Excessive Dial Up On Router - I'm going to be fired !!

Status
Not open for further replies.

jasonb007

Technical User
Apr 2, 2001
49
GB
Hi,

I have W2K Advanced Server and a Dlink DI300M router. Since moving to W2K from NT4 the router seems to be constantly active.

I use DHCP to give the clients IP addresses. Something is triggering the router, therefore this month's phone bill was astronomical !!

In response to another user, I've deleted all the forwarders in DNS and disabled DNS Server and Client in Services, but still dial-ups occur. There must be thousands of people with W2K and routers and this problem, so there must be a simple solution.

My boss is off and I have this week to solve this b4 I get fired on Tuesday as it was my recommendation to move to W2K. Any information on how to solve this would be appreciated.

Jason B.
 
The DLink router probably has a feature that will tell exactly what triggers the calls. If it's DNS, Netbios, NTP, whatever..

It's not clear exactly what you use the router for, i.e. connecting to the internet, other offices etc??

Have you enabled Netbios filters?

If you can be sure that it's only the server that generates the calls, you could watch it and do a netstat -a and see what it tries to contact through the router.
(Setup a schedule overnight with netstat -A >>netstat.log)

Hope you don't lose your job!
 
Thanks for your reply. I can see which IP addresses the server asks the router to look for. They are all 194.168.180.x, where x differs most of the time.

The router is used to access our ISP for Internet and Email purposes.

Where would you enable NetBios filters? I am 99% certain it is the server as I've had all the clients turned off. I will use netstat to make a log.

Jason.
 

With Netstat -a you will also be able to see what kind of traffic the server sends out.
Like <IpAdresse/DNSname>:nbsession

I don't know DLink routers, so I can't tell you where you should enable Netbios filters, so you'll have to RTFM ;)

 
Hello jasonb007, had a similar problem but with a Cisco router. I'm assuming you are using ISDN. From the server remove all DNS IP addresses, also the gateway IP. To be exact you need a sniffer program to see who is the talker. You need to do step by step troubleshooting. Take down the server when all users are logged off and see the results. Most likely it is the 2000 server.
 
Hi Jason

Most likely you have sorted it out by now, but I was researching a weird virus-like attack for a client and came across the W95/MTX.gen@M worm which runs MTX_.EXE as a process and makes Internet calls every 2 minutes according to McAfee.

If it's not the other stuff, is your AV up to date?

Regards
 
To date I have not solved this issue. I have installed SP2 plus also blocked NetBIOS traffic. This hasn't helped. I have moved to an unlimited access dialup account (ISP), which doesn't matter how many times I now connect, until I have more time to study this issue. I can't believe there isn't a straightforward solution to this.

I feel for all the users/administrators who are experiencing this issue.
 
Hey, what kind of connection are you using with the 2K server, is it an RRAS just for sharing your net connection? Is it running NAT, anything else? Have you tried making the interface connected to the router Demand dial (again, shooting in the dark without more info)? If you are using RRAS go into the RRAS MMC and use the "routing general" then click the external interface and enable packet filters. First start with dropping all packets, if the calls stop, this is where it is coming from. Then once they have stopped, start enabling types of traffic, one at a time. This way you will come across the bandit. Or you might blindly fix it. Hope this helps
 
I'm not sure you haven't covered this, but I had the same problem last week and it turned out to be incorrect dns settings on a client machine that dialed out every few minutes looking for dns resolution, result - mucho large phone bill. They were using a 3com router modem which had a log available for the last 10 connections via a browser interface. That's how I found out what was happening. Hope this is of some help.
 
I have also had a similar problem with an Allied Telesyn router. After sniffing what was going on and where, I narrowed it down to WINS on port 135. Try blocking port 135, it may help.


Amb3rsil
 
HI!

This is most likely a DNS issue.

I guess you have an internal DNS server on Win2K itself.
I also guess that your internal DNS server is not configured as a root server, which means that if it cannot answer a request it will try to contact one of the root DNS servers of the Internet.

There are several solutions:
1) Configure the DNS server as a root server. Simply add a "." (dot) primary zone to it.
THIS IS NOT A GOOD SOLUTION SINCE IT WILL CAUSE PROBLEMS USING LEGITIMATE DNS REQUESTS TO THE INTERNET!

2) Redesign DNS:
Configure all servers and clients to use your internal DNS server.
Configure all servers and clients to use the same internal DNS domain name.
(Same name as your AD domain name).
Reconfigure your DNS server not to be a root server (delete the "." zone if needed. This is the opposite of the previous solution).
Reconfigure your DNS server with ISP DNS servers as forwarders.
If you don't use forwarders, your DNS server will contact other farther DNS ROOT servers and this will degrade performance (a bit) and will anyway not change your ISDN bills.

3) In any configuration, you can configure the ISDN router not to dial on WINS or DNS requests. However this might prevent legitimate connections to the Internet from working unless first accessed by IP address or initiated by another user/server.

4) Anyway, the best solution is what you did - use an unlimited ISDN account.

Bye
Yizhar



Yizhar Hurwitz
 
I am having the same problem as you. I have stopped DNS services, filtered TCP/UDP 137/138/139/445 in the ISDN router, took out the DNS IP addresses of my ISP in the network configuration, but still every 2 minutes or so the server makes a DNS (53) call and the dial-up starts again. I have traced the DNS requests to be from my server, I have no trojan viruses according to my AV software so this is ruled out. Not done anything with zones/records yet as I am not really familiar with that. I have searched the internet for all info on this topic since Jan 2001 and not had much luck in finding a solution. I am presuming from all correspondence on this subject that it is a DNS records/lookup thing but I wish somebody could give a decisive answer on this, maybe I will email this direct to Microsoft support and see what they have to say..

If I get anything I will let you know

Till then..
Keep smiling :))
Mark
 
Help?? Just searched and found this old post, the above description is the exact problem that I am experiencing: Win2k with a Cisco router and yep, every 2 mins it dials out. I used netmon, which showed that it tries to hit port 53 DNS with the IP address of my ISP's DNS address set on my NIC. The source port is always different, like 3753 or 53495.

We use u-net dialup which don't have an unmetered service and can't change cos we have our domain registered with them. Last bill was £1,333.75 and my boss has put me in charge of sorting it! Yikes, thanks for any help!
 
Oh, if I remove the ISP's DNS address off the network card then it only dials out to pick up mail or send, then I have no internet access. This will do until I can work out what the problem is.
 
After my last post, I found some things out.. First off, make sure your timeout on the ISDN router is set to say 360 seconds.. the default could be set to zero. Next, make sure you have your NetBIOS filters in place for ports 135, 137, 139 and for W2K port 445 in your router. Then if you have WINS installed, make sure the clients are pointing to your WINS server, this will reduce NetBIOS broadcasts. Next, do you have DNS installed? If so, do not use ROOT SERVER, have IP forwarding only, and in each client make sure that you set the DNS settings to point to the server DNS details. Is your DNS server set up as a .LOCAL, i.e. MYDOMAIN.LOCAL? If not, and you do not use your DNS server for anything other than local resolution, then change to this.
Also,
Remove the NetBIOS protocol from each client if installed, make sure if File & Printer Sharing is installed on any client that it is not set to automatic broadcast, look at the properties and uncheck if necessary.

I have resolved my problem by instigating most of the above, and I hope that it gives you some insight into what might be causing your problem.

Good Luck
Marco

 
Hello Jason B,

Did you ever resolve this problem?

I am experiencing the same, I've tried so many things, I'm now really confused.

 
I have the same problem..... The only thing that solves my problem is to use a proxy server - MS ISA Server
 
Or get a flat rate charge from your ISP for your internet. I run ISA and I still had the problem. I found that when my server was dialing, the IP was actually microsoft.com that it was trying to reach, and a few others. I think that some programs try to do an auto update; if you have Service Pack 3 on a Win2k server you set it to not update in Control Panel. Not sure if this will help any cos I got the flat rate, which seemed the easiest answer! The other thing that lifted the line was DNS queries, I think there is some stuff to change on that in previous posts!

Good luck
 
Thanks for your prompt replies,

I have 5 servers to put on Windows2000, only installed 2 so far, but they are not in buildings owned by me. They don't use my ISP, they supply their own, so that they can control filtering for children to use the workstations. The ISP doesn't offer flat rate charges - I had already considered this.

I've installed SP3 yesterday but no change.

5 copies of (Proxy Server) ISA server is not an option at present because we don't have enough money in our budget.
 
What have I started here !! I never solved this issue with W2K and spurious dial-ups. I signed up for a flat rate ISP although this is not ideal because I am limited to 64KB (with BT). In the end we reverted back to NT 4.0 Server, which is more of a workaround than a solution. We also tried a proxy server, but this didn't solve the issue.

I haven't heard from anyone who has resolved this completely.
 
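Added example, not part of any post in this thread: several posters narrowed the dial-ups down by logging traffic and looking for what recurs, such as a DNS query to port 53 about every two minutes. The script below does that over a constructed capture summary; the line format, the addresses (private and documentation ranges) and the name `dial_triggers` are assumptions, not output of Netmon or any router.

```python
import ipaddress
import re
from collections import defaultdict
from statistics import median

# Ports named in the thread, with the cause the posters attribute to each.
SUSPECT_PORTS = {53: "DNS lookup", 135: "port 135 (reported as WINS)",
                 137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB over TCP"}

# Constructed line format (assumption): "HH:MM:SS PROTO src:port -> dst:port"
LINE = re.compile(r"(\d\d):(\d\d):(\d\d) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")

# Constructed sample: one server, ISP resolver at a documentation address.
SAMPLE = """\
01:00:00 UDP 192.168.0.10:3753 -> 203.0.113.53:53
01:00:30 UDP 192.168.0.10:137 -> 192.168.0.255:137
01:02:01 UDP 192.168.0.10:53495 -> 203.0.113.53:53
01:04:00 UDP 192.168.0.10:4021 -> 203.0.113.53:53
01:05:10 TCP 192.168.0.10:1188 -> 198.51.100.7:80
01:06:02 UDP 192.168.0.10:4402 -> 203.0.113.53:53
"""

def dial_triggers(log, lan="192.168.0.0/24", jitter=10):
    """Group off-LAN packets by (source, proto, dst port); flag periodic ones."""
    lan_net = ipaddress.ip_network(lan)
    seen = defaultdict(list)
    for m in LINE.finditer(log):
        h, mi, s, proto, src, _sport, dst, dport = m.groups()
        if ipaddress.ip_address(dst) in lan_net:
            continue  # stays on the LAN, so it cannot raise the WAN line
        # Source port is ignored on purpose: it changes on every query.
        seen[(src, proto, int(dport))].append(int(h) * 3600 + int(mi) * 60 + int(s))
    report = []
    for (src, proto, dport), times in sorted(seen.items()):
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps) if gaps else None
        # Periodic: 3+ packets whose gaps all lie within `jitter` seconds of the median.
        periodic = len(times) >= 3 and all(abs(g - period) <= jitter for g in gaps)
        report.append({"source": src, "proto": proto, "port": dport,
                       "cause": SUSPECT_PORTS.get(dport, "other"),
                       "count": len(times), "period_s": period,
                       "periodic": periodic})
    return report

if __name__ == "__main__":
    for row in dial_triggers(SAMPLE):
        print(row)
```

A periodic row identifies the host and service to fix or filter first; one-off rows such as the single web request are ordinary use.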