
Windows DNS

Status
Not open for further replies.

tomslacks

Technical User
Mar 30, 2002
This question may be in the wrong forum but this seemed the closest.

I have Win2K DNS on my home network. Once a day I get a message from my firewall (Tiny Personal Firewall) that DNS is trying to connect to the ns1.flyingcroc.com server. Flyingcroc is a web hosting company that has several porn-related sites. This message comes on in the middle of the night when there is no internet activity. I have been unable to find any ad-ware that is connecting, and all normal DNS is allowed through the firewall. Is this normal or some type of ad-ware that I don't know about? If it is normal, how can I turn it off? I don't like my computer accessing random servers.

Thanks, T
 
One of the machines on your network has made the request apparently. Tell me more about your connection. Are you using 2k server for your workstation? Are you behind NAT or using a public address?

Jim - Synnex Info Tech
 
I have 2 Win2K Pro workstations, 2 Win2K servers and 1 OSX Mac. My router uses NAT and I have a cable connection. The request always appears near 2am when there is no internet activity going on. My DNS, DHCP and firewall are all on one of the Win2K servers (server1). On server1 I get the request to allow/deny the connection. I get a message box from the firewall that states that server1 has requested to connect to ns1.flyingcroc.com. I have denied the request every time. I am assuming that this is their DNS server, but why only that one? They are not my ISP and the IP does match any given out by my DHCP leases. I can make a rule that denies it every time, but I would like to know where the request is coming from. I am afraid that it is sending some usage info to their servers, or is this just paranoid?

T
 
You must have some kind of software/application running on your network that is trying to connect to the bad site.

What you need to do is figure out which machine may have this software installed.

You are correct that this is their DNS server, and your DNS server has received a request from some machine to go get this information. Go into your DNS setups and turn on all the logging. It's under the properties dialog box, under the Logging tab; turn on everything.

Then the next day go into the Event Viewer and, under DNS, review the log for that time period and see if it shows up. If not, something else is wrong or going on.

I know you're going to ask this question: if you find out it is an application running on your network, you'll ask how it got there. We call that install on demand or a pushed install from some web site you went to. It uses a technique similar to the way a web site resets your home page.
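
The log review suggested above, as an added example that is not part of the original thread: it finds the names the DNS server sent to one outside name server and lists which internal clients asked for those names, and when. The log lines are constructed and assume the packet-line layout of later Windows Server DNS debug logs (Windows 2000's log text may differ); `203.0.113.53` is a placeholder address and the function names are hypothetical.

```python
import re

# Constructed sample in the packet-line layout of later Windows Server DNS
# debug logs (assumption). 203.0.113.53 stands in for the outside name server.
SAMPLE_LOG = """\
6/1/2002 2:01:07 AM 05C4 PACKET  00A1B2C0 UDP Rcv 192.168.1.12    1f3a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
6/1/2002 2:01:07 AM 05C4 PACKET  00A1B2C0 UDP Snd 203.0.113.53    9c02   Q [0000       NOERROR] A      (3)www(7)example(3)com(0)
6/1/2002 2:01:08 AM 05C4 PACKET  00A1B2C0 UDP Rcv 203.0.113.53    9c02 R Q [0084 A     NOERROR] A      (3)www(7)example(3)com(0)
6/1/2002 9:15:40 AM 05C4 PACKET  00A1B300 UDP Rcv 192.168.1.10    77aa   Q [0001   D   NOERROR] A      (4)mail(7)example(3)net(0)
6/1/2002 9:15:40 AM 05C4 PACKET  00A1B300 UDP Snd 198.51.100.7    2b10   Q [0000       NOERROR] A      (4)mail(7)example(3)net(0)
"""

# time, thread, PACKET, packet id, protocol, direction, remote IP, xid,
# optional R (response), opcode, [flags], question type, question name
PACKET_RE = re.compile(
    r"^(\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+(Rcv|Snd)\s+(\S+)"
    r"\s+[0-9a-fA-F]+\s+(R)?\s*\w\s+\[[^\]]*\]\s+(\S+)\s+(\S+)"
)

def decode_name(raw):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com'."""
    return ".".join(p for p in re.findall(r"\(\d+\)([^()]*)", raw) if p)

def parse(log_text):
    """Yield (time, direction, remote_ip, is_response, qtype, qname) per packet line."""
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            when, direction, remote, resp, qtype, raw = m.groups()
            yield when, direction, remote, resp == "R", qtype, decode_name(raw).lower()

def clients_behind(log_text, upstream_ip):
    """Map each name sent to upstream_ip to the (time, client) queries that asked for it."""
    packets = list(parse(log_text))
    # Questions this server sent out to the name server being investigated.
    forwarded = {p[5] for p in packets
                 if p[1] == "Snd" and p[2] == upstream_ip and not p[3]}
    asked_by = {name: [] for name in forwarded}
    for when, direction, remote, is_resp, _qtype, name in packets:
        # Inbound queries (not responses) for the same name identify the requester.
        if direction == "Rcv" and not is_resp and name in forwarded and remote != upstream_ip:
            asked_by[name].append((when, remote))
    return asked_by

if __name__ == "__main__":
    for name, hits in clients_behind(SAMPLE_LOG, "203.0.113.53").items():
        print(name, hits or "no client query logged")
```

A name that comes back with an empty client list was sent out without any logged client asking for it, so the next place to look is the server itself rather than a workstation.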
 
The ns1.flyingcroc.com server is probably more than just their DNS. If it were a normal DNS request, you wouldn't get the message. (I assume you don't get these messages when you browse other sites.) They are probably trying to exploit the Windows messaging service with an ad or worse. I'm not that familiar with the Tiny Firewall. Make sure that port 53 is closed except for sessions that originate from the inside (dynamic). Set your DNS server as a forwarder to your ISP, so that it won't be connecting to other DNS servers to resolve requests.

Jim - Synnex Info Tech
 