

DNS server cache causing network problems

Posted on 2006-11-30
Medium Priority
Last Modified: 2012-08-14
For the past day and a half, something in our DNS cache has been causing our internet access to tank.

Our DNS server is integrated with active directory, and sits on the same network as the rest of our machines. I've discovered that if I disable the DNS service, even temporarily, our internet access comes back. This of course caused problems with just about everything else on our domain because this (for now) is the only DNS server we have locally. I've also noticed that if I go into the DNS console, and clear the DNS cache, then internet access speeds back up to a functional level, but this only lasts a few minutes.

One thing I find suspicious is that until yesterday afternoon (when I first cleared the cache and reloaded the DNS server), we only had 2 folders in our DNS console: Forward Lookup Zones and Reverse Lookup Zones. We now have a third, Cached Lookups. There's a whole bunch of zone records in there that are for domains in Taiwan, Hong Kong, Argentina, and a few others. This is obviously something wrong or malicious, but when I try to delete the zone record it tells me it can't be deleted because the zone doesn't exist. This may be related, but until an hour ago, we were receiving steady messages in our DNS Event Log saying:

>>The DNS server is configured to forward to a non-recursive DNS server at
DNS servers in forwarders list MUST be configured to process recursive queries. <<

It goes on to give instructions on how to mitigate this, but the address specified (and they're random) is definitely not in my forwarders list. These addresses also resolve to places like Taiwan and Hong Kong.

I've tried to find another way to delete these, but haven't had any luck. Also, when I clear the cache, the entries for the garbage zone records start coming back immediately. Does anyone know if this is a sign of a remote DOS attack, or has anyone seen this before in cases where the box may have been compromised?
Question by: danno778

Accepted Solution

Shift-3 earned 375 total points
ID: 18048691
Cached Lookups is a normal part of the DNS console.  It only shows up if you go to View and select Advanced.  You probably had it hidden before.

It's possible the server has been compromised, but it's more likely one of your workstations has.  You could try turning on logging in the server's properties to see what machine is making those DNS queries.  A better option would be to run a sniffer like Wireshark.

Once you've identified the problem machine, scan the heck out of it with anti-malware tools.

Assisted Solution

Jonas1 earned 375 total points
ID: 18051635
Hey Danno,

I'm in agreement with Shift on this one. I would have to believe that one (or more) of your machines has some type of spyware or viral infection on it and it is constantly doing lookups. The DNS cache is growing large because the server is getting hammered with lookup requests.

One tried but true method (if you don't have a lot of workstations) is to unplug all of the machines, clear out the DNS cache and start bringing the workstations up one by one. I know this is a pain, but it will definitely isolate which machine is causing the issues.

Also, if you use a centralized AV software like Symantec Corporate Edition or Trend Micro on the server and workstations, you can run a network sweep from the server and check all of the workstations. Be sure to update the definition files first!


Assisted Solution

yours_harjeet earned 375 total points
ID: 18055532
This one is called DNS Cache Poisoning; check the following documents for help.

Topics are too large to be posted here.


Assisted Solution

gecko_au2003 earned 375 total points
ID: 18055617
Just a thought, and not sure if it would have the same effect as what was suggested above with regards to unplugging the workstations and bringing them back up one by one, but what about disabling each computer object and slowly but surely re-enabling each computer object in AD?

Like I said, just a thought and I'm not sure if it would have the same effect....

Author Comment

ID: 18071307
The problem wasn't caused by what I thought it was, but I'm accepting Shift's answer because he replied first, and for no other reason. It turns out that this server (which I neglected to mention is also running a mail proxy, and yes, I know it's not a best practice) was being used as an open relay. The mail proxy was updated a few weeks ago and a setting (which wasn't meant to control external mail relaying but actually blocked them) stopped working. Relaying was allowed at the Exchange level because it was being blocked at the proxy. The update in question fixed the "bug" that allowed relaying to be blocked at the proxy, thus leaving us unprotected. It was only a matter of time before the open relay was discovered and exploited, and the ensuing traffic caused slowdowns on the proxy, causing it to crash intermittently. It also was putting strain on the DNS server, which was caching all of those domains in Taiwan while resolving the email addresses. Thankfully we were able to close the relay in a short amount of time. Thanks all for your input...
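Shift-3's suggestion to turn on DNS logging and see which machine is making the queries, and the author's finding that the flood was MX lookups for foreign domains from an abused open relay, can both be checked from the server's debug log. The script below is an added example, not code from the thread: it parses constructed log lines in the style of the Windows Server 2003 DNS debug log (the exact field layout is an assumption; adjust the regex to your server's output), counts inbound queries per client, and flags any client asking for MX records of many distinct domains.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a Windows Server 2003 DNS debug log;
# the field layout is an assumption, so adjust LINE_RE to match your server's output.
SAMPLE_LOG = """\
20061130 10:15:01 3F8 PACKET UDP Rcv 192.168.1.50 0012 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
20061130 10:15:02 3F8 PACKET UDP Rcv 192.168.1.10 0013 Q [0001 D NOERROR] MX (7)example(3)com(2)tw(0)
20061130 10:15:02 3F8 PACKET UDP Rcv 192.168.1.10 0014 Q [0001 D NOERROR] MX (8)example2(3)com(2)hk(0)
20061130 10:15:03 3F8 PACKET UDP Rcv 192.168.1.10 0015 Q [0001 D NOERROR] MX (8)example3(3)com(2)ar(0)
20061130 10:15:03 3F8 PACKET UDP Rcv 192.168.1.10 0016 Q [0001 D NOERROR] MX (8)example4(3)net(2)tw(0)
20061130 10:15:04 3F8 PACKET UDP Rcv 192.168.1.50 0017 Q [0001 D NOERROR] A (6)update(7)example(3)com(0)
20061130 10:15:05 3F8 PACKET UDP Snd 192.168.1.50 0012 R [8081 DR NOERROR] A (3)www(7)example(3)com(0)
"""

LINE_RE = re.compile(
    r"^\S+\s+\S+\s+\S+\s+PACKET\s+\S+\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+\S+\s+"
    r"(?P<qr>[QR])\s+\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

def decode_name(label_form):
    # '(3)www(7)example(3)com(0)' -> 'www.example.com'
    return re.sub(r"\(\d+\)", ".", label_form).strip(".").lower()

def parse_queries(text):
    # Return (client_ip, qtype, name) for every inbound query (Rcv + Q) in the log;
    # responses the server sends (Snd / R) are ignored.
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["dir"] == "Rcv" and m["qr"] == "Q":
            out.append((m["ip"], m["qtype"], decode_name(m["name"])))
    return out

def queries_per_client(queries):
    # Who is hammering the server: inbound query count per source IP.
    return Counter(ip for ip, _, _ in queries)

def mx_fanout_per_client(queries):
    # Distinct names each client asked MX for: an infected workstation or an
    # abused open relay resolving mail for many foreign domains stands out.
    domains = defaultdict(set)
    for ip, qtype, name in queries:
        if qtype == "MX":
            domains[ip].add(name)
    return {ip: len(names) for ip, names in domains.items()}

def suspicious_clients(queries, min_distinct_mx=3):
    fanout = mx_fanout_per_client(queries)
    return sorted(ip for ip, n in fanout.items() if n >= min_distinct_mx)
```

On a real log, raise min_distinct_mx well above what your own mail server legitimately resolves in the same window, and compare the flagged address against the mail proxy's own IP before blaming a workstation.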
