-zone aging on.
Get-DnsServerScavenging
Get-DnsServerZoneAging -Name corp.local
Recommended baseline: server scavenging on, scavenging interval 7 days, NoRefresh and Refresh intervals both 7 days. This gives any record at least 14 days to be re-registered before it disappears.
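The following script is an added example, not code from the article or from the Dargslan module. It reads the current server and zone aging settings with the two cmdlets above, reports every deviation from the recommended baseline, and applies the baseline only when -Apply is given (a dry run otherwise). The server name dc01 and the zone corp.local are assumptions; substitute your own.

```powershell
# Added example (not from the article or the Dargslan module).
# Compares scavenging settings with the article's baseline and optionally applies it.
param(
    [string]$ComputerName = 'dc01',        # assumption: DNS server to audit
    [string]$ZoneName     = 'corp.local',  # assumption: AD-integrated forward zone
    [switch]$Apply                         # dry run unless specified
)

# Baseline from the article: 7-day scavenging, NoRefresh and Refresh intervals.
$baseline = [TimeSpan]::FromDays(7)

$srv  = Get-DnsServerScavenging -ComputerName $ComputerName
$zone = Get-DnsServerZoneAging  -ComputerName $ComputerName -Name $ZoneName

# Collect every deviation so the operator sees the full picture before changing anything.
$findings = @()
if (-not $srv.ScavengingState) {
    $findings += 'Server-level scavenging is off'
}
if ($srv.ScavengingInterval -ne $baseline) {
    $findings += "Scavenging interval is $($srv.ScavengingInterval), expected 7.00:00:00"
}
if (-not $zone.AgingEnabled) {
    $findings += "Aging is off for zone $ZoneName"
}
if ($zone.NoRefreshInterval -ne $baseline) {
    $findings += "NoRefresh interval for $ZoneName is $($zone.NoRefreshInterval), expected 7.00:00:00"
}
if ($zone.RefreshInterval -ne $baseline) {
    $findings += "Refresh interval for $ZoneName is $($zone.RefreshInterval), expected 7.00:00:00"
}

if ($findings.Count -eq 0) {
    Write-Output "Scavenging baseline already met on $ComputerName for $ZoneName"
    return
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }

if ($Apply) {
    # Server level: enable scavenging and set the 7-day interval. The NoRefresh/Refresh
    # values here become the defaults for new zones; existing zones are set below.
    Set-DnsServerScavenging -ComputerName $ComputerName -ScavengingState $true `
        -ScavengingInterval $baseline -NoRefreshInterval $baseline -RefreshInterval $baseline

    # Zone level: turn aging on with the same 7 + 7 day windows.
    Set-DnsServerZoneAging -ComputerName $ComputerName -Name $ZoneName -Aging $true `
        -NoRefreshInterval $baseline -RefreshInterval $baseline

    Write-Output "Baseline applied: records in $ZoneName now have at least 14 days to re-register"
} else {
    Write-Output 'Dry run only; re-run with -Apply to set the baseline'
}
```

Run it once without -Apply to see the findings, then with -Apply once you have confirmed the zone is the one you meant; the first scavenging pass will not delete anything until a record has sat through both the NoRefresh and Refresh windows.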
Step 3: Recursion + forwarders
Get-DnsServerRecursion
Get-DnsServerForwarder
Internal DNS servers need recursion enabled; that is how clients resolve internet names. The control is at the firewall: UDP/TCP 53 inbound from the internet must be denied. If your DNS server has a public IP and recursion is on, you have an open resolver. Fix it today.
Forwarders should point at known resolvers (your ISP, Quad9, Cloudflare, Google) and have a sane timeout (3-5 seconds). An empty forwarder list means the server uses root hints, which is fine but slower.
Step 4: DNSSEC + secure response
For zones you publish externally, DNSSEC is now an expectation. Inside the LAN it is rare. The flag to check is EnableDnsSec in Get-DnsServerSetting; it controls whether the server validates upstream DNSSEC, not whether your own zones are signed (use Get-DnsServerDnsSecZoneSetting for that).
A pragmatic PASS / WARN / FAIL score
- At least one Primary zone exists (1 pt; sanity check)
- At least one zone uses Secure dynamic update (1 pt)
- Forwarders configured (1 pt)
- Scavenging enabled at server level (1 pt)
4/4 PASS, 1-3 WARN, 0 FAIL.
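The function below is an added example, not code from the article or from the Dargslan module. It computes the four-point score exactly as listed above from the cmdlets used in steps 1 to 3, and goes one step further by also returning the findings the score alone does not surface: zones still on NonsecureAndSecure dynamic update, a forwarder timeout outside the 3-5 second range, and recursion being disabled. The default server name dc01 is an assumption.

```powershell
# Added example (not from the article or the Dargslan module).
# Computes the article's four-point PASS/WARN/FAIL score and lists extra findings.
function Get-DnsHealthScore {
    param([string]$ComputerName = 'dc01')   # assumption: DNS server to audit

    # Auto-created zones (TrustAnchors, 0.in-addr.arpa, ...) are not part of the inventory.
    $zones      = Get-DnsServerZone       -ComputerName $ComputerName |
                  Where-Object { -not $_.IsAutoCreated }
    $forwarders = Get-DnsServerForwarder  -ComputerName $ComputerName
    $scavenging = Get-DnsServerScavenging -ComputerName $ComputerName
    $recursion  = Get-DnsServerRecursion  -ComputerName $ComputerName

    # The four checks behind the score, one point each.
    $checks = [ordered]@{
        'At least one Primary zone'               = @($zones | Where-Object ZoneType -eq 'Primary').Count -gt 0
        'At least one Secure dynamic-update zone' = @($zones | Where-Object DynamicUpdate -eq 'Secure').Count -gt 0
        'Forwarders configured'                   = @($forwarders.IPAddress).Count -gt 0
        'Server scavenging enabled'               = [bool]$scavenging.ScavengingState
    }
    $points  = @($checks.Values | Where-Object { $_ }).Count
    $verdict = switch ($points) {
        4       { 'PASS' }
        0       { 'FAIL' }
        default { 'WARN' }
    }

    # Findings the score does not capture but the audit steps call out.
    $findings = @()
    $zones | Where-Object DynamicUpdate -eq 'NonsecureAndSecure' | ForEach-Object {
        $findings += "Zone $($_.ZoneName) allows nonsecure dynamic updates (unauthenticated overwrite)"
    }
    if (@($forwarders.IPAddress).Count -gt 0 -and
        ($forwarders.Timeout -lt 3 -or $forwarders.Timeout -gt 5)) {
        $findings += "Forwarder timeout is $($forwarders.Timeout)s, expected 3-5s"
    }
    if (-not $recursion.Enable) {
        $findings += 'Recursion is disabled; internal clients cannot resolve internet names here'
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Points       = $points
        Verdict      = $verdict
        Checks       = $checks
        Findings     = $findings
    }
}

# Usage: score one server and show every check and finding.
Get-DnsHealthScore -ComputerName dc01 | Format-List
```

Recursion is reported as a finding rather than scored because the right answer depends on placement: an internal server should have it on, and the real control for an internet-facing address is the inbound port 53 rule at the firewall, which no DNS cmdlet can see.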
Dargslan.WinDnsHealth module
Install-Module Dargslan.WinDnsHealth -Scope CurrentUser
Import-Module Dargslan.WinDnsHealth
Export-DargslanDnsHealthReport -ComputerName dc01 -OutDir C:\reports
FAQ
Does it run remotely?
Yes; every cmdlet accepts -ComputerName. PSRemoting is not required if WMI / RPC is open.
What about non-Microsoft DNS?
The module is Windows DNS Server only. For BIND or PowerDNS the audit logic is similar but the cmdlets are different.
Cheat sheet?
Free PDF at /cheat-sheets/windows-dns-server-health-2026.