
AlexIT

Technical User
Jul 27, 2001
802
US
I am working on a new network configuration. We put four Win2K servers (AD/DNS/DHCP, Exchange, Mail Marshal, OracleDB) behind a Raptor firewall to host a remote AD domain. I have the raptor set as the default gateway, and using its DNSd service, it is now the forwarder for the AD/DNS server, which has recursion disabled (and the root hints deleted). All the other servers point to the AD/DNS for their DNS. Name resolution works fine, except I see in the raptor logs a flood of outgoing traffic to the root name servers with destination port 53 (which of course it blocks, because the servers are supposed to ask the raptor for external DNS name resolution). These floods happen from each server, periodically, in random order throughout the day. The source port on the server changes every three or four attempts. The firewall is doing its job by blocking this, but I hate to see the logs getting filled with spurious errors.

So where in Win2K (on all four servers) could this be coming from??

Here is a copy of a few of the attempts:
(192.168.1.10->192.175.48.1: Protocol=UDP Port 3162->53)
(192.168.1.11->192.175.48.1: Protocol=UDP Port 3630->53)
(192.168.1.12->192.175.48.1: Protocol=UDP Port 1601->53)
(192.168.1.13->192.175.48.1: Protocol=UDP Port 4463->53)


Any suggestions will be appreciated!
 
Well, 192.175.48.1 is definitely a DNS root server.

Looks like all your machines are trying to access it, not just your internal dns server.
I highly doubt this is suspicious traffic. So you may have better luck posting in the DNS forums.

A wild guess? Are you using dynamic DNS or the standard primary and secondary DNS structure?
Check on your machines to see if they're set to register their names with a DNS server. Might be it...maybe

At any rate, try to sniff the traffic to find out what they're trying to resolve.

I'll see your DMCA and raise you a First Amendment.
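An added example, not from the thread or any of its posters: a small script that parses firewall log entries in the format quoted in the first post and reports, per source host, how many outbound UDP/53 attempts were logged, how many distinct source ports were used, and which hosts sent DNS traffic somewhere other than the resolver they are supposed to use. That answers the point raised in the reply above (is it only the AD/DNS server, or every member server?) without reading the raw log by hand. The log lines below are constructed to mirror the thread's format; the internal DNS address 192.168.1.10 comes from the thread, while the firewall's inside address 192.168.1.1 is an assumption.

```python
import re
from collections import defaultdict

# Matches one "(src->dst: Protocol=X Port a->b)" entry as logged by the firewall in the thread.
# Several entries may be run together on a single line, so callers scan with finditer().
ENTRY_RE = re.compile(
    r"\((?P<src>\d+\.\d+\.\d+\.\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):\s*"
    r"Protocol=(?P<proto>\w+)\s+Port\s+(?P<sport>\d+)->(?P<dport>\d+)\)"
)

# Constructed sample log in the thread's format (not a real capture). It includes a
# source-port change on the AD/DNS server, one member server talking to the internal
# DNS as it should, and one non-DNS entry that must be ignored.
SAMPLE_LOG = """
(192.168.1.10->192.175.48.1: Protocol=UDP Port 3162->53)
(192.168.1.10->192.175.48.1: Protocol=UDP Port 3162->53)
(192.168.1.10->192.175.48.1: Protocol=UDP Port 3163->53)
(192.168.1.11->192.175.48.1: Protocol=UDP Port 3630->53)(192.168.1.12->192.175.48.1: Protocol=UDP Port 1601->53)
(192.168.1.13->192.175.48.1: Protocol=UDP Port 4463->53)
(192.168.1.13->192.168.1.10: Protocol=UDP Port 4464->53)
(192.168.1.11->192.175.48.1: Protocol=TCP Port 1025->25)
"""

INTERNAL_DNS = "192.168.1.10"   # the AD/DNS server named in the thread
FIREWALL_DNS = "192.168.1.1"    # assumed inside address of the Raptor (its DNSd forwarder)


def parse_entries(text):
    """Return one dict per log entry found anywhere in the text."""
    return [
        {
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto").upper(),
            "sport": int(m.group("sport")),
            "dport": int(m.group("dport")),
        }
        for m in ENTRY_RE.finditer(text)
    ]


def is_dns_query(entry):
    """Only outbound UDP to port 53 counts as a DNS query here."""
    return entry["proto"] == "UDP" and entry["dport"] == 53


def summarize_dns_egress(entries):
    """Per source host: number of UDP/53 attempts, distinct source ports, destinations."""
    per_src = defaultdict(lambda: {"attempts": 0, "sports": set(), "dsts": set()})
    for e in filter(is_dns_query, entries):
        rec = per_src[e["src"]]
        rec["attempts"] += 1
        rec["sports"].add(e["sport"])
        rec["dsts"].add(e["dst"])
    return {
        src: {
            "attempts": rec["attempts"],
            "distinct_source_ports": len(rec["sports"]),
            "destinations": sorted(rec["dsts"]),
        }
        for src, rec in per_src.items()
    }


def offending_flows(entries, internal_dns=INTERNAL_DNS, firewall_dns=FIREWALL_DNS):
    """(src, dst) pairs where a host queried something other than its expected resolver.

    Expected path in the thread's design: member servers -> internal AD/DNS,
    and the AD/DNS server -> the firewall's forwarder. Anything else is a bypass
    worth investigating (a resolver setting, or a service with its own resolver).
    """
    offenders = set()
    for e in filter(is_dns_query, entries):
        expected = firewall_dns if e["src"] == internal_dns else internal_dns
        if e["dst"] != expected:
            offenders.add((e["src"], e["dst"]))
    return sorted(offenders)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for src, rec in sorted(summarize_dns_egress(parsed).items()):
        print(f"{src}: {rec['attempts']} attempts, "
              f"{rec['distinct_source_ports']} source ports, -> {rec['destinations']}")
    print("bypassing expected resolver:", offending_flows(parsed))
```

Run it against the real log export instead of `SAMPLE_LOG`; if every member server shows up in `offending_flows`, the cause is on each host rather than only on the AD/DNS server, which narrows the search to per-host resolver configuration or a service each of them runs.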
 
The three secondary servers should only register themselves with the internal DNS server, as it's authoritative for the internal domain...so only 192.168.1.10 should be trying to register itself to an outside source using dynamic DNS, but it's definitely an idea (why didn't I think of that!)

Thanks, I'll play with those settings.
Alex
 
The AD/DNS server has recursion disabled (and the root
hints deleted.) The floods have not stopped, and I am stumped.

Where in Win2K (on all four servers) could this be
coming from? WHY would the member servers ever try to update the Root Name Servers? Wouldn't they only go to the AD server that is authoritative for their DNS suffix?)

I am tearing (the last of) my hair out here...
 
Rogaine!

Anyway...It's a packet sniffer. It'll let you look at the DNS queries to find out exactly what the servers are trying to do. Armed with this information, we can narrow down the search a bit and hopefully find an answer!
[thumbsup2]

I'll see your DMCA and raise you a First Amendment.
 