DNS server cache causing network problems

Posted on 2006-11-30
Last Modified: 2012-08-14
For the past day and a half, something in our DNS cache has been causing our internet access to tank.

Our DNS server is integrated with active directory, and sits on the same network as the rest of our machines. I've discovered that if I disable the DNS service, even temporarily, our internet access comes back. This of course caused problems with just about everything else on our domain because this (for now) is the only DNS server we have locally. I've also noticed that if I go into the DNS console, and clear the DNS cache, then internet access speeds back up to a functional level, but this only lasts a few minutes.

One thing I find suspicious, is that until yesterday afternoon (when I first cleared the cache and reloaded the DNS server), we only had 2 folders in our DNS console: Forward Lookup Zones and Reverse Lookup Zones. We now have a third, Cached Lookups. There's a whole bunch of zone records in there that are for domains in Taiwan, Hong Kong, Argentina, and a few others. This is obviously something wrong or malicious, but when I try to delete the zone record it tells me it can't be deleted because the zone doesn't exist. This may be related, but until an hour ago, we were receiving steady messages in our DNS Event Log saying:

>>The DNS server is configured to forward to a non-recursive DNS server at
DNS servers in forwarders list MUST be configured to process recursive queries. <<

It goes on to give instructions on how to mitigate this, but the address specified (and they're random) is definitely not in my forwarders list. These addresses also resolve to places like Taiwan and Hong Kong.

I've tried to find another way to delete these, but haven't had any luck. Also, when I clear the cache, the entries for the garbage zone records start coming back immediately. Does anyone know if this is a sign of a remote DoS attack, or has anyone seen this before in cases where the box may have been compromised?

Question by: danno778

Accepted Solution

Shift-3 earned 125 total points
ID: 18048691
Cached Lookups is a normal part of the DNS console.  It only shows up if you go to View and select Advanced.  You probably had it hidden before.

It's possible the server has been compromised, but it's more likely one of your workstations has.  You could try turning on logging in the server's properties to see what machine is making those DNS queries.  A better option would be to run a sniffer like Wireshark.

Once you've identified the problem machine, scan the heck out of it with anti-malware tools.
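One way to act on the logging suggestion above: aggregate the server's query log per client and rank hosts by query volume, spread of distinct domains and share of MX lookups, so the machine hammering the server stands out. This is an added example, not code from the thread; the log line layout (`time client qtype qname`) and the sample lines are constructed for illustration, not the real Windows DNS debug-log format.

```python
"""Rank DNS clients by lookup volume and domain spread to spot a noisy host."""
import re
from collections import defaultdict

# Constructed sample log (not a real capture): "<time> <client-ip> <qtype> <qname>".
# One internal host is resolving MX records for many unrelated foreign domains.
SAMPLE_LOG = """\
10:15:01 192.168.1.50 A www.example.com
10:15:02 192.168.1.20 MX mail-a.example.tw
10:15:02 192.168.1.20 MX mail-b.example.hk
10:15:03 192.168.1.20 MX mail-c.example.ar
10:15:03 192.168.1.20 MX mail-d.example.tw
10:15:04 192.168.1.51 A www.example.com
10:15:04 192.168.1.20 MX mail-e.example.hk
10:15:05 192.168.1.51 A update.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Z]+)\s+(\S+)$")


def registered_domain(qname):
    """Approximate the registered domain by keeping the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def rank_clients(log_text):
    """Return per-client stats, busiest (and broadest) client first."""
    stats = defaultdict(lambda: {"queries": 0, "mx": 0, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # skip malformed or unexpected lines
            continue
        _, client, qtype, qname = m.groups()
        s = stats[client]
        s["queries"] += 1
        s["mx"] += qtype == "MX"
        s["domains"].add(registered_domain(qname))
    ranked = [
        {"client": c, "queries": s["queries"],
         "distinct_domains": len(s["domains"]),
         "mx_share": s["mx"] / s["queries"]}
        for c, s in stats.items()
    ]
    return sorted(ranked, key=lambda r: (r["queries"], r["distinct_domains"]), reverse=True)


if __name__ == "__main__":
    for row in rank_clients(SAMPLE_LOG):
        print(row)
```

A host with a high query count, many distinct domains and a mostly-MX profile is the one to inspect first; a workstation browsing the web looks quite different.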

Assisted Solution

Jonas1 earned 125 total points
ID: 18051635
Hey Danno,

I'm in agreement with Shift on this one.  I would have to believe that one (or more) of your machines has some type of spyware or viral infection on it and it is constantly doing lookups.   The DNS cache is growing large because the server is getting hammered with lookup requests.

One tried but true method (if you don't have a lot of workstations) is to unplug all of the machines, clear out the DNS cache and start bringing the workstations up one by one.   I know this is a pain, but it will definitely isolate which machine is causing the issues.

Also, if you use a centralized AV software like Symantec Corporate Edition or Trend Micro on the server and workstations, you can run a network sweep from the server and check all of the workstations.  Be sure to update the definition files first!


Assisted Solution

yours_harjeet earned 125 total points
ID: 18055532
This one is called DNS Cache Poisoning; check the following documents for help.

Topics are too large to be posted here.


Assisted Solution

gecko_au2003 earned 125 total points
ID: 18055617
Just a thought, and not sure if it would have the same effect as what was suggested above with regards to unplugging the workstations and bringing them back up one by one, but what about disabling each computer object and slowly but surely re-enabling each computer object in AD??

Like I said, just a thought, and I'm not sure if it would have the same effect....

Author Comment

ID: 18071307
The problem wasn't caused by what I thought it was, but I'm accepting Shift's answer because he replied first, and for no other reason. It turns out that this server (which I neglected to mention is also running a mail proxy, and yes, I know it's not a best practice) was being used as an open relay. The mail proxy was updated a few weeks ago and a setting (which wasn't meant to control external mail relaying but actually blocked them) stopped working. Relaying was allowed at the Exchange level because it was being blocked at the proxy. The update in question fixed the "bug" that allowed relaying to be blocked at the proxy, thus leaving us unprotected. It was only a matter of time before the open relay was discovered and exploited, and the ensuing traffic caused slowdowns on the proxy, causing it to crash intermittently. It also was putting strain on the DNS server, which was caching all of those domains in Taiwan while resolving the email addresses. Thankfully we were able to close the relay in a short amount of time. Thanks all for your input...
