DNS Attempting to contact iana.org
engstromr asked:
I am running a Windows Server 2003 native domain. All of my domain controllers are Windows Server 2003 Enterprise R2 x32 with all the latest security updates installed.
I noticed in my Sidewinder firewall reports that one of my domain controllers is consistently attempting to go out to the following IP addresses. The Sidewinder only allows DNS out to the internet from two of my other domain controllers. I have changed the forwarders on all the other DNS servers to point to these two servers and have allowed traffic out on the Sidewinder from these two servers.
The Sidewinder blocks DNS requests to port 53 from one server 24/7 to the following destination IP addresses:
Destination     Port  Count  %Count
192.175.48.42   53    2140   21.2872%
192.175.48.6    53    2140   21.2872%
192.175.48.1    53    1283   12.7624%
All three of these addresses are from iana.org, as you can see from the following links.
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.42
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.6
http://private.dnsstuff.com/tools/ipall.ch?ip=192.175.48.1
Any ideas what I should do to prevent this? I have looked around and have found that it may be linked to a reverse lookup zone that is set up incorrectly.
Thanks!
ASKER
It looks like I may have missed setting up a couple of reverse lookup zones on my network. I recently added a couple of extra DHCP scopes when I added wireless to my network. I did not have reverse lookup zones added for the new scopes. The attacks have stopped. I will check the reports tomorrow to be sure, but this makes sense.
I was just going to ask you if you added any new scopes when I got to work. Glad it looks like it's figured out
ASKER
The reports did not have this server listed under the attacks. I am also not seeing any attacks when I audit in real-time. I can't believe I overlooked this when creating the new scopes! Thanks for the help!
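The resolution above (reverse lookup zones were never created for the new DHCP scopes) is easy to re-check in code. The following is an added example, not code from the thread or from any Windows or Sidewinder tool: it takes a list of DHCP scopes and the reverse lookup zones a DNS server actually hosts, works out which in-addr.arpa zones each scope needs, reports the ones that are missing, and shows where a PTR query or dynamic update for a client address ends up when no local zone exists. The scope list and configured-zone list are constructed sample data; the mapping of the three blocked destinations to prisoner.iana.org, blackhole-1.iana.org and blackhole-2.iana.org is IANA's published naming for the AS112 servers that serve the in-addr.arpa space of RFC 1918 addresses.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample data (not from the thread): the DHCP scopes on the
# network and the reverse lookup zones the DNS server actually hosts.
SAMPLE_SCOPES = ["192.168.10.0/24", "192.168.20.0/23", "10.1.2.128/25"]
SAMPLE_CONFIGURED_ZONES = ["10.168.192.in-addr.arpa", "1.10.in-addr.arpa"]

# The three destinations in the firewall report are the AS112 anycast
# servers that answer for the in-addr.arpa space of RFC 1918 addresses.
AS112_SERVERS = {
    "192.175.48.1": "prisoner.iana.org",
    "192.175.48.6": "blackhole-1.iana.org",
    "192.175.48.42": "blackhole-2.iana.org",
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_zone(network: ipaddress.IPv4Network) -> str:
    """in-addr.arpa zone name for a network on an octet boundary (/8, /16 or /24)."""
    if network.prefixlen not in (8, 16, 24):
        raise ValueError("reverse zones are created on octet boundaries")
    octets = str(network.network_address).split(".")[: network.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def required_reverse_zones(scope: str) -> List[str]:
    """Reverse zones needed so every address in a DHCP scope has a local PTR zone.

    A scope narrower than /24 still needs its whole /24 zone; a scope wider
    than /24 needs one zone per /24 (a hosted /16 or /8 parent zone also counts).
    """
    net = ipaddress.ip_network(scope, strict=False)
    gran = 8 if net.prefixlen <= 8 else 16 if net.prefixlen <= 16 else 24
    if net.prefixlen >= gran:
        blocks = [net.supernet(new_prefix=gran)]
    else:
        blocks = list(net.subnets(new_prefix=gran))
    return [ptr_zone(b) for b in blocks]


def zone_is_covered(zone: str, configured_zones: Iterable[str]) -> bool:
    """True if the zone itself, or a parent zone (/16 or /8), is hosted locally."""
    return any(zone == z or zone.endswith("." + z) for z in configured_zones)


def missing_reverse_zones(scopes: Iterable[str], configured_zones: Iterable[str]) -> Dict[str, List[str]]:
    """Map each scope to the reverse zones it needs that are not hosted locally."""
    configured = list(configured_zones)
    missing = {}
    for scope in scopes:
        gaps = [z for z in required_reverse_zones(scope) if not zone_is_covered(z, configured)]
        if gaps:
            missing[scope] = gaps
    return missing


def ptr_update_destination(ip: str, configured_zones: Iterable[str]) -> str:
    """Where a PTR query or dynamic update for a client address ends up.

    With no local zone the server follows the in-addr.arpa delegation; for
    RFC 1918 space that delegation points at AS112, which is exactly the
    port 53 traffic the firewall in the thread was blocking.
    """
    addr = ipaddress.ip_address(ip)
    zone = ptr_zone(ipaddress.ip_network(f"{ip}/24", strict=False))
    if zone_is_covered(zone, configured_zones):
        return "local reverse zone"
    if any(addr in n for n in RFC1918):
        return "AS112: " + ", ".join(AS112_SERVERS.values())
    return "public in-addr.arpa delegation"


if __name__ == "__main__":
    for scope, zones in missing_reverse_zones(SAMPLE_SCOPES, SAMPLE_CONFIGURED_ZONES).items():
        print(f"scope {scope} is missing reverse zone(s): {', '.join(zones)}")
    for client in ("192.168.10.5", "192.168.21.7"):
        print(f"PTR for {client} -> {ptr_update_destination(client, SAMPLE_CONFIGURED_ZONES)}")
```

On a Windows Server 2003 DNS server the hosted zone list for the configured-zones input comes from `dnscmd /EnumZones`, and a missing AD-integrated reverse zone is created with `dnscmd /ZoneAdd <zone> /DsPrimary` (for example `20.168.192.in-addr.arpa`); once every scope is covered, the server's PTR updates for clients stay in the local zones and the requests to the AS112 addresses stop.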