• Status: Solved

Large amount of DNS Requests causing vpn to dropout?

We have been having a number of problems with users being kicked out of the VPN connection lately. Upon investigating this I have found loads of requests on the WatchGuard firewall making DNS requests out to the internet, around 200 per DNS server at once.
I can only assume that this is the reason users are getting dropped off and assume that this is some sort of DNS attack. Any ideas how to tackle this?
Asked:
Mitch P
vickzz Commented:
Try to find out whether the source is internal or external.
One reason could be that some malicious user might have explored your public-facing DNS and is sending repeated requests; for that you need to block these IPs on the firewall. Or it may be that your internal DNS servers are using root hints, so you may want to disable root hints and use forwarders.
First step should be to identify the source.
 
Mitch P (Director, Author) Commented:
We do not have public-facing DNS and are using forwarders.
I have tried to determine the source but keep drawing a blank... any tools that may give me a better idea?
 
 
vickzz Commented:
Take a sniffer trace on the firewall and/or DNS server to see the source. Is it going outside through your firewall or coming in?

 
Mitch P (Director, Author) Commented:
The firewall states hundreds of 53/DNS connections to our external DNS from the 2 DNS servers that are being used. They are all outgoing requests.
Will try a sniffer.
 
vickzz Commented:
External DNS server means forwarders to me, which means it may be that some client pointing to this DNS server is sending requests, and DNS is going out on its behalf to resolve each query, and thus traffic is increasing.

As stated, a sniffer on the DNS server will give you a good idea about it.
 
Mitch P (Director, Author) Commented:
Does this seem like some trojan?
 
vickzz Commented:
Yeah, maybe so. If you see a machine sending most of the DNS requests in the sniffer trace, you may want to check the machine for a trojan, or for some apps like shareware or torrents as well.
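One way to pick out the machine sending most of the DNS requests from a sniffer trace taken on the DNS server (an added example, not part of the original thread). It assumes text output from `tcpdump -nn port 53`; the sample lines, addresses, names and the `top_dns_clients` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# A DNS *query* line as printed by `tcpdump -nn port 53`, e.g.
# 12:01:03.101 IP 10.0.0.23.51514 > 10.0.0.2.53: 4242+ A? a1.example.net. (32)
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) "
)

# Constructed sample trace: one noisy client, one quiet client, one response,
# and one query the DNS server itself forwards to an external resolver.
SAMPLE = """\
12:01:03.101 IP 10.0.0.23.51514 > 10.0.0.2.53: 4242+ A? a1.example.net. (32)
12:01:03.102 IP 10.0.0.2.53 > 10.0.0.23.51514: 4242 NXDomain 0/1/0 (90)
12:01:03.110 IP 10.0.0.2.40001 > 192.0.2.53.53: 911+ A? a1.example.net. (32)
12:01:03.201 IP 10.0.0.23.51515 > 10.0.0.2.53: 4243+ A? b2.example.net. (32)
12:01:03.301 IP 10.0.0.23.51516 > 10.0.0.2.53: 4244+ [1au] A? c3.example.net. (43)
12:01:03.401 IP 10.0.0.40.49200 > 10.0.0.2.53: 77+ AAAA? intranet.example.org. (38)
12:01:03.501 IP 10.0.0.23.51517 > 10.0.0.2.53: 4245+ A? d4.example.net. (32)
""".splitlines()


def top_dns_clients(lines, server_ips=(), min_share=0.5):
    """Tally DNS queries per client and list clients above min_share of the total.

    server_ips: the DNS servers' own addresses; their forwarded queries are
    skipped so that only the originating clients are counted.
    """
    per_src = Counter()
    names = defaultdict(Counter)
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None or m["src"] in server_ips:
            continue  # response, non-DNS line, or the server's own forwarding
        per_src[m["src"]] += 1
        names[m["src"]][m["name"].rstrip(".").lower()] += 1
    total = sum(per_src.values())
    heavy = [src for src, n in per_src.most_common() if n / total >= min_share]
    return per_src, names, heavy


if __name__ == "__main__":
    per_src, names, heavy = top_dns_clients(SAMPLE, server_ips={"10.0.0.2"})
    for src, n in per_src.most_common():
        flag = "  <-- check this machine" if src in heavy else ""
        print(f"{src:15} {n:5} queries{flag}")
        for name, c in names[src].most_common(3):
            print(f"    {c:5}  {name}")
```

The per-client name list shows what the noisy machine is asking for, which helps separate a misbehaving application from malware before the machine is scanned.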
 
Mitch P (Director, Author) Commented:
Would something like this hammer both DNS servers that are listed in the DHCP that is given to a client?
 
vickzz Commented:
Of course the client will send requests to the DNS servers which are supplied by the DHCP server or assigned manually, but the question is why so many requests to external IPs. This could be either by a user action or an app/malware.
 
Mitch P (Director, Author) Commented:
This is pretty strange: the firewall is stating that there are loads of port 53 connections that are outgoing, but saying that the source is from one of our external IPs?
 
 
vickzz Commented:
First of all, upgrade the firewall's firmware to make sure there are no holes for exploitation. Secondly, if you can attach the network sniffer trace, I can surely take a look and see what's going on.
 
Mitch P (Director, Author) Commented:
Upgraded firmware