Tag Archives: hijack

PowerShell script to alert for changes in NS records


Posted on October 17, 2013 by

UPDATE: A newer version of this script is here.

Last week, Johannes Ullrich shared a Bash script that would check for changes in NS records.  This was in a blog post about the google.com.my DNS hijack.  I wanted to create a version of the this script that would be usable on Windows machines.  So I created the PowerShell script below that does pretty much the same thing as the Bash script.  The script runs nslookup.exe instead of DIG and queries the DNS server for all NS records for a domain.  This is saved in file named domain.new and compared with a previous query of the NS records stored in domain.old.  If there are any differences, an email is sent and an entry is made in the Application Event Log. (more…)