Level Verified

Windows Monitor - DNS Servers Script

Created by

Level

Type

Script

Category

General

Platforms
Windows, Apple iOS, Linux (as listed on the page; the script itself is PowerShell querying WMI, so it only runs on Windows endpoints)

Problem Overview

Unexpected or incorrect DNS settings can reroute traffic to unauthorized resolvers (DNS hijacking, which enables phishing, credential interception and command-and-control traffic that bypasses your filtering), slow down network performance, or disrupt critical services. Ensuring that endpoints always use approved DNS servers closes that avenue and supports reliable connectivity.

Description

This script retrieves the DNS settings from every IP-enabled network adapter on a Windows system and compares them against a specified list of authorized DNS servers, managed via the cf_dns Level custom field. If every adapter's DNS configuration falls entirely within the allowed list, the script indicates success (exit code 0). Otherwise it prints an alert and exits non-zero, letting you know immediately which system and adapter have strayed from standard policy.

You can run this script on demand whenever you suspect a configuration change, or attach it to a script-based monitor in Level so the check runs continuously and raises an alert on a non-zero exit. Alternatively, you can schedule it through a Level Automation for ongoing compliance checks, automatically alerting you when any system falls out of spec.

Script

<#
This resource is provided as a convenience for Level users. We cannot 
guarantee it will work in all environments. Please test before deploying 
to your production environment. We welcome contributions to our community 
library

Level Library
https://level.io/library/script-windows-monitor-dns-servers
#>

# Comma-separated list of expected DNS servers, injected from the cf_dns custom field
$allowedDnsServers = "{{cf_dns}}"

# Convert the comma-separated string into an array, dropping blank entries
# left by a trailing comma or stray whitespace
$allowedDnsServersArray = @($allowedDnsServers -split "\s*,\s*" | Where-Object { $_ })

# An empty allowed list would flag every resolver as unauthorized, so treat it
# as a configuration error rather than a compliance result
if ($allowedDnsServersArray.Count -eq 0) {
    Write-Host "ALERT: cf_dns custom field is empty; no authorized DNS servers defined."
    exit 1
}

# -----------------------------------------------------------------------------

# Function to check whether the DNS servers on every IP-enabled adapter match the
# allowed list. Returns $true only when all adapters comply. The exit happens once,
# after the loop, so every adapter is inspected rather than only the first one.
function Check-DnsServers {
    $networkInterfaces = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled }

    $compliant = $true

    foreach ($interface in $networkInterfaces) {
        # Wrap in @() so a $null property becomes an empty array with .Count = 0
        $dnsServers = @($interface.DNSServerSearchOrder)

        Write-Host "Interface: $($interface.Description)"
        Write-Host "Allowed DNS servers: $($allowedDnsServersArray -join ', ')"
        Write-Host "Current DNS servers: $($dnsServers -join ', ')"

        if ($dnsServers.Count -gt 0) {
            # Any resolver not in the allowed list is a policy deviation
            $unauthorized = @($dnsServers | Where-Object { $allowedDnsServersArray -notcontains $_ })

            if ($unauthorized.Count -eq 0) {
                Write-Host "SUCCESS: DNS servers match the allowed list."
            } else {
                Write-Host "ALERT: Unauthorized DNS servers found: $($unauthorized -join ', ')"
                $compliant = $false
            }
        } else {
            # No resolvers at all is also out of policy; report it as an alert
            Write-Host "ALERT: No DNS servers configured"
            $compliant = $false
        }
    }

    return $compliant
}

# Check if the DNS servers match the allowed list; a non-zero exit raises the monitor alert
if (Check-DnsServers) {
    exit 0
} else {
    exit 1
}

Use Cases

  • Validating that critical endpoints only use secure, approved DNS servers
  • Ensuring remote workstations adhere to corporate network policies
  • Detecting and alerting on unauthorized or rogue DNS changes
  • Proactively maintaining uniform DNS configurations across environments

Recommendations

  • Test in a lab or non-production environment before widespread deployment
  • Utilize a script-based monitor in Level to receive real-time alerts if DNS settings deviate
  • Set up a scheduled Automation in Level for consistent validation
  • Regularly update the cf_dns custom field to reflect current authorized servers
  • Investigate and remediate any “ALERT” messages promptly

FAQ

  • How do I specify my authorized DNS servers?
    Update the cf_dns field in Level with a comma-separated list of valid DNS addresses.
  • What happens if there are no DNS servers configured?
    The script will report an alert indicating that no DNS servers are set, prompting you to correct the configuration.
  • Will this script automatically fix DNS settings?
    No. It only checks for discrepancies. You can, however, create an additional remediation script to set the correct DNS servers if needed.
  • Does this script require administrative privileges?
    Yes. Under Level, scripts run with System or Root permissions, allowing full access to network adapter configurations.
  • Can I use it in different network environments?
    Absolutely. Just ensure your custom field is updated with the proper DNS entries for each environment.
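The FAQ above points to a separate remediation script for resetting resolvers. The following is an added example of such a companion script; it is not part of the Level library script on this page. It assumes the same cf_dns custom field, the DnsClient module that ships with Windows 8 / Server 2012 and later, and the SYSTEM privileges Level runs scripts with. Like the monitor, it handles IPv4 resolvers only.

```powershell
# Added example: remediate adapters whose resolvers deviate from the cf_dns list.
# Assumptions (not from the original page): Windows PowerShell 5.1+ with the
# DnsClient module, run as SYSTEM under Level, IPv4 resolvers only.

$allowedDnsServers = "{{cf_dns}}"
$allowed = @($allowedDnsServers -split "\s*,\s*" | Where-Object { $_ })

# Refuse to run with an empty policy: Set-DnsClientServerAddress with no
# addresses would wipe the resolvers and take the endpoint offline.
if ($allowed.Count -eq 0) {
    Write-Host "ALERT: cf_dns is empty; refusing to change resolvers."
    exit 1
}

# Only touch adapters that are up; DNS on a disconnected adapter is irrelevant to the check
$adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
$changed = 0

foreach ($adapter in $adapters) {
    $current = @(Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
                 Select-Object -ExpandProperty ServerAddresses)

    $unauthorized = @($current | Where-Object { $allowed -notcontains $_ })

    if ($current.Count -gt 0 -and $unauthorized.Count -eq 0) {
        Write-Host "OK    $($adapter.Name): $($current -join ', ')"
        continue
    }

    # Replace the whole list rather than removing single entries, so the
    # resulting order is exactly the approved search order
    Write-Host "FIX   $($adapter.Name): was '$($current -join ', ')', setting '$($allowed -join ', ')'"
    try {
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $allowed -ErrorAction Stop
        $changed++
    } catch {
        Write-Host "ERROR $($adapter.Name): $($_.Exception.Message)"
        exit 1
    }
}

# Re-read the configuration so the automation fails loudly if the change did not take effect
Clear-DnsClientCache
foreach ($adapter in $adapters) {
    $after = @(Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
               Select-Object -ExpandProperty ServerAddresses)
    if ($after.Count -eq 0 -or @($after | Where-Object { $allowed -notcontains $_ }).Count -gt 0) {
        Write-Host "ALERT $($adapter.Name): resolvers still out of policy after remediation"
        exit 1
    }
}

Write-Host "Remediation complete; $changed adapter(s) updated."
exit 0
```

Two caveats before scheduling this as an Automation. Set-DnsClientServerAddress makes the resolver list static on a DHCP-assigned adapter, so the DHCP-provided servers are ignored from then on; that is usually what you want on managed desktops, but for roaming laptops consider restricting the adapter filter to wired or domain-joined interfaces. And because an empty or mistyped cf_dns value would be pushed to every endpoint, validate the field (for example, that each entry parses as an IP address) before widening the Automation's scope.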

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name

Windows Monitor - DNS Servers

Description

This script verifies that the DNS servers configured on all active network interfaces match a predefined list of allowed servers. It compares the current DNS servers against the allowed list and outputs "SUCCESS" if they all match or "ALERT" if any discrepancies are found or no DNS servers are configured.

Language

PowerShell

Timeout (In Seconds)

100

Run As

Local system
