DNS server cache causing network problems

For the past day and a half, something in our DNS cache has been causing our internet access to tank.

Our DNS server is integrated with active directory, and sits on the same network as the rest of our machines. I've discovered that if I disable the DNS service, even temporarily, our internet access comes back. This of course caused problems with just about everything else on our domain because this (for now) is the only DNS server we have locally. I've also noticed that if I go into the DNS console, and clear the DNS cache, then internet access speeds back up to a functional level, but this only lasts a few minutes.

One thing I find suspicious is that until yesterday afternoon (when I first cleared the cache and reloaded the DNS server), we only had 2 folders in our DNS console: Forward Lookup Zones and Reverse Lookup Zones. We now have a third, Cached Lookups. There's a whole bunch of zone records in there that are for domains in Taiwan, Hong Kong, Argentina, and a few others. This is obviously something wrong or malicious, but when I try to delete the zone record it tells me it can't be deleted because the zone doesn't exist. This may be related, but until an hour ago we were receiving steady messages in our DNS Event Log saying:

>>The DNS server is configured to forward to a non-recursive DNS server at
DNS servers in forwarders list MUST be configured to process recursive queries. <<

It goes on to give instructions on how to mitigate this, but the address specified (and they're random) is definitely not in my forwarders list. These addresses also resolve to places like Taiwan and Hong Kong.

I've tried to find another way to delete these, but haven't had any luck. Also, when I clear the cache, the entries for the garbage zone records start coming back immediately. Does anyone know if this is a sign of a remote DoS attack, or has anyone seen this before in cases where the box may have been compromised?
Cached Lookups is a normal part of the DNS console. It only shows up if you go to View and select Advanced. You probably had it hidden before.

It's possible the server has been compromised, but it's more likely one of your workstations has. You could try turning on logging in the server's properties to see what machine is making those DNS queries. A better option would be to run a sniffer like Wireshark.

Once you've identified the problem machine, scan the heck out of it with anti-malware tools.
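Worked example of the logging approach in the reply above, added here and not part of that reply or of the thread. It parses a Windows DNS Server debug log, keeps only queries received from clients (not the server's own outbound traffic or its responses), and reports which client sends the most queries and how many distinct names and top-level domains each one asks for. A spam-sending host or the mail relay itself shows up as one address doing a flood of MX lookups for names it has never asked about before. The log lines, client addresses and domain names are constructed for the example; a real run would read the file set under Debug Logging in the server's properties instead of SAMPLE_LOG.

```python
"""Find which client is hammering a Windows DNS server, from its debug log.

Added example (not from the thread). SAMPLE_LOG is constructed to follow the
Windows DNS Server debug-log layout (date, time, thread id, context, packet
id, protocol, Snd/Rcv, remote IP, XID, R/Q, opcode, flags, question type,
name in length-prefixed label form); the IPs and domains are made up.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
3/4/2013 10:12:06 AM 0E10 PACKET  0000000002A1F6E0 UDP Rcv 192.168.1.55     0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
3/4/2013 10:12:06 AM 0E10 PACKET  0000000002A1F6E0 UDP Snd 192.168.1.55     0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
3/4/2013 10:12:07 AM 0E10 PACKET  0000000002A1F700 UDP Rcv 192.168.1.20     a1b2   Q [0001   D   NOERROR] MX     (4)mail(7)example(2)tw(0)
3/4/2013 10:12:07 AM 0E10 PACKET  0000000002A1F700 UDP Rcv 192.168.1.20     a1b3   Q [0001   D   NOERROR] MX     (4)smtp(7)example(2)hk(0)
3/4/2013 10:12:07 AM 0E10 PACKET  0000000002A1F700 UDP Rcv 192.168.1.20     a1b4   Q [0001   D   NOERROR] MX     (3)mx1(7)example(2)ar(0)
3/4/2013 10:12:08 AM 0E10 PACKET  0000000002A1F700 UDP Rcv 192.168.1.20     a1b5   Q [0001   D   NOERROR] MX     (4)mail(7)example(2)tw(0)
3/4/2013 10:12:08 AM 0E10 PACKET  0000000002A1F700 UDP Rcv 192.168.1.20     a1b6   Q [0001   D   NOERROR] A      (5)relay(7)example(2)hk(0)
3/4/2013 10:12:09 AM 0E10 PACKET  0000000002A1F6E0 UDP Rcv 192.168.1.55     0003   Q [0001   D   NOERROR] A      (8)intranet(4)corp(5)local(0)
"""

# One packet per line. The "R" column is present on responses and absent on
# queries; "Rcv" is the direction as seen by the server.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(wire: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [label for label in re.split(r"\(\d+\)", wire) if label]
    return ".".join(labels)


def parse_queries(text: str) -> list:
    """Return only the queries clients sent to the server, as dicts."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue  # malformed line, outbound packet, or a response
        queries.append({
            "client": m.group("ip"),
            "qtype": m.group("qtype"),
            "name": decode_name(m.group("name")),
        })
    return queries


def summarize(queries: list) -> dict:
    """Per-client volume and breadth, plus what is being asked for overall."""
    per_client = Counter(q["client"] for q in queries)
    names_by_client = defaultdict(set)
    for q in queries:
        names_by_client[q["client"]].add(q["name"])
    return {
        "queries_per_client": per_client,
        "unique_names_per_client": {ip: len(s) for ip, s in names_by_client.items()},
        "tld_counts": Counter(q["name"].rsplit(".", 1)[-1] for q in queries),
        "qtype_counts": Counter(q["qtype"] for q in queries),
        "top_talker": per_client.most_common(1)[0][0] if per_client else None,
    }


def report(summary: dict) -> str:
    """Human-readable version of summarize()'s output."""
    lines = ["queries per client:"]
    for ip, n in summary["queries_per_client"].most_common():
        distinct = summary["unique_names_per_client"][ip]
        lines.append(f"  {ip:<16} {n:>5} queries, {distinct} distinct names")
    lines.append("top TLDs: " + ", ".join(
        f"{t}={n}" for t, n in summary["tld_counts"].most_common(5)))
    lines.append("query types: " + ", ".join(
        f"{t}={n}" for t, n in summary["qtype_counts"].most_common()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(parse_queries(SAMPLE_LOG))))
```

Two things to keep in mind when reading the output. Only hosts that actually use this server as their resolver appear in its log, so a machine pointed at an outside resolver stays invisible here and needs the Wireshark approach instead. And count the server's own address too: a mail relay running on the DNS box itself (as turned out to be the case later in this thread) will show up as the top talker doing MX lookups, not as a workstation. Debug logging also costs CPU and disk on a busy server, so turn it off once you have what you need.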
Hey Danno,

I'm in agreement with Shift on this one. I would have to believe that one (or more) of your machines has some type of spyware or viral infection on it and it is constantly doing lookups. The DNS cache is growing large because the server is getting hammered with lookup requests.

One tried and true method (if you don't have a lot of workstations) is to unplug all of the machines, clear out the DNS cache and start bringing the workstations up one by one. I know this is a pain, but it will definitely isolate which machine is causing the issues.

Also, if you use centralized AV software like Symantec Corporate Edition or Trend Micro on the server and workstations, you can run a network sweep from the server and check all of the workstations. Be sure to update the definition files first!

This one is called DNS cache poisoning; check the following documents for help.

Topics are too large to be posted here.

Shane Russell (2nd Line Desktop Support) commented:
Just a thought, and not sure if it would have the same effect as what was suggested above with regards to unplugging the workstations and bringing them back up one by one, but what about disabling each computer object and slowly but surely re-enabling each computer object in AD?

Like I said, just a thought, and I'm not sure if it would have the same effect....
danno778 (Author) commented:
The problem wasn't caused by what I thought it was, but I'm accepting Shift's answer because he replied first, and for no other reason. It turns out that this server (which I neglected to mention is also running a mail proxy, and yes, I know it's not a best practice) was being used as an open relay. The mail proxy was updated a few weeks ago and a setting (which wasn't meant to control external mail relaying but actually blocked it) stopped working. Relaying was allowed at the Exchange level because it was being blocked at the proxy. The update in question fixed the "bug" that allowed relaying to be blocked at the proxy, thus leaving us unprotected. It was only a matter of time before the open relay was discovered and exploited, and the ensuing traffic caused slowdowns on the proxy, causing it to crash intermittently. It was also putting strain on the DNS server, which was caching all of those domains in Taiwan while resolving the email addresses. Thankfully we were able to close the relay in a short amount of time. Thanks all for your input...
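The open relay that turned out to be the real cause can be checked for directly. The following is an added example, not code from the thread: it opens an SMTP session, presents a sender at one outside domain and a recipient at another, and reads the server's answer to RCPT TO. It never sends DATA, so no message is delivered. The fake SMTP server in the block is a constructed stand-in so the check can be run offline against both an open and a closed relay; the hostnames and probe addresses are assumptions. Against a real host you would call check_open_relay with your mail proxy's address and port 25.

```python
"""Check whether an SMTP host relays between two domains it is not
responsible for. Added example; the FakeSMTPServer below is a constructed
stand-in used only to demonstrate the check offline, and the
*.example addresses are placeholders."""
import smtplib
import socket
import threading


def check_open_relay(host, port, mail_from="probe@external-a.example",
                     rcpt_to="probe@external-b.example", timeout=5.0):
    """Return True if host:port accepts RCPT TO for an outside recipient
    from an outside, unauthenticated sender. The envelope is reset and the
    session closed before any DATA, so nothing is ever delivered."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return False  # sender refused outright; not relaying for us
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()  # abandon the envelope; __exit__ sends QUIT
        return code == 250


class FakeSMTPServer(threading.Thread):
    """Minimal SMTP responder (constructed for the example). It answers
    every RCPT TO with 250 when relay_allowed is True, otherwise 550."""

    def __init__(self, relay_allowed):
        super().__init__(daemon=True)
        self.relay_allowed = relay_allowed
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with conn, conn.makefile("rb") as reader:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            while True:
                raw = reader.readline()
                if not raw:
                    return  # client went away
                verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    reply = b"250 fake.example\r\n"
                elif verb == "MAIL":
                    reply = b"250 2.1.0 Sender OK\r\n"
                elif verb == "RCPT":
                    reply = (b"250 2.1.5 Recipient OK\r\n" if self.relay_allowed
                             else b"550 5.7.1 Relaying denied\r\n")
                elif verb == "RSET":
                    reply = b"250 2.0.0 Reset state\r\n"
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    return
                else:
                    reply = b"500 5.5.1 Command unrecognised\r\n"
                conn.sendall(reply)


def demo():
    """Run the check against one open and one closed fake relay."""
    results = {}
    for label, allowed in (("open-relay", True), ("closed-relay", False)):
        server = FakeSMTPServer(relay_allowed=allowed)
        server.start()
        results[label] = check_open_relay("127.0.0.1", server.port)
    return results


if __name__ == "__main__":
    for label, relays in demo().items():
        print(f"{label}: {'RELAYS' if relays else 'refuses'} outside mail")
```

Two caveats before trusting the verdict. A 250 at RCPT TO is strong evidence but some MTAs accept the recipient and only reject after DATA, so a positive result is worth confirming with a second look at the server's own relay settings and queue. Conversely a 550 here does not prove the relay is tight: this probe tries only a plain outside recipient, not the malformed or source-routed address forms older relay tests use, and it says nothing about relaying allowed by IP range, which was exactly the hole in this thread (Exchange trusting the proxy, the proxy no longer filtering). Run it only against hosts you are responsible for.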