While resolving a different DNS issue (which we solved) I noticed this.
First, some information:
We have a few ports connected to load balanced ISA servers.
We have a few ports connected to load balanced Web Servers.
The ISA and Web server ports are on different VLANs.
To solve the issue we had, I used port mirroring to mirror the web server ports to another port so I could use Wireshark to monitor the DNS traffic. I noticed that both ports saw all DNS responses to the ISA servers. To confirm my suspicions I mirrored just one of the ISA ports and sure enough, that port also saw all of the DNS responses to the Web servers (all the web servers.) It's just the responses - if a Web server sends out a query the response is also seen on any of the ports any of the ISA servers are in.
When I remove port mirroring, the machine I have doing the monitoring stops seeing any DNS responses for either of them.
So my question is why does it appear that the router is multi-casting the DNS responses it receives? And what is it using to decide what ports it's being multi-cast to? They are on seperate VLANs.
To make it more confusing, there is a third VLAN for Internet Kiosks with their own ISA firewall, and DNS responses to that port are not seen on either of the other two VLANs. However, that VLAN does see the DNS responses for the other two VLANs.
First, some information:
We have a few ports connected to load balanced ISA servers.
We have a few ports connected to load balanced Web Servers.
The ISA and Web server ports are on different VLANs.
To solve the issue we had, I used port mirroring to mirror the web server ports to another port so I could use Wireshark to monitor the DNS traffic. I noticed that both ports saw all DNS responses to the ISA servers. To confirm my suspicions I mirrored just one of the ISA ports and sure enough, that port also saw all of the DNS responses to the Web servers (all the web servers.) It's just the responses - if a Web server sends out a query the response is also seen on any of the ports any of the ISA servers are in.
When I remove port mirroring, the machine I have doing the monitoring stops seeing any DNS responses for either of them.
So my question is why does it appear that the router is multi-casting the DNS responses it receives? And what is it using to decide what ports it's being multi-cast to? They are on seperate VLANs.
To make it more confusing, there is a third VLAN for Internet Kiosks with their own ISA firewall, and DNS responses to that port are not seen on either of the other two VLANs. However, that VLAN does see the DNS responses for the other two VLANs.