In this case, we can list all the A records from the forward lookup zone and search for the IP address we know.
Use WMI
If you have admin rights on the DNS server, you can use WMI:
gwmi -Namespace root/microsoftDNS -q "select * from MicrosoftDNS_AType where recorddata='10.1.1.123'" | select Ownername,recordData
Use dnscmd
However, if you don't have any sort of permissions, you can try to use dnscmd to enumerate all records from the given zone, then use PowerShell to search for the IP and do some text parsing to get a proper output. The full script follows the explanation.
A bit of explanation:
- $zoneContent = dnscmd $dnsserver /enumrecords $dnsDomain . /continue
Get the full list of records from the given zone
- if($item -match "$ip"){...
Go through each line in the output and, if the given line contains the IP you are looking for, start processing the data
- if($item -match "^ "){
If the line starts with spaces, it holds an IP that belongs to a host with multiple IPs, so we need to list the previous line as well
- $aging = $($tmp=$zoneContent[$k-1] -match "aging:(?<number>[^\]]+)"; $matches.number)
$timestamp = (Get-Date ("1601/01/01 00:00")).addhours($aging)
Calculate the time stamp of the record from the Aging number (which is the number of hours from 1st Jan 1601)
- New-Object -TypeName psobject -Property @{"IP"=$ip; Host=($zoneContent[$k-1].split(" ")[0]); timestamp=$timestamp}
Put the data into an object and write it to standard output
$ip = "10.1.1.122"
$dnsServer = "c3podc1"
$dnsDomain = "tatooine.com"
# get the full list of records from the given zone
$zoneContent = dnscmd $dnsServer /enumrecords $dnsDomain . /continue
# escape the dots and require whitespace or line end around the address,
# so that 10.1.1.122 does not also match 10.1.1.1220 or 10x1.1.122
$ipPattern = '(^|\s)' + [regex]::Escape($ip) + '(\s|$)'
$k = 0
Foreach($item in $zoneContent){
    if($item -match $ipPattern){
        # if the host has 2 IPs and we searched for the 2nd one, we will need the previous line from the output
        if($item -match "^ "){
            # first object: timestamp from the aging value of the previous line
            $aging = $($tmp=$zoneContent[$k-1] -match "aging:(?<number>[^\]]+)"; $matches.number)
            $timestamp = (Get-Date ("1601/01/01 00:00")).addhours($aging)
            New-Object -TypeName psobject -Property @{"IP"=$ip; Host=($zoneContent[$k-1].split(" ")[0]); timestamp=$timestamp}
            # second object: timestamp from the aging value of the matching line itself
            $aging = $($tmp=$item -match "aging:(?<number>[^\]]+)"; $matches.number)
            $timestamp = (Get-Date ("1601/01/01 00:00")).addhours($aging)
            New-Object -TypeName psobject -Property @{"IP"=$ip; Host=($zoneContent[$k-1].split(" ")[0]); timestamp=$timestamp}
        }
        else{
            # the host name and the aging value are both on the matching line
            $aging = $($tmp=$item -match "aging:(?<number>[^\]]+)"; $matches.number)
            $timestamp = (Get-Date ("1601/01/01 00:00")).addhours($aging)
            New-Object -TypeName psobject -Property @{"IP"=$ip; Host=($item.split(" ")[0]); timestamp=$timestamp}
        }
    }
    # $k tracks the index of the current line in $zoneContent
    $k++
}
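An added example, not part of the original post: a stateful parser that turns the dnscmd text into one object per A record, so a host with three or more addresses still resolves to its name, lines without an Aging tag get no timestamp, and the address is compared exactly. The function name and the sample lines are constructed for illustration, and the line layout is assumed to be the one the script above parses.

```powershell
# Added example: parse "dnscmd /enumrecords" text into one object per A record.
function ConvertFrom-DnsCmdARecord {
    param([string[]]$Lines)
    $epoch = [datetime]'1601-01-01'   # aging values count hours from this date
    $owner = $null
    foreach ($line in $Lines) {
        # A line that starts with a name sets the current owner; continuation
        # lines (leading whitespace) keep the owner of the last named line.
        if ($line -match '^(?<name>\S+)') { $owner = $Matches.name }
        # Only A record lines are of interest: "... A <IPv4>" at the end of the line.
        if ($line -notmatch '\sA\s+(?<ip>\d{1,3}(\.\d{1,3}){3})\s*$') { continue }
        $ip = $Matches.ip
        # Assumption: a line without an [Aging:n] tag has no timestamp to report.
        $stamp = $null
        if ($line -match '\[Aging:(?<hours>\d+)\]') {
            $stamp = $epoch.AddHours([double]$Matches.hours)
        }
        [pscustomobject]@{ Host = $owner; IP = $ip; Timestamp = $stamp }
    }
}

# Constructed sample in the assumed layout (not captured from a real server).
$sample = @(
    'Returned records:'
    'c3po [Aging:3630000] 1200 A 10.1.1.120'
    'r2d2 [Aging:3630024] 1200 A 10.1.1.121'
    "`t`t [Aging:3630048] 1200 A 10.1.1.122"
    "`t`t [Aging:3630072] 1200 A 10.1.1.123"
    'falcon 3600 A 10.1.1.1220'
    'Command completed successfully.'
)

$records = ConvertFrom-DnsCmdARecord -Lines $sample
# Exact comparison: 10.1.1.122 does not pick up the record for 10.1.1.1220.
$records | Where-Object { $_.IP -eq '10.1.1.122' }
# Third address of the same host, two lines below the line that names it.
$records | Where-Object { $_.IP -eq '10.1.1.123' }
```

To run it against a live zone, pass the output of `dnscmd $dnsServer /enumrecords $dnsDomain . /continue` as `-Lines` instead of `$sample`.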