Configure DNS Scavenging to Clean Up Old Records in Windows Server

In this guide I'll cover configuring DNS in Windows Server to scavenge (delete) stale records automatically.

Consider the scenario where you are working through the Best Practices Analyser for DNS Server in Windows Server and you come across this:

Problem:
Scavenging is disabled on the DNS server.

Impact:
The size of the DNS database can become excessive if scavenging is not enabled.

Resolution:
Enable scavenging on the DNS Server.

What is DNS Scavenging?

Windows DNS server keeps a DNS record (hostname and IP address) for every client device that registers with it. Over time, especially on a large network or one that supports BYOD, the DNS record database grows and the DNS service consumes more and more RAM. By default, these records are never removed. DNS Scavenging is a process in Windows DNS server that automatically removes records that have not been updated for a period of time (that have become stale).

No-Refresh Interval, Refresh Interval & Scavenging Period

DNS server uses two periods of time, the No-Refresh Interval and the Refresh Interval, to determine whether a record is stale, and removes stale records once per Scavenging Period.

When a record in DNS is first created, it is timestamped with the current date and time. The record is now in its No-Refresh Interval. The length of this interval is configured for each DNS zone (Microsoft Best Practices suggests 7 days). During this time, the record's timestamp can't be updated. For example, if a device is turned off for a few days and is then turned back on again before the end of the No-Refresh Interval, its DNS record timestamp won't be updated.

Once the No-Refresh Interval has passed, the record is in its Refresh Interval. The Refresh Interval length is also configurable for each zone (again, Microsoft Best Practices suggests 7 days). During this time, a device's DNS record timestamp will be updated if it registers itself with the DNS server. If the timestamp is not updated during this time, the record is considered stale and can be scavenged (deleted).

The Scavenging Period is set per DNS server (not per zone like the No-Refresh Interval and Refresh Interval) and determines how often the server will remove stale DNS records (again, Microsoft Best Practices suggests 7 days).

So in summary, with this default setup, a DNS record needs to be at least 14 days old with no updates to be considered stale and then needs to wait up to another 7 days before the server will delete it.

Setup DNS Scavenging

The first step in setting up scavenging is to check your DNS zone for records that should be static but aren't - the last thing you want is the DNS server deleting records pointing to your servers.

On your Windows Server that hosts DNS, open DNS Manager

Left click on the zone with your local network records and have a look through the list - make note of any records that point to servers or services you need that are not set to static in the timestamp field. If you find some that are not set to static, create a static A record for them. To do this:

Right click on your Zone and choose New Host (A or AAAA)...

Enter the IP address and hostname of the server and click Add Host.

Once you are sure that all services and servers have a static DNS entry, move on to the next step.
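The audit above can be done from PowerShell instead of reading through DNS Manager by hand. The following is an added example, not code from the original guide: it lists the dynamic (timestamped) A records in a zone with the date each would become stale under the intervals described above, and can replace a dynamic record for a named server with a static one. It assumes the DnsServer PowerShell module (installed with the DNS Server role or RSAT); the zone name and hostnames in the usage lines are placeholders.

```powershell
# Added example (not from the original guide). Assumes the DnsServer module.
# Zone name, server name and hostnames used below are placeholders.

function Get-DynamicARecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string]   $ComputerName      = $env:COMPUTERNAME,
        [timespan] $NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan] $RefreshInterval   = (New-TimeSpan -Days 7)
    )

    # Static records carry no timestamp; anything with a Timestamp is dynamic
    # and will age out once scavenging is enabled and the host stops registering.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $ComputerName |
        Where-Object { $null -ne $_.Timestamp } |
        ForEach-Object {
            [pscustomobject]@{
                HostName    = $_.HostName
                IPv4Address = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp   = $_.Timestamp
                # Earliest point the record is stale if the host never re-registers:
                # timestamp + No-Refresh Interval + Refresh Interval.
                StaleAfter  = $_.Timestamp + $NoRefreshInterval + $RefreshInterval
            }
        }
}

function ConvertTo-StaticARecord {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ZoneName,
        [Parameter(Mandatory)] [string[]] $HostName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    foreach ($name in $HostName) {
        $records = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $name `
                        -ComputerName $ComputerName -ErrorAction SilentlyContinue)
        if ($records.Count -eq 0) { Write-Warning "$name has no A record in $ZoneName"; continue }

        foreach ($record in $records) {
            if ($null -eq $record.Timestamp) { Write-Verbose "$name is already static"; continue }
            $ip = $record.RecordData.IPv4Address.IPAddressToString

            if ($PSCmdlet.ShouldProcess("$name ($ip)", "replace dynamic A record with a static one")) {
                # Remove the dynamic record, then re-add it. Add-DnsServerResourceRecordA
                # creates a static (untimestamped) record unless -AgeRecord is given.
                Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name $name `
                    -RecordData $ip -ComputerName $ComputerName -Force
                Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $name -IPv4Address $ip `
                    -ComputerName $ComputerName
            }
        }
    }
}

# Usage (placeholder zone and hostnames):
# Get-DynamicARecord -ZoneName 'corp.example.com' |
#     Where-Object HostName -in @('fileserver01', 'printserver01') | Format-Table
# ConvertTo-StaticARecord -ZoneName 'corp.example.com' -HostName 'fileserver01' -WhatIf
```

Run ConvertTo-StaticARecord with -WhatIf first to see what would be replaced. The remove-then-add step leaves the name unresolvable for a moment, so do it outside any change window where that matters; the StaleAfter column is the earliest a record could be deleted, and the actual removal happens at the next scavenge run after that date.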

Configure Aging for DNS Zones

Right click on the DNS Zone you wish to enable scavenging and choose Properties.

On the General tab, click Aging...

In the Zone Aging/Scavenging Properties dialog box, tick Scavenge stale resource records and adjust the No-Refresh Interval and Refresh Interval as necessary. The defaults are 7 days each. Click OK.

Click OK to close the Zone Properties dialog box.

Enable Automatic Scavenging on the DNS server

Now that the zones are set up with the correct no-refresh and refresh intervals, it's time to enable automatic scavenging on the DNS server.

Right click on the DNS server object in the DNS Manager and choose Properties

On the Properties dialog box, click the Advanced tab. Tick Enable automatic scavenging of stale records and choose a scavenging period (the default is 7 days). Click OK.
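The same two steps (per-zone aging, then per-server automatic scavenging) can be scripted and then verified. This is an added example, not code from the original guide; it assumes the DnsServer PowerShell module, uses the 7-day defaults from the text, and the zone and server names are placeholders.

```powershell
# Added example (not from the original guide). Assumes the DnsServer module.
# Zone and server names are placeholders; intervals default to 7 days each.

function Enable-DnsScavenging {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $ZoneName,
        [string]   $ComputerName       = $env:COMPUTERNAME,
        [timespan] $NoRefreshInterval  = (New-TimeSpan -Days 7),
        [timespan] $RefreshInterval    = (New-TimeSpan -Days 7),
        [timespan] $ScavengingInterval = (New-TimeSpan -Days 7)
    )

    # Per zone: the equivalent of Zone Properties > General > Aging...
    foreach ($zone in $ZoneName) {
        if ($PSCmdlet.ShouldProcess($zone, "enable aging/scavenging on zone")) {
            Set-DnsServerZoneAging -Name $zone -Aging $true `
                -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval `
                -ComputerName $ComputerName
        }
    }

    # Per server: the equivalent of Server Properties > Advanced >
    # "Enable automatic scavenging of stale records" with a scavenging period.
    if ($PSCmdlet.ShouldProcess($ComputerName, "enable automatic scavenging on server")) {
        Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval $ScavengingInterval `
            -ComputerName $ComputerName
    }
}

function Test-DnsScavengingConfig {
    param(
        [Parameter(Mandatory)] [string[]] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Server-level state: is automatic scavenging on, how often, and when it last ran.
    $server = Get-DnsServerScavenging -ComputerName $ComputerName
    [pscustomobject]@{
        Scope        = "server:$ComputerName"
        Enabled      = $server.ScavengingState
        Interval     = $server.ScavengingInterval
        NextOrLast   = $server.LastScavengeTime
    }

    # Zone-level state: aging enabled, total time before a record can be stale,
    # and the earliest time the zone's records are eligible for scavenging.
    foreach ($zone in $ZoneName) {
        $aging = Get-DnsServerZoneAging -Name $zone -ComputerName $ComputerName
        [pscustomobject]@{
            Scope        = "zone:$zone"
            Enabled      = $aging.AgingEnabled
            Interval     = $aging.NoRefreshInterval + $aging.RefreshInterval
            NextOrLast   = $aging.AvailForScavengeTime
        }
    }
}

# Usage (placeholder zone name):
# Enable-DnsScavenging -ZoneName 'corp.example.com' -WhatIf
# Enable-DnsScavenging -ZoneName 'corp.example.com'
# Test-DnsScavengingConfig -ZoneName 'corp.example.com' | Format-Table
```

Test-DnsScavengingConfig shows the two settings that are easy to miss in DNS Manager: aging enabled on the zone but scavenging still off at the server level (or the reverse) means nothing is ever deleted, and the zone's AvailForScavengeTime explains the wait described in the next paragraph, since records cannot be removed before that time.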

All done - the server is now configured to scavenge stale records. Note that it will take around 3 weeks before you notice any records being removed, as they all need to pass through their no-refresh and refresh intervals and then wait for the weekly scavenge process to run.
