DNS Attempting to contact

Posted on 2009-04-26
Last Modified: 2012-05-06
I am running a Windows Server 2003 native domain.  All of my domain controllers are Windows Server 2003 Enterprise R2 x32 with all the latest security updates installed.

I noticed in my Sidewinder firewall reports that one of my domain controllers is consistently attempting to go out to the following IP addresses.  The Sidewinder only allows DNS out to the internet from two other of my domain controllers.  I have changed the forwarders on all the other DNS servers to point to these two servers and have allowed traffic out on the Sidewinder from these two servers.
The Sidewinder blocks DNS requests to port 53 from one server 24/7 for the following dstip addresses:
Destination      Port      Count      %Count
                 53        2140       21.2872%
                 53        2140       21.2872%
                 53        1283       12.7624%
All three of these addresses are from, as you can see from the following links.

Any ideas what I should do to prevent this?  I have looked around and have found that it may be linked to a reverse lookup zone set up incorrectly.

Question by:engstromr

    Accepted Solution

    Those three servers handle DNS-related requests for non-routable IPs (,, etc). It looks like you need to set up reverse zones ( for your private address space. That way when your workstations try to register themselves in DNS, the requests go to your DCs rather than getting forwarded to IANA's blackhole servers over the internet.
    ( maps to

    Author Comment

    From what I understand, I have reverse zones set up for each of my subnets.  Attached is a screenshot.  Is there something else that needs to be done?  I inherited this network a couple years back.  We never really monitored what was going out until we recently got our Sidewinder.  Previously, everything was allowed out so it is possible something has been misconfigured for quite some time.

    Author Comment

    It looks like I may have missed setting up a couple reverse lookup zones on my network.  I recently added a couple extra DHCP scopes when I added wireless to my network.  I did not have reverse lookup zones added for the new scopes.  The attacks have stopped.  I will check the reports tomorrow to be sure, but this makes sense.

    Expert Comment

    I was just going to ask you if you added any new scopes when I got to work. Glad it looks like it's figured out.

    Author Closing Comment

    The reports did not have this server listed under the attacks.  I am also not seeing any attacks when I audit in real-time.  I can't believe I overlooked this when creating the new scopes!  Thanks for the help!
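
A check for the gap this thread ended up finding, as an added example that is not part of the original posts: it compares DHCP scopes against the reverse lookup zones a DNS server hosts and lists the /24 reverse zones that are missing. The scopes and zone names are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): DHCP scopes in use and the
# zone names as they would appear on the internal DNS server.
DHCP_SCOPES = ["10.10.1.0/24", "10.10.2.0/24", "10.10.20.0/23", "192.168.50.0/25"]
HOSTED_ZONES = ["corp.example", "1.10.10.in-addr.arpa",
                "2.10.10.in-addr.arpa", "168.192.in-addr.arpa"]


def zone_to_network(zone):
    """Map an octet-boundary reverse zone name to the IPv4 network it serves."""
    labels = zone.lower().rstrip(".").split(".")
    octets = labels[:-2][::-1]
    if labels[-2:] != ["in-addr", "arpa"] or not 1 <= len(octets) <= 3:
        return None  # forward zone, or not a /8, /16 or /24 reverse zone
    try:
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    except ValueError:
        return None  # labels are not valid octets (e.g. classless delegation)


def missing_reverse_zones(scopes, hosted_zones):
    """Return {scope: [/24 reverse zones that no hosted zone covers]}."""
    nets = [zone_to_network(z) for z in hosted_zones]
    zone_nets = [n for n in nets if n is not None]
    gaps = {}
    for scope in scopes:
        net = ipaddress.ip_network(scope)
        # Reverse names are built per octet, so test every /24 the scope touches.
        if net.prefixlen > 24:
            pieces = [net.supernet(new_prefix=24)]
        else:
            pieces = net.subnets(new_prefix=24)
        for piece in pieces:
            if not any(piece.subnet_of(z) for z in zone_nets):
                octets = str(piece.network_address).split(".")[:3]
                name = ".".join(reversed(octets)) + ".in-addr.arpa"
                gaps.setdefault(scope, []).append(name)
    return gaps


if __name__ == "__main__":
    for scope, zones in missing_reverse_zones(DHCP_SCOPES, HOSTED_ZONES).items():
        print(f"{scope}: no reverse zone for {', '.join(zones)}")
```

Any scope it reports is one whose PTR lookups and dynamic updates the DNS server cannot answer locally, which is the traffic the firewall was blocking in this thread.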
