

DNS server cache causing network problems

Posted on 2006-11-30
Medium Priority
Last Modified: 2012-08-14
For the past day and a half, something in our DNS cache has been causing our internet access to tank.

Our DNS server is integrated with active directory, and sits on the same network as the rest of our machines. I've discovered that if I disable the DNS service, even temporarily, our internet access comes back. This of course caused problems with just about everything else on our domain because this (for now) is the only DNS server we have locally. I've also noticed that if I go into the DNS console, and clear the DNS cache, then internet access speeds back up to a functional level, but this only lasts a few minutes.

One thing I find suspicious is that until yesterday afternoon (when I first cleared the cache and reloaded the DNS server), we only had 2 folders in our DNS console: Forward Lookup Zones and Reverse Lookup Zones. We now have a third, Cached Lookups. There's a whole bunch of zone records in there that are for domains in Taiwan, Hong Kong, Argentina, and a few others. This is obviously something wrong or malicious, but when I try to delete the zone record it tells me it can't be deleted because the zone doesn't exist. This may be related, but until an hour ago, we were receiving steady messages in our DNS Event Log saying:

>>The DNS server is configured to forward to a non-recursive DNS server at
DNS servers in forwarders list MUST be configured to process recursive queries. <<

It goes on to give instructions on how to mitigate this, but the address specified (and they're random) is definitely not in my forwarders list. These addresses also resolve to places like Taiwan and Hong Kong.

I've tried to find another way to delete these, but haven't had any luck. Also, when I clear the cache, the entries for the garbage zone records start coming back immediately. Does anyone know if this is a sign of a remote DoS attack, or has anyone seen this before in cases where the box may have been compromised?
Question by:danno778

Accepted Solution

Shift-3 earned 375 total points
ID: 18048691
Cached Lookups is a normal part of the DNS console.  It only shows up if you go to View and select Advanced.  You probably had it hidden before.

It's possible the server has been compromised, but it's more likely one of your workstations has.  You could try turning on logging in the server's properties to see what machine is making those DNS queries.  A better option would be to run a sniffer like Wireshark.

Once you've identified the problem machine, scan the heck out of it with anti-malware tools.
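The logging route Shift-3 mentions produces a packet-level text log on the DNS server. As an added example (not code from the thread or from Microsoft), here is a small Python script that tallies inbound queries per client from a few constructed lines laid out like a Windows DNS server debug log with "Log packets" enabled. The log lines, addresses, names and times are made up for illustration; the per-client counts, distinct-name counts, query types and top-level domains it reports are what you would look at to find the one machine hammering the server, and a client doing mostly MX lookups for foreign domains is exactly what a box relaying mail would look like.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of a Windows DNS server debug log
# (dns.log with "Log packets" enabled). Addresses, names and times are made up.
SAMPLE_LOG = """\
11/30/2006 9:02:11 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.50    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
11/30/2006 9:02:12 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.10    0003   Q [0001   D   NOERROR] MX     (6)mailhk(7)example(2)hk(0)
11/30/2006 9:02:12 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.10    0004   Q [0001   D   NOERROR] MX     (4)spam(7)example(2)tw(0)
11/30/2006 9:02:13 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.10    0005   Q [0001   D   NOERROR] MX     (5)relay(7)example(2)ar(0)
11/30/2006 9:02:13 AM 0BD4 PACKET  00000000022B2AF0 UDP Snd 203.0.113.7     0005   R [8081   DR  NOERROR] MX     (5)relay(7)example(2)ar(0)
11/30/2006 9:02:14 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.10    0006   Q [0001   D   NOERROR] MX     (4)host(7)example(2)tw(0)
11/30/2006 9:02:15 AM 0BD4 PACKET  00000000022B2AF0 UDP Rcv 192.168.1.51    0007   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
"""

# One log line: date, time, thread id, "PACKET", context id, protocol,
# direction (Snd/Rcv), remote IP, transaction id, Q/R, [flags], qtype, name.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>\S+)\s+PACKET\s+(?P<ctx>\S+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>\S+)\s+"
    r"(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

# Names are logged as length-prefixed labels, e.g. (3)www(7)example(3)com(0).
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(labels):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    parts = [text for length, text in LABEL_RE.findall(labels) if int(length) > 0]
    return ".".join(parts).lower()


def parse_line(line):
    """Return a dict of fields for a packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    return rec


def summarize(log_text, top=5):
    """Count inbound client queries by source IP, query type and TLD."""
    per_client = Counter()
    names_per_client = defaultdict(set)
    per_type = Counter()
    per_tld = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only queries received from clients matter here; skip the server's
        # own outbound traffic and its responses.
        if rec is None or rec["dir"] != "Rcv" or rec["qr"] != "Q":
            continue
        per_client[rec["ip"]] += 1
        names_per_client[rec["ip"]].add(rec["name"])
        per_type[rec["qtype"]] += 1
        per_tld[rec["name"].rsplit(".", 1)[-1]] += 1
    return {
        "top_clients": per_client.most_common(top),
        "distinct_names": {ip: len(s) for ip, s in names_per_client.items()},
        "query_types": per_type.most_common(top),
        "top_tlds": per_tld.most_common(top),
    }


def suspicious_clients(summary, min_distinct_names=50):
    """Clients that asked for an unusually large number of different names.

    A workstation normally repeats a small set of names; a spam bot or an
    open relay churns through thousands of distinct mail domains.
    """
    return sorted(ip for ip, n in summary["distinct_names"].items()
                  if n >= min_distinct_names)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in ("top_clients", "query_types", "top_tlds"):
        print(key, s[key])
    print("distinct names per client", s["distinct_names"])
    # Threshold lowered for the tiny sample; use something like 50+ on a real log.
    print("suspicious", suspicious_clients(s, min_distinct_names=3))
```

On a real server, point the script at the debug log file instead of SAMPLE_LOG and raise the distinct-name threshold; the client at the top of the list with many distinct names and a skewed query-type mix is the machine to pull off the network first.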

Assisted Solution

Jonas1 earned 375 total points
ID: 18051635
Hey Danno,

I'm in agreement with Shift on this one.  I would have to believe that one (or more) of your machines has some type of spyware or viral infection on it and it is constantly doing lookups.   The DNS cache is growing large because the server is getting hammered with lookup requests.

One tried but true method (if you don't have a lot of workstations) is to unplug all of the machines, clear out the DNS cache and start bringing the workstations up one by one.   I know this is a pain, but it will definitely isolate which machine is causing the issues.

Also, If you use a centralized AV software like Symantec Corporate edition or Trend Micro on the server and workstations, you can run a network sweep from the server and check all of the workstations.  Be sure to update the definition files first!


Assisted Solution

yours_harjeet earned 375 total points
ID: 18055532
this one is called DNS Cache Poisoning and check the following documents for help.

Topics are too large to be posted here.


Assisted Solution

gecko_au2003 earned 375 total points
ID: 18055617
Just a thought and not sure if it would have the same effect as what was suggested above with regards to unplugging the work stations and bringing them back up one by one, but what about disabling each computer object and slowly but surely re enabling each computer object in AD ??

Like I said, just a thought and I'm not sure if it would have the same effect....

Author Comment

ID: 18071307
The problem wasn't caused by what I thought it was, but I'm accepting Shift's answer because he replied first, and for no other reason. It turns out that this server (which I neglected to mention is also running a mail proxy, and yes, I know it's not a best practice) was being used as an open relay. The mail proxy was updated a few weeks ago and a setting (which wasn't meant to control external mail relaying but actually blocked them) stopped working. Relaying was allowed at the Exchange level because it was being blocked at the proxy. The update in question fixed the "bug" that allowed relaying to be blocked at the proxy, thus leaving us unprotected. It was only a matter of time before the open relay was discovered and exploited, and the ensuing traffic caused slowdowns on the proxy, causing it to crash intermittently. It also was putting strain on the DNS server, which was caching all of those domains in Taiwan while resolving the email addresses. Thankfully we were able to close the relay in a short amount of time. Thanks all for your input...
