Solved

DNS server cache causing network problems

Posted on 2006-11-30
5
769 Views
Last Modified: 2012-08-14
For the past day and a half, something in our DNS cache has been causing our internet access to tank.

Our DNS server is integrated with active directory, and sits on the same network as the rest of our machines. I've discovered that if I disable the DNS service, even temporarily, our internet access comes back. This of course caused problems with just about everything else on our domain because this (for now) is the only DNS server we have locally. I've also noticed that if I go into the DNS console, and clear the DNS cache, then internet access speeds back up to a functional level, but this only lasts a few minutes.

One thing I find suspicious, is that until yesterday afternoon (when I first cleared the cache and reloaded the DNS server), we only had 2 folders in our DNS console. Forward Lookup Zones and Reverse Lookup Zones. We now have a third, Cached Lookups. There's a whole bunch of zone records in there that are for domains in Taiwan, Hong Kong, Argentina, and a few others. This is obviously something wrong or malicious, but when I try to delete the zone record it tells me it can't be deleted because the zone doesn't exist. This may be related, but until an hour ago, we were receiving steady messages in our DNS Event Log saying:

>>The DNS server is configured to forward to a non-recursive DNS server at 211.79.207.25.
 
DNS servers in forwarders list MUST be configured to process recursive queries. <<

It goes on to give instructions on how to mitigate this, but the address specified (and they're random) is definitely not in my forwarders list. These addresses also resolve to places like Taiwan and Hong Kong.

I've tried to find another way to delete these, but haven't had any luck. Also when I clear the cache, the entries for the garbage zone records start coming back immediately. Does anyone know if this is a sign of a remote DoS attack, or has anyone seen this before in cases where the box may have been compromised?
Question by:danno778
5 Comments
 
LVL 38

Accepted Solution

by:
Shift-3 earned 125 total points
ID: 18048691
Cached Lookups is a normal part of the DNS console. It only shows up if you go to View and select Advanced. You probably had it hidden before.

It's possible the server has been compromised, but it's more likely one of your workstations has. You could try turning on logging in the server's properties to see what machine is making those DNS queries. A better option would be to run a sniffer like Wireshark.

Once you've identified the problem machine, scan the heck out of it with anti-malware tools.
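Once debug logging is on, the log is just text, so the "which machine is making those queries" question can be answered by tallying queries per source address. The script below is an added example, not code from the thread or from Microsoft. The sample lines are constructed in the general shape of a Windows Server DNS debug log (date, time, thread, PACKET, packet id, protocol, Snd/Rcv, remote IP, XID, Q/R, flags, query type, name in length-prefixed label form); the field order is an assumption about that format, and the addresses and domain names are made up. It also flags the pattern that turned out to matter in this thread: one host issuing MX lookups for many unrelated foreign domains, which is what an outbound mail sender (or a spam relay) looks like and a browsing workstation does not.

```python
"""Added example: find the host behind a DNS query flood from debug-log lines.

Not the poster's log or Microsoft's tooling. The log lines are constructed
to resemble the Windows DNS debug log ("Log packets for debugging" under
the server's Properties > Debug Logging); the field layout is assumed.
"""
import re
from collections import defaultdict

# Constructed sample: a quiet workstation (.55) and one host (.10) hammering
# the server with MX lookups for unrelated domains under several ccTLDs.
SAMPLE_LOG = """\
20061130 14:22:03 0F5C PACKET 000000000B8E3C00 UDP Rcv 192.168.1.55 0002 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
20061130 14:22:03 0F5C PACKET 000000000B8E3C00 UDP Snd 192.168.1.55 0002 R [8081 DR NOERROR] A (3)www(7)example(3)com(0)
20061130 14:22:04 0F5C PACKET 000000000B8E3D10 UDP Rcv 192.168.1.10 1a3f Q [0001 D NOERROR] MX (4)mail(7)example(2)tw(0)
20061130 14:22:04 0F5C PACKET 000000000B8E3D20 UDP Rcv 192.168.1.10 1a40 Q [0001 D NOERROR] MX (7)example(3)com(2)hk(0)
20061130 14:22:04 0F5C PACKET 000000000B8E3D30 UDP Rcv 192.168.1.10 1a41 Q [0001 D NOERROR] MX (7)example(3)com(2)ar(0)
20061130 14:22:05 0F5C PACKET 000000000B8E3D40 UDP Rcv 192.168.1.10 1a42 Q [0001 D NOERROR] MX (7)example(3)net(0)
20061130 14:22:05 0F5C PACKET 000000000B8E3D50 UDP Rcv 192.168.1.10 1a43 Q [0001 D NOERROR] MX (2)mx(7)example(3)org(0)
20061130 14:22:05 0F5C PACKET 000000000B8E3D60 UDP Rcv 192.168.1.55 0003 Q [0001 D NOERROR] A (4)mail(7)example(3)com(0)
"""

# Matches the tail of a packet line: proto, direction, remote IP, XID,
# Q/R, [flags], query type, and the label-encoded name.
LINE_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<xid>[0-9a-fA-F]+)\s+(?P<qr>[QR])\s+\[[^\]]*\]\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<name>\(.*\))"
)


def decode_name(label_form: str) -> str:
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", label_form)]
    return ".".join(lbl for lbl in labels if lbl)


def parse_queries(log_text: str):
    """Yield (client_ip, qtype, qname) for every inbound query (Rcv + Q).

    Responses the server sends (Snd/R) are skipped: we want who is asking.
    """
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dir"] != "Rcv" or m["qr"] != "Q":
            continue
        yield m["ip"], m["qtype"], decode_name(m["name"])


def summarize(log_text: str) -> dict:
    """Per client: query count, MX count, distinct names and distinct TLDs."""
    stats = defaultdict(lambda: {"queries": 0, "mx": 0, "names": set(), "tlds": set()})
    for ip, qtype, name in parse_queries(log_text):
        s = stats[ip]
        s["queries"] += 1
        if qtype == "MX":
            s["mx"] += 1
        s["names"].add(name)
        s["tlds"].add(name.rsplit(".", 1)[-1])
    return dict(stats)


def suspicious_clients(log_text: str, min_queries: int = 5, min_tlds: int = 3) -> list:
    """Clients with high volume spread across many TLDs and dominated by MX
    lookups. Thresholds are illustrative; tune them to your own baseline."""
    stats = summarize(log_text)
    hits = [
        ip for ip, s in stats.items()
        if s["queries"] >= min_queries
        and len(s["tlds"]) >= min_tlds
        and s["mx"] * 2 >= s["queries"]
    ]
    return sorted(hits, key=lambda ip: -stats[ip]["queries"])


if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["queries"]):
        print(f"{ip:16} queries={s['queries']:4} mx={s['mx']:4} "
              f"names={len(s['names']):4} tlds={sorted(s['tlds'])}")
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

Run it against a real debug log by replacing `SAMPLE_LOG` with the file contents; the log can grow very large under a flood, so read it in chunks if memory is a concern. The same tally can be produced from a Wireshark capture with `tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.type -e dns.qry.name`, which is often easier than debug logging on a busy server.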
 
LVL 2

Assisted Solution

by:Jonas1
Jonas1 earned 125 total points
ID: 18051635
Hey Danno,

I'm in agreement with Shift on this one. I would have to believe that one (or more) of your machines has some type of spyware or viral infection on it and it is constantly doing lookups. The DNS cache is growing large because the server is getting hammered with lookup requests.

One tried and true method (if you don't have a lot of workstations) is to unplug all of the machines, clear out the DNS cache and start bringing the workstations up one by one. I know this is a pain, but it will definitely isolate which machine is causing the issues.

Also, if you use a centralized AV software like Symantec Corporate Edition or Trend Micro on the server and workstations, you can run a network sweep from the server and check all of the workstations. Be sure to update the definition files first!

-Jonas1
 
LVL 3

Assisted Solution

by:yours_harjeet
yours_harjeet earned 125 total points
ID: 18055532
This one is called DNS Cache Poisoning; check the following documents for help.

Topics are too large to be posted here.

http://www.seoconsultants.com/tools/dns/cache/

http://isc.sans.org/presentations/dnspoisoning.php

http://www.dnsstuff.com/info/opendns.htm


Harjeet
 
LVL 23

Assisted Solution

by:gecko_au2003
gecko_au2003 earned 125 total points
ID: 18055617
Just a thought, and not sure if it would have the same effect as what was suggested above with regards to unplugging the workstations and bringing them back up one by one, but what about disabling each computer object and slowly but surely re-enabling each computer object in AD?

Like I said, just a thought, and I'm not sure if it would have the same effect....
 

Author Comment

by:danno778
ID: 18071307
The problem wasn't caused by what I thought it was, but I'm accepting Shift's answer because he replied first, and for no other reason. It turns out that this server (which I neglected to mention is also running a mail proxy, and yes, I know it's not a best practice) was being used as an open relay. The mail proxy was updated a few weeks ago and a setting (which wasn't meant to control external mail relaying but actually blocked them) stopped working. Relaying was allowed at the Exchange level because it was being blocked at the proxy. The update in question fixed the "bug" that allowed relaying to be blocked at the proxy, thus leaving us unprotected. It was only a matter of time before the open relay was discovered and exploited, and the ensuing traffic caused slowdowns on the proxy, causing it to crash intermittently. It also was putting strain on the DNS server which was caching all of those domains in Taiwan while resolving the email addresses. Thankfully we were able to close the relay in a short amount of time. Thanks all for your input...
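The root cause above is the relay decision an SMTP server makes at `RCPT TO`: once the proxy stopped enforcing it and Exchange was still permissive, anyone on the internet could hand the server mail for arbitrary foreign domains, and every such message costs the DNS server an MX lookup. The block below is an added example, not the poster's proxy or any Exchange setting. It models that decision as a small policy object, shows the permissive configuration beside the corrected one, and drives a minimal in-process SMTP responder with the classic open-relay probe (foreign sender to foreign recipient). The domains, networks and the probe address 203.0.113.5 are constructed for the example; against a live server the same `EHLO` / `MAIL FROM` / `RCPT TO` exchange would be sent over a socket to port 25 and the reply code read the same way.

```python
"""Added example: SMTP relay policy, weak vs corrected, plus an open-relay probe.

Not the thread poster's mail proxy or Exchange configuration. The SMTP
"server" here is an in-process model so the example runs offline; the
domains, networks and client addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    """What a mail server should decide at RCPT TO."""
    local_domains: set                      # domains this server receives mail FOR
    relay_from: list = field(default_factory=list)  # networks allowed to send OUT through us

    def allows(self, client_ip: str, rcpt_addr: str) -> bool:
        domain = rcpt_addr.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True                     # inbound mail for us: always accepted
        ip = ip_address(client_ip)
        return any(ip in net for net in self.relay_from)  # outbound: trusted nets only


class MiniSmtp:
    """Just enough SMTP (HELO/EHLO, MAIL, RCPT, QUIT) to apply the policy."""

    def __init__(self, policy: RelayPolicy, client_ip: str):
        self.policy, self.client_ip, self.sender = policy, client_ip, None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.local Hello"
        if verb == "MAIL":
            self.sender = arg.split(":", 1)[-1].strip("<> ")
            return "250 2.1.0 OK"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[-1].strip("<> ")
            if self.policy.allows(self.client_ip, rcpt):
                return "250 2.1.5 OK"
            return "550 5.7.1 Relaying denied"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Unrecognized command"


def relay_test(server: MiniSmtp, sender: str, rcpt: str):
    """Open-relay probe: a foreign sender asks us to deliver to a foreign recipient.
    Returns (is_open, transcript). Open means RCPT TO was answered with 250."""
    transcript = []

    def send(cmd: str) -> str:
        reply = server.handle(cmd)
        transcript.append(f"C: {cmd}")
        transcript.append(f"S: {reply}")
        return reply

    send("EHLO probe.example.org")
    send(f"MAIL FROM:<{sender}>")
    rcpt_reply = send(f"RCPT TO:<{rcpt}>")
    send("QUIT")
    return rcpt_reply.startswith("250"), transcript


LOCAL_DOMAINS = {"example.local"}
LAN = [ip_network("192.168.1.0/24")]

# Weak setting: relaying trusted from anywhere (what the poster ended up with
# once the proxy stopped enforcing and Exchange was left permissive).
OPEN_POLICY = RelayPolicy(LOCAL_DOMAINS, [ip_network("0.0.0.0/0")])
# Corrected setting: only hosts on the LAN may send outbound through us.
CLOSED_POLICY = RelayPolicy(LOCAL_DOMAINS, LAN)


def probe(policy: RelayPolicy, client_ip: str = "203.0.113.5") -> bool:
    """True if an outside client at client_ip can relay to a foreign domain."""
    is_open, _ = relay_test(MiniSmtp(policy, client_ip),
                            "spammer@example.net", "victim@example.org")
    return is_open


if __name__ == "__main__":
    for name, policy in (("open", OPEN_POLICY), ("closed", CLOSED_POLICY)):
        is_open, lines = relay_test(MiniSmtp(policy, "203.0.113.5"),
                                    "spammer@example.net", "victim@example.org")
        print(f"--- {name} policy: relay {'ALLOWED' if is_open else 'denied'}")
        print("\n".join(lines))
```

The check to keep in mind: a correct policy still answers 250 to an outside host when the recipient is one of your own domains (that is inbound mail, not relaying), so a probe that only tests local recipients proves nothing. Test with both sender and recipient outside your domains, from an address outside your trusted networks.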
