
DNS Record Scavenging

The DNS scavenging feature allows you to remove unused DNS resource records from zone data to prevent the accumulation of unneeded records. A scavenging operation determines, based on predefined rules, which records are not needed, i.e. are reclaimable, and removes them. For information about scavenging rules, see Scavenging Rules in this topic.

Scavenging is used for records with the dynamic record source type. Dynamic records are those created automatically, for example, via a dynamic DNS update. Static records, i.e. records that you add manually, can be identified as reclaimable based on scavenging rules but are not subject to scavenging. You can see the source type for each record in the DNS Resource Records viewer in Grid Manager.

You can use the records scavenging feature at the following levels in NIOS:

  • Grid: scavenging is performed in all views and zones of the Grid.

  • DNS view: scavenging is performed in all zones of the view.

  • Authoritative zone (a Grid primary or unassigned zone): scavenging is performed in the specified zone, but not in the subzones.

You can either scavenge DNS records immediately or schedule automatic scavenging. For more information, see Scavenging DNS Records Immediately and Scheduling Automatic Scavenging in this topic.

You can organize and monitor records identified as reclaimable by using Smart Folders. For information, see Smart Folders.

Scavenging events are logged in the NIOS syslog. You can view them as described in Viewing the Syslog and Searching in the Syslog.

The records are removed to the Recycle Bin and can be restored from there. For more information, see Restoring Reclaimed Records in this topic.

Note

Membership in the DNS Admin group is required to complete scavenging operations. For details, see Administrative Permissions for DNS Records Scavenging below. See Forcing Creation Timestamp Initialization for Unchanged Records for information on handling the creation timestamp of records that remain unchanged at DDNS updates.

Scavenging Rules


You can configure the following match rules to identify reclaimable DNS resource records:

  • Resource Record Type: This rule allows you to specify the record type to run scavenging on. A record is reclaimable if its type matches or does not match the type specified in the rule. The record types that support scavenging include the following:

    • A

    • AAAA

    • PTR

    • CNAME

    • DNAME

    • MX

    • SRV

    • NAPTR

    • TXT

  • Creation Time: This rule allows you to identify reclaimable records based on the record's creation timestamp. You can see the "Creation Time" value for the records in the DNS Resource Records viewer.

  • Last Queried Time: This rule allows you to identify reclaimable records based on when they were last queried for their DNS data. You can see the last queried time for the records in the DNS Resource Records viewer.

    Note that if you use this rule, also select Enable last queried time monitoring for resource records in the Grid, view, or zone scavenging properties, as described in the next section.

  • Last Discovered Time: This rule allows you to identify reclaimable records based on the record's last discovered timestamp. This rule is applicable to A, AAAA, and PTR records.

  • Record Source: This rule allows you to specify the record source – static or dynamic – to be used as a filter when identifying reclaimable records.

  • Associated Records: This rule allows you to identify reclaimable records based on whether they have or do not have associated records. Record associations are supported for address records (A, AAAA, and PTR). Additionally, you can reclaim the associated records when reclaiming the original ones by enabling the option When reclaiming A, AAAA, or PTR records, also reclaim the corresponding, symmetric A, AAAA, and PTR records in the scavenging properties, as described in the next section.

  • Extensible Attributes: You can specify extensible attributes that reclaimable records should match in addition to the scavenging rules described above.

Configuring DNS Record Scavenging Properties

You can configure the DNS record scavenging properties at the Grid, DNS view, or DNS zone level. According to the NIOS inheritance pattern for object properties, the scavenging properties configured at a given level are inherited by the level below, unless overridden.

To configure the DNS record scavenging properties, complete the following:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Grid DNS Properties.
    DNS view: From the Data Management tab, select the DNS tab and click the Zones tab -> dns_view checkbox -> Edit icon.
    DNS zone: From the Data Management tab, select the DNS tab and click the Zones tab -> click a DNS view -> zone checkbox -> Edit icon.

  2. If the properties editor is in basic mode, click Toggle Advanced Mode.

  3. Click DNS Scavenging.

  4. Enable last queried time monitoring for resource records: Select this if you are going to use the Last Queried Time rule. This setting enables monitoring the time when the resource record was last queried for its DNS data. For more information on DNS queries monitoring for resource records, see Monitoring DNS Queries.

  5. Enable last queried time monitoring for zones: This setting enables monitoring the time when the zone, or at least a single record in it, was last queried for its DNS data. The data resulting from zone last queries time monitoring is displayed in the zones viewer (Data Management -> DNS -> Zones -> click a DNS view to open zones list).

    Note that enabling monitoring for a zone does not enable monitoring for child zones.

  6. Under Prevent the following ACLs or ACEs from updating the last queried timestamp, you can configure a set of ACLs (Access Control Lists) that stop DNS queries from specific clients from updating the last-queried timestamp. These controls are available only if you first select Enable last queried time monitoring for resource records or Enable last queried time monitoring for zones; both options are disabled by default. Note that the permission semantics are the reverse of an allow list: Include prevents the client from updating the timestamp, and Exclude allows it.

  7. Select one of the following: 

    • None: Select this option if you do not want to configure any access control for updating the last queried time stamp. When you select this option, NIOS will allow updates to the last queried time stamp for the queries received from any client. This is selected by default.

    • Named ACL: Select this option and click Select Named ACL to select a named ACL that you want to use. If you have only one named ACL, only that named ACL is displayed. When you select this option, the appliance prevents clients with the Include permission from updating the last queried timestamp. You can click Clear to remove the selected named ACL.

    • Set of ACEs: Select this option to configure individual access control entries (ACEs). Click the Add icon and select one of the following from the drop-down list. Depending on the item you select, Grid Manager either adds a row for the selected item or expands the panel so that you can specify additional information about the item you are adding.

      • IPv4 Address and IPv6 Address: Select this option to add an IPv4 or IPv6 address. Click the Value field and enter the IP address. The Permission column displays Include by default. You can change it to Exclude by clicking the field and selecting Exclude from the drop-down list. When you select Include, the appliance prevents the client from updating the last queried timestamp. When you select Exclude, the appliance allows the client to update the last queried timestamp.

      • IPv4 Network: In the Add IPv4 Network panel, complete the following, and then click Add to add the network to the list:

        • Address: Enter an IPv4 network address and either type a netmask or move the slider to the desired netmask.

        • Permission: Select Include or Exclude from the drop-down list. 

      • IPv6 Network: In the Add IPv6 Network panel, complete the following, and then click Add to add the network to the list:

        • Address: Enter an IPv6 network address and select the netmask from the drop-down list.

        • Permission: Select Include or Exclude from the drop-down list. 

      • Any Address/Network: Select this option to include or exclude all IP addresses and networks in the last queried ACL list. The default permission is Include, which means the appliance prevents all clients from updating the last queried timestamp. You can change this to Exclude to allow all clients to update the last queried timestamp.

      • After you have added access control entries, you can perform the following:

        • Select the ACEs that you want to consolidate and put into a new named ACL. Click the Create new named ACL icon and enter a name in the Convert to Named ACL dialog box. The appliance creates a new named ACL and adds it to the Named ACL panel. Note that the ACEs you configure for this operation stay intact.

        • Reorder the list of ACEs using the up and down arrows next to the table.

        • Select an ACE and click the Edit icon to modify the entry.

        • Select an ACE and click the Delete icon to delete the entry. You can select multiple ACEs for deletion.

  8. Select Enable record scavenging.

  9. To override the inherited properties, click Override and complete the fields.

  10. Under Match the following rule, create a rule as follows. For information about rules, see Scavenging Rules above.

    • Choose Filter: Select a criterion from the drop-down list.

    • Choose Operator: Select an operator for the filter criterion.

    • In the value field, enter the value for the filter field.

    To add another rule, do one of the following:

    • Click + to add another rule at the same level.

    • Click |<- to add an all (logical AND) or any (logical OR) operator line and a parenthetical rule that is indented one level and placed above the first rule.

    • Click ->| to add an all (logical AND) or any (logical OR) operator line and a parenthetical rule that is indented one level.

    To logically combine the whole ruleset, select Match all of the following rules or Match any of the following rules.

    After you add all the match rules, you can click Reset to remove the previously configured rules and start again.

  11. Under Match records with the following extensible attribute, add an extensible attribute to use as an additional criterion for finding necessary records.

    • Choose Operator: Select an operator for the filter criterion.

    • Choose Filter: Select a criterion from the drop-down list.

    • In the value field, enter the value for the filter field.

    • To add another extensible attribute, click +.

  12. To logically combine the extensible attributes set, select Match all records with the following extensible attributes or Match any records with the following extensible attributes.

  13. After you add all the extensible attributes, you can click Reset to remove the previously configured attributes and start again.

    Note that the extensible attributes rule is always combined with the rest of the match rules using the AND operator.

  14. When reclaiming A, AAAA or PTR records, also reclaim the corresponding, symmetric A, AAAA and PTR records: Select this if you want to reclaim the records associated with the ones identified as reclaimable.

  15. To configure a schedule for automatic records scavenging, select Enable scheduled record scavenging. See Scheduling Automatic Scavenging in this topic.

  16. Click Save & Close or Save.
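The last-queried ACL described in the procedure above is easy to get backwards, because Include prevents a client from refreshing the timestamp and Exclude allows it, and the order of the entries matters since they can be reordered. The following Python is an added example, not Infoblox code, that models the decision for a list of ACEs. It assumes that entries are evaluated top down with the first match winning, and that a client matching no entry may update the timestamp (the same result as the None setting). The ACE class, the updates_last_queried function, the LAST_QUERIED_ACL list and all addresses in it are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry (illustrative structure, not the NIOS object)."""
    target: str      # "any", a single IPv4/IPv6 address, or a CIDR network
    permission: str  # "Include" = prevented from updating, "Exclude" = allowed


def _matches(ace: ACE, client) -> bool:
    if ace.target == "any":
        return True
    net = ipaddress.ip_network(ace.target, strict=False)  # "10.0.0.5" -> 10.0.0.5/32
    return client.version == net.version and client in net


def updates_last_queried(client_ip: str, aces: list[ACE]) -> bool:
    """True if a query from client_ip updates the last-queried timestamp.

    Assumption: the first matching entry wins; no match behaves like the
    None setting and allows the update.
    """
    client = ipaddress.ip_address(client_ip)
    for ace in aces:
        if _matches(ace, client):
            return ace.permission == "Exclude"
    return True


# Constructed example. A monitoring probe at 10.0.0.5 queries every name in
# the zone on a schedule; if its queries counted as "use", nothing in the zone
# would ever look idle. Real clients live in 10/8 and 2001:db8:1::/48. The
# trailing "any" entry keeps its default Include permission, so queries from
# anywhere else do not refresh timestamps either.
LAST_QUERIED_ACL = [
    ACE("10.0.0.5", "Include"),         # probe: prevented
    ACE("10.0.0.0/8", "Exclude"),       # real IPv4 clients: allowed
    ACE("2001:db8:1::/48", "Exclude"),  # real IPv6 clients: allowed
    ACE("any", "Include"),              # everyone else: prevented
]


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.1.2.3", "2001:db8:1::10", "192.0.2.7"):
        verdict = "updates" if updates_last_queried(ip, LAST_QUERIED_ACL) else "ignored"
        print(f"{ip:>16}  {verdict}")
```

Swapping the first two entries lets the probe refresh timestamps again, because 10.0.0.5 then hits the 10.0.0.0/8 Exclude entry first, so check the order after editing or after converting ACEs into a named ACL. The other failure mode is the opposite one: an ACL consisting only of Any Address/Network with its default Include permission stops every client from updating the timestamp, and a Last Queried Time rule then sees every record in scope as idle once the configured interval has passed.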

Scheduling Automatic Scavenging

You can schedule a scavenging operation only at the Grid level. For a scavenging operation at the view or zone level, you can use the schedule inherited from the Grid.

Note

Infoblox recommends manually testing the configured scavenging settings before enabling scheduled scavenging.

  1. In the DNS record scavenging properties described in the previous section, select the Enable scheduled record scavenging checkbox.

  2. To enable automatic scavenging after records are marked as reclaimable, select After marking a record as reclaimable, automatically reclaim the record.

  3. Click the Scheduling icon and complete the following in the Scavenging Scheduler dialog:

    • Select how often you want to execute the scavenging. You can select Once, Hourly, Daily, Weekly, or Monthly.

    • If you select Once, complete the following:

      • Enter the day in the date picker and select a month from the drop-down list. When you select Once, DNS record scavenging takes place once a year, on the date that you selected.

      • Enter a time in the hh:mm:ss AM/PM format. You can also select a time from the drop-down list.

      • Choose the time zone.

    • If you select Hourly, complete the following:

      • Schedule every hour(s) at: Enter the number of hours between each scavenging instance. You can enter a value from 1 to 24.

      • Minutes past the hour: Enter the number of minutes past the hour. For example, enter 5 if you want to schedule the scavenging operation five minutes after the hour.

      • Choose the Time Zone.

    • If you select Daily, complete the following:

      • Click either Every day or Every weekday.

      • Enter a time in the hh:mm:ss AM/PM format. You can also select a time from the drop-down list.

      • Choose the Time Zone.

    • If you select Weekly, complete the following:

      • Schedule every week on: Select any day of the week.

      • Enter a time in the hh:mm:ss AM/PM format. You can also select a time from the drop-down list.

      • Choose the Time Zone.

    • If you select Monthly, complete the following:

      • Schedule the day of the month: Enter the day of the month and the monthly interval. For example, to run scavenging on the first day of every second month, enter Day 1 every 2 month(s).

      • Enter a time in the hh:mm:ss AM/PM format. You can also select a time from the drop-down list.

      • Choose the Time Zone.

  4. Click OK.

Scavenging DNS Records Immediately

To perform record scavenging for the Grid, a DNS view, or a zone according to the predefined rules, use the Scavenge Records command from the Toolbar. This adds a background task that starts immediately or, if another scavenging task is in progress, after its completion.

The scavenging is split into two stages that you can execute separately or together:

  • Mark records as reclaimable: This stage analyzes the records against the scavenging rules. The records matching the rules are marked as reclaimable, i.e. their "Reclaimable" flag is set to "Yes" in the DNS Resource Records viewer. These records can be reclaimed by using the second stage, unless you disable scavenging for them as described in Disabling Scavenging for Individual Records in this topic.

  • Reclaim records marked as reclaimable: This stage removes the records that were marked as reclaimable by the first stage. Running only this stage without the analysis stage does not perform a new analysis of the affected records; it removes only the records that were marked as reclaimable during the previous analysis.

You can also reset the reclaimable flag of the records. This is useful, for example, when records were marked as reclaimable under a previous scavenging policy and some of them are no longer reclaimable under a revised policy.

Note

To start immediate scavenging of DNS records, you must first carefully define the scavenging properties, as described in Configuring DNS Record Scavenging Properties in this topic.

To scavenge DNS records immediately, complete the following:

  1. Grid: From the Data Management tab, select the DNS tab, expand the Toolbar and click Scavenge Records -> Scavenge Grid Records.
    DNS view: From the Data Management tab, select the DNS tab, click a DNS view, expand the Toolbar, and then click Scavenge Records -> Scavenge View Records.
    DNS zone: From the Data Management tab, select the DNS tab, click a DNS view, click a zone, expand the Toolbar, and then click Scavenge Records -> Scavenge Zone Records.

  2. Select one of the following:

    • Scavenge Records: Select this to proceed to the record scavenging. Go to the next step.

    • Reset reclaimable flag: Select this to set the "Reclaimable" flag of all affected records to "No".

  3. If you chose Scavenge Records, select one of the following options or both of them:

    • Mark records as reclaimable

    • Reclaim records marked as reclaimable

      Note that static records are never reclaimed automatically even if they are marked as reclaimable. You can only delete static records manually from the DNS Resource Records viewer.

  4. Click Start.

To check the progress of the current scavenging task, you can use the DNS Record Scavenging widget in the Dashboard. You can also view a scavenging report, as described in DNS Scavenged Object Count Trend.

The scavenging task may be subject to an approval workflow. For information on approval workflows, see Configuring Approval Workflows.
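To make the interaction of the scavenging rules, the two stages described in this section, the per-record disable flag and the Recycle Bin concrete, here is an added Python model. It is example code, not Infoblox software and not the NIOS WAPI. The Record and Policy classes, the function names, the "older than N days" operators and the sample zone data are all constructed for illustration. One assumption is made deliberately: a record with no last-queried timestamp is never counted as idle, because right after monitoring is enabled every record is in that state and marking them all would throw away live data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Record:
    name: str
    rtype: str
    source: str                        # "static" or "dynamic"
    created: datetime                  # Creation Time
    last_queried: Optional[datetime]   # Last Queried Time; None = no timestamp yet
    extattrs: dict = field(default_factory=dict)
    reclaimable: bool = False          # the "Reclaimable" flag in the viewer
    scavenging_disabled: bool = False  # "Disable scavenging for this record"


@dataclass
class Policy:
    """One rule set (assumed layout; the real editor builds it from filter rows)."""
    types: set                    # Resource Record Type rule: type is in this set
    min_age_days: int             # Creation Time rule: created more than N days ago
    idle_days: int                # Last Queried Time rule: not queried for N days
    extattrs: dict                # Extensible Attributes rule, always ANDed in
    source: Optional[str] = None  # Record Source rule; None = no source rule
    match_any: bool = False       # "Match any" (OR) instead of "Match all" (AND)


def _older_than(ts: Optional[datetime], days: int, now: datetime) -> bool:
    # Assumption: no timestamp (e.g. monitoring just enabled) never counts as idle.
    return ts is not None and now - ts > timedelta(days=days)


def matches(rec: Record, pol: Policy, now: datetime) -> bool:
    rules = [
        rec.rtype in pol.types,
        pol.source is None or rec.source == pol.source,
        _older_than(rec.created, pol.min_age_days, now),
        _older_than(rec.last_queried, pol.idle_days, now),
    ]
    combined = any(rules) if pol.match_any else all(rules)
    ea_ok = all(rec.extattrs.get(k) == v for k, v in pol.extattrs.items())
    return combined and ea_ok  # the EA rule is always combined with AND


def mark(records: list[Record], pol: Policy, now: datetime) -> int:
    """Stage 1: analyse every record against the rules and set its flag."""
    for rec in records:
        rec.reclaimable = matches(rec, pol, now)
    return sum(r.reclaimable for r in records)


def reclaim(records: list[Record], recycle_bin: list[Record]) -> list[Record]:
    """Stage 2: move flagged records to the Recycle Bin without re-analysing.
    Static records and records with scavenging disabled stay even if flagged."""
    kept = []
    for rec in records:
        if rec.reclaimable and rec.source == "dynamic" and not rec.scavenging_disabled:
            recycle_bin.append(rec)
        else:
            kept.append(rec)
    return kept


def reset_flags(records: list[Record]) -> None:
    """The "Reset reclaimable flag" action: every flag back to No."""
    for rec in records:
        rec.reclaimable = False


def restore(recycle_bin: list[Record], records: list[Record], name: str) -> Record:
    """Restoring from the Recycle Bin resets the flag to No."""
    rec = next(r for r in recycle_bin if r.name == name)
    recycle_bin.remove(rec)
    rec.reclaimable = False
    records.append(rec)
    return rec


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed sample data below


def sample_records() -> list[Record]:
    ago = lambda days: NOW - timedelta(days=days)
    lab, prod = {"Site": "lab"}, {"Site": "prod"}
    return [
        Record("stale-lab.example.com", "A", "dynamic", ago(400), ago(200), lab),
        Record("busy-lab.example.com", "A", "dynamic", ago(400), ago(1), lab),
        Record("new-lab.example.com", "A", "dynamic", ago(3), None, lab),
        Record("stale-prod.example.com", "A", "dynamic", ago(400), ago(200), prod),
        Record("old-static.example.com", "A", "static", ago(400), ago(200), lab),
        Record("pinned.example.com", "AAAA", "dynamic", ago(400), ago(200), lab,
               scavenging_disabled=True),
    ]


LAB_POLICY = Policy(types={"A", "AAAA", "PTR"}, min_age_days=30, idle_days=90,
                    extattrs={"Site": "lab"})


def run_demo() -> dict:
    records, recycle_bin = sample_records(), []
    marked = mark(records, LAB_POLICY, NOW)       # stage 1
    records = reclaim(records, recycle_bin)       # stage 2
    removed = [r.name for r in recycle_bin]
    flagged = sorted(r.name for r in records if r.reclaimable)
    restored = restore(recycle_bin, records, removed[0])
    return {"marked": marked, "removed": removed, "still_flagged": flagged,
            "restored_flag": restored.reclaimable, "remaining": len(records)}


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes explicit: old-static.example.com is flagged but survives the reclaim stage, as the page states for static records, and pinned.example.com survives because scavenging was disabled for it individually. Calling reclaim before mark removes nothing, matching the statement that the reclaim stage performs no analysis of its own, and a restored record comes back with its Reclaimable flag set to No.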

Disabling Scavenging for Individual Records

You can disable scavenging for individual records, even if they are marked as reclaimable. Such a record is never reclaimed unless you enable scavenging for it again.

To disable scavenging for a record, complete the following:

  1. In the DNS Resource Records viewer, select the appropriate record.

  2. Click Edit.

  3. In the record properties dialog, click DNS Scavenging.

  4. Select the Disable scavenging for this record checkbox.

  5. Click Save & Close.

Additionally, you can see the following information in the resource record scavenging properties:

  • Record creation time

  • Record last queried time

  • Whether the record is reclaimable

For records synced from MS servers, the creation timestamp is not synced. This implies the following limitations:

  • When a zone is converted from MS to NIOS, the timestamp is initialized to the time when the operation occurs.

  • When a zone is converted from NIOS to MS, the timestamp is reset.

Administrative Permissions for DNS Records Scavenging

By default, only superusers can perform DNS records scavenging. Limited-access users can use the scavenging functionality if they have the corresponding DNS scavenging permissions. For more information about admin permissions, see About Administrative Permissions.

The DNS scavenging permissions are global to Grid Manager. They are used in addition to the regular DNS global and object permissions. For more information about the DNS permissions, see Administrative Permissions for DNS Resources.

The following operations require scavenging permissions:

  • Modifying scavenging properties for the Grid, a view, or a zone

  • Configuring a scavenging schedule

  • Performing a scavenging task

  • Viewing the DNS Record Scavenging dashboard widget

  • Viewing the DNS Scavenged Object Count Trend report

Restoring Reclaimed Records

A reclaimed record remains in the Recycle Bin until the bin is emptied. You can restore the deleted records from the Recycle Bin, as described in Restoring Objects from the Recycle Bin.

The Recycle Bin does not record whether a record was deleted by a scavenging process or manually, so you cannot restore only the reclaimed records.

When a record is restored from the Recycle Bin, its Reclaimable flag is reset to "No".