Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
A tiny tool to find and fix common misconfigurations in Active Directory-integrated DNS
https://github.com/trimarcjake/bluetuxedo
active-directory adi-dns adidns dns powershell powershell-module
- Host: GitHub
- URL: https://github.com/trimarcjake/bluetuxedo
- Owner: TrimarcJake
- License: other
- Created: 2023-04-25T12:17:41.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2024-12-04T15:23:41.000Z (about 1 month ago)
- Last Synced: 2025-01-09T15:10:04.326Z (2 days ago)
- Topics: active-directory, adi-dns, adidns, dns, powershell, powershell-module
- Language: PowerShell
- Homepage:
- Size: 17.2 MB
- Stars: 103
- Watchers: 8
- Forks: 6
- Open Issues: 10
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# BlueTuxedo
A tiny tool built to find and fix common misconfigurations in Active Directory-Integrated DNS (and a little DHCP as a treat).

## How can BlueTuxedo help you?
[Read the slides from WWHF.](https://github.com/TrimarcJake/BlueTuxedo/blob/main/ADI%20DNS%20-%20No%20demo.pptx)

[Watch the presentation from BSidesCharm.](https://www.hub.trimarcsecurity.com/post/ad-dns-a-match-made-in-heck)
## Quick Start:
```powershell
# Install from PSGallery
Install-Module -Name BlueTuxedo -Scope CurrentUser
Invoke-BlueTuxedo

# Clone from GitHub and Import
git clone https://github.com/TrimarcJake/BlueTuxedo.git
cd BlueTuxedo
Import-Module .\BlueTuxedo.psd1 -Force
Invoke-BlueTuxedo

# Use the testing branch - probably broken, but 🤷♀️
git clone https://github.com/TrimarcJake/BlueTuxedo.git
cd BlueTuxedo
git checkout testing
Import-Module .\BlueTuxedo.psd1 -Force
Invoke-BlueTuxedo
```
Running `Invoke-BlueTuxedo` with no parameters will [`Get`](#get-stuff) stuff, [`Test`](#test-stuff) it, then offer code for how to [`Repair`](#repair-stuff) identified issues (where possible).

### `Get` Stuff
- ADI Zones
- Conditional Forwarder
- Dangling SPNs [^1]
- DHCP Dynamic Update service account configuration
- DnsAdmins Membership
- DnsUpdateProxy Membership
- Forwarder Configuration
- Global Query Block List (GQBL)
- Non-ADI Zone Auditing
- Query Resolution Policies
- Security Descriptors
- Socket Pool Configuration
- Tombstoned DNS Records
- Wildcard Record
- WPAD Record
- Zone Scopes
- Zone Scope Containers

### `Test` Stuff
| Item | Test Condition |
|---------|---------------|
| ADI Zones | Is Legacy Zone? |
| ADI Zones | Are Secure Updates enabled? |
| DHCP Dynamic Update service account | Exists on each DHCP server? |
| Dangling SPNs | Exist? |
| DnsAdmins Membership | Is non-zero? |
| DnsUpdateProxy Membership | Is non-zero? |
| Forwarder Configuration | Exist? |
| Global Query Block List (GQBL) | Contains `wpad`/`isatap` |
| Non-ADI Zones | Exist? |
| Query Resolution Policies | Exist? |
| Security Descriptor (ACEs) | Standard/Expected? |
| Security Descriptor (Ownership) | Standard/Expected? |
| Socket Pool Configuration | Is maximum? |
| Tombstoned DNS Records | Exist? |
| Wildcard Record | Exists & correct type? |
| WPAD Record | Exists & correct type? |
| Zone Scopes | Exist? |
| Zone Scope Containers | Exists & empty? |

### `Repair` Stuff
| Item | Fix |
|-|-|
| ADI Zones | Convert Legacy (Windows 2000 Compatible) Zones to Modern |
| Dangling SPNs | Delete SPN from Account |
| Socket Pool Configuration | Set Socket Pool Configuration to Maximum |
| Tombstoned DNS Records | Delete Tombstoned DNS Record |
| Wildcard Record | Create Proper Wildcard Record |
| WPAD Record | Create Proper WPAD Record |

[^1]: A "Dangling SPN" is a Service Principal Name (SPN) in which the host portion of the SPN does not resolve to an IP address.
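To show how a handful of the `Test` conditions above map onto the built-in DnsServer cmdlets, here is an added, read-only example (not BlueTuxedo's own code) that reports legacy zones, non-secure dynamic updates, the wildcard record's presence and type, GQBL coverage of `wpad`/`isatap`, and the socket pool size. It assumes the DnsServer RSAT module, read rights on the target, and a placeholder server name that you replace.

```powershell
# Added example, not part of BlueTuxedo. Returns a list of finding strings
# so it can be piped or compared across servers; it changes nothing.
function Test-AdiDnsBaseline {
    param([Parameter(Mandatory)][string]$Server)

    $findings = [System.Collections.Generic.List[string]]::new()

    # ADI Zones: legacy (Windows 2000 compatible) replication scope and update mode
    $zones = Get-DnsServerZone -ComputerName $Server |
        Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }
    foreach ($z in $zones) {
        if ($z.ReplicationScope -eq 'Legacy') {
            $findings.Add("Zone $($z.ZoneName): legacy replication scope")
        }
        if ($z.DynamicUpdate -ne 'Secure') {
            $findings.Add("Zone $($z.ZoneName): dynamic updates are '$($z.DynamicUpdate)', expected 'Secure'")
        }
        # Wildcard Record: exists? Report its type so a reviewer can judge it.
        if (-not $z.IsReverseLookupZone) {
            $wild = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $z.ZoneName `
                -Name '*' -ErrorAction SilentlyContinue
            if (-not $wild) {
                $findings.Add("Zone $($z.ZoneName): no wildcard (*) record")
            } else {
                $findings.Add("Zone $($z.ZoneName): wildcard record type(s) $($wild.RecordType -join ',')")
            }
        }
    }

    # GQBL: enabled and still listing wpad and isatap
    $gqbl = Get-DnsServerGlobalQueryBlockList -ComputerName $Server
    foreach ($name in 'wpad', 'isatap') {
        if (-not $gqbl.Enable -or $gqbl.List -notcontains $name) {
            $findings.Add("GQBL: '$name' is not blocked")
        }
    }

    # Socket Pool Configuration: 10000 is the maximum the DNS Server service accepts
    $settings = Get-DnsServerSetting -ComputerName $Server -All
    if ($settings.SocketPoolSize -lt 10000) {
        $findings.Add("Socket pool size is $($settings.SocketPoolSize), maximum is 10000")
    }

    return $findings
}

# Placeholder host name; replace with one of your DNS servers.
Test-AdiDnsBaseline -Server 'dc01.example.invalid'
```

An empty result means none of these five conditions fired; the remaining rows of the table (ACEs, ownership, tombstones, scopes) need `Invoke-BlueTuxedo` itself.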