{"id":24307725,"url":"https://github.com/jakehildreth/bluetuxedo","last_synced_at":"2025-04-05T20:05:14.822Z","repository":{"id":201142084,"uuid":"632441766","full_name":"jakehildreth/BlueTuxedo","owner":"jakehildreth","description":"A tiny tool built to find and fix common misconfigurations in Active Directory-integrated DNS","archived":false,"fork":false,"pushed_at":"2025-01-21T13:50:45.000Z","size":18079,"stargazers_count":112,"open_issues_count":11,"forks_count":9,"subscribers_count":8,"default_branch":"main","last_synced_at":"2025-04-05T20:04:58.160Z","etag":null,"topics":["active-directory","adi-dns","adidns","dns","powershell","powershell-module"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jakehildreth.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":"FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":["jakehildreth"],"patreon":null,"open_collective":null,"ko_fi":"jakehildreth","tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2023-04-25T12:17:41.000Z","updated_at":"2025-02-18T21:29:10.000Z","dependencies_parsed_at":"2023-10-28T11:28:01.555Z","dependency_job_id":"14717523-049f-43d0-8195-2d845a44c1d5","html_url":"https://github.com/jakehildreth/BlueTuxedo","commit_stats":null,"previous_names":["trimarcjake/bluetuxedo","jakehildreth/bluetuxedo"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakehildreth%2FBlueTuxedo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakehildreth%2FBlueTuxedo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakehildreth%2FBlueTuxedo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jakehildreth%2FBlueTuxedo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jakehildreth","download_url":"https://codeload.github.com/jakehildreth/BlueTuxedo/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247393568,"owners_count":20931812,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","adi-dns","adidns","dns","powershell","powershell-module"],"created_at":"2025-01-17T04:05:59.389Z","updated_at":"2025-04-05T20:05:14.796Z","avatar_url":"https://github.com/jakehildreth.png","language":"PowerShell","funding_links":["https://github.com/sponsors/jakehildreth","https://ko-fi.com/jakehildreth"],"categories":[],"sub_categories":[],"readme":"# BlueTuxedo\nA tiny tool built to find and fix common misconfigurations in Active Directory-Integrated DNS (and a little DHCP as a treat).\n\n## How can BlueTuxedo help you?\n[Read the slides from WWHF.](https://github.com/jakehildreth/BlueTuxedo/blob/main/ADI%20DNS%20-%20No%20demo.pptx)\n\n[Watch the presentation from BSidesCharm.](https://www.hub.trimarcsecurity.com/post/ad-dns-a-match-made-in-heck)\n\n## Quick Start:\n``` powershell\n# Install from PSGallery\nInstall-Module -Name BlueTuxedo -Scope CurrentUser\nInvoke-BlueTuxedo\n\n# Clone from GitHub and Import\ngit clone https://github.com/jakehildreth/BlueTuxedo.git\ncd BlueTuxedo\nImport-Module .\\BlueTuxedo.psd1 -Force\nInvoke-BlueTuxedo\n\n# Use the testing branch - probably broken, but 🤷‍♀️\ngit clone https://github.com/jakehildreth/BlueTuxedo.git\ncd BlueTuxedo\ngit checkout testing\nImport-Module .\\BlueTuxedo.psd1 -Force\nInvoke-BlueTuxedo\n```\nRunning `Invoke-BlueTuxedo` with no paramters will [`Get`](#get-stuff) stuff, [`Test`](#test-stuff) it, then offer code for how to [`Repair`](#repair-stuff) identified issues (where possible).\n\n### `Get` Stuff\n\n- ADI Zones\n- Conditional Forwarder\n- Dangling SPNs [^1]\n- DHCP Dynamic Update service account configuration\n- DnsAdmins Membership\n- DnsUpdateProxy Membership\n- Forwarder Configuration\n- Global Query Block List (GQBL)\n- Non-ADI Zone Auditing\n- Query Resolution Policies\n- Security Descriptors\n- Socket Pool Configuration\n- Tombstoned DNS Records\n- Wildcard Record\n- WPAD Record\n- Zone Scopes\n- Zone Scope Containers\n\n### `Test` Stuff\n| Item | Test Condition |\n|---------|---------------|\n| ADI Zones | Is Legacy Zone? |\n| ADI Zones | Are Secure Updates enabled? |\n| DHCP Dynamic Update service account | Exists on each DHCP server? |\n| Dangling SPNs | Exist? |\n| DnsAdmins Membership | Is non-zero? |\n| DnsUpdateProxy Membership | Is non-zero? |\n| Forwarder Configuration | Exist? |\n| Global Query Block List (GQBL) | Contains `wpad`/`isatap` |\n| Non-ADI Zones | Exist? |\n| Query Resolution Policies | Exist? |\n| Security Descriptor (ACEs) | Standard/Expected? |\n| Security Descriptor (Ownership) | Standard/Expected? |\n| Socket Pool Configuration | Is maximum? |\n| Tombstoned DNS Records | Exist? |\n| Wildcard Record | Exists \u0026 correct type? |\n| WPAD Record | Exists \u0026 correct type? |\n| Zone Scopes | Exist? |\n| Zone Scope Containers | Exists \u0026 empty? |\n\n### `Repair` Stuff\n| Item | Fix |\n|-|-|\n| ADI Zones | Convert Legacy (Windows 2000 Compatible) Zones to Modern |\n| Dangling SPNs | Delete SPN from Account |\n| Socket Pool Configuration | Set Socket Pool Configuration to Maximum |\n| Tombstoned DNS Records | Delete Tombstoned DNS Record |\n| Wildcard Record | Create Proper Wildcard Record |\n| WPAD Record | Create Proper WPAD Record |\n\n[^1]: A \"Dangling SPN\" is a Service Principal Name (SPN) in which the host portion of the SPN does not resolve to an IP address.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakehildreth%2Fbluetuxedo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjakehildreth%2Fbluetuxedo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjakehildreth%2Fbluetuxedo/lists"}