Solved

Large amount of DNS requests causing VPN to drop out?

Posted on 2010-08-20
Last Modified: 2012-05-10
We have been having a number of problems with users being kicked out of the VPN connection lately. Upon investigating this I have found loads of requests on the WatchGuard firewall making DNS requests out to the internet. Around 200 per DNS server at once.
I can only assume that this is the reason users are getting dropped off and assume that this is some sort of DNS attack. Any ideas how to tackle this?
Question by:Mitch P
12 Comments
 
LVL 4

Expert Comment

by:vickzz
ID: 33485227
Try and find out the source, whether they are internal or external.
One reason could be that some malicious user might have explored your public facing DNS and is sending repeated requests; for that you need to block these IPs on the firewall. Or it may be that your internal DNS servers are using root hints, so you may want to disable root hints and use forwarders.
The first step should be to identify the source.
0
 

Author Comment

by:Mitch P
ID: 33485260
We do not have public facing DNS and are using forwarders.
I have tried to determine the source but keep drawing a blank... any tools that may give me a better idea?
 
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33485331
Take a sniffer trace on the firewall and/or the DNS server to see the source. Is it going outside through your firewall or coming in?
0
 

Author Comment

by:Mitch P
ID: 33485421
The firewall states hundreds of 53/DNS connections to our external DNS from the 2 DNS servers that are being used. They are all outgoing requests.
Will try a sniffer.
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33485521
External DNS server means forwarders to me, which means it may happen that some client pointing to this DNS server is sending requests, and the DNS server is going out on their behalf to resolve each query, and thus traffic is increasing.

As stated, a sniffer on the DNS server will give you a good idea about it.
0
 

Author Comment

by:Mitch P
ID: 33485530
Does this seem like some trojan?
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33485541
Yeah, maybe so. If you see a machine sending most of the DNS requests in the sniffer trace, you may want to check that machine for a trojan or some apps like shareware or torrents as well.
0
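Added example (not part of the original thread): one way to carry out the check described above, counting DNS queries per client in a text trace taken on the DNS server and listing any client responsible for most of them. It assumes `tcpdump -n port 53` style output; the server address 192.168.1.10, the other addresses, the names and the 50% threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n port 53` output captured on the DNS server.
# All addresses and names are made up for this example.
SAMPLE_TRACE = """\
10:15:01.000101 IP 192.168.1.23.51234 > 192.168.1.10.53: 4821+ A? a1.example.net. (32)
10:15:01.000950 IP 192.168.1.10.60001 > 203.0.113.53.53: 9001+ [1au] A? a1.example.net. (43)
10:15:01.020400 IP 203.0.113.53.53 > 192.168.1.10.60001: 9001 1/0/1 A 198.51.100.7 (59)
10:15:01.100200 IP 192.168.1.23.51235 > 192.168.1.10.53: 4822+ A? a2.example.net. (32)
10:15:01.200300 IP 192.168.1.23.51236 > 192.168.1.10.53: 4823+ A? a3.example.net. (32)
10:15:01.300400 IP 192.168.1.40.49152 > 192.168.1.10.53: 117+ A? intranet.example.org. (38)
10:15:01.400500 IP 192.168.1.23.51237 > 192.168.1.10.53: 4824+ A? a4.example.net. (32)
10:15:01.500600 IP 192.168.1.41.49200 > 192.168.1.10.53: 77+ AAAA? mail.example.org. (34)
10:15:01.600700 IP 192.168.1.23.51238 > 192.168.1.10.53: 4825+ A? a5.example.net. (32)
10:15:01.700800 IP 192.168.1.23.51239 > 192.168.1.10.53: 4826+ A? a6.example.net. (32)
"""

# Matches query lines only (destination port 53, "TYPE? name"); responses do not match.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.53: "
    r"\d+[+%*-]*(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def count_queries(trace, dns_server):
    """Return (queries per client sent to dns_server, queries dns_server forwarded out)."""
    clients, forwarded = Counter(), 0
    for line in trace.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # response or unrelated line
        if m["dst"] == dns_server:
            clients[m["src"]] += 1      # internal client asking our server
        elif m["src"] == dns_server:
            forwarded += 1              # our server asking its forwarder
    return clients, forwarded

def heavy_clients(trace, dns_server, min_share=0.5):
    """List (ip, count, share) for clients sending at least min_share of all client queries."""
    clients, _ = count_queries(trace, dns_server)
    total = sum(clients.values())
    return [(ip, n, n / total) for ip, n in clients.most_common() if n / total >= min_share]

if __name__ == "__main__":
    clients, forwarded = count_queries(SAMPLE_TRACE, "192.168.1.10")
    print(f"client queries: {sum(clients.values())}, forwarded upstream: {forwarded}")
    for ip, n, share in heavy_clients(SAMPLE_TRACE, "192.168.1.10"):
        print(f"{ip} sent {n} queries ({share:.0%} of client traffic)")
```

The forwarded count is what the firewall sees leaving the DNS server; the per-client counts show which internal host is driving it.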
 

Author Comment

by:Mitch P
ID: 33485583
Would something like this hammer bother DNS servers that are listed in the DHCP that is given to a client?
0
 
LVL 4

Expert Comment

by:vickzz
ID: 33485607
Of course the client will send requests to the DNS servers which are supplied by the DHCP server or assigned manually, but the question is why so many requests to external IPs. This could either be by a user action or an app/malware.
0
 

Author Comment

by:Mitch P
ID: 33487021
This is pretty strange: the firewall is stating that there are loads of port 53 connections that are outgoing, but saying that the source is from one of our external IPs?
 
0
 
LVL 4

Accepted Solution

by:
vickzz earned 250 total points
ID: 33488418
First of all, upgrade the firewall's firmware to make sure there are no holes for exploitation. Secondly, if you can attach the network sniffer trace I can surely take a look and see what's going on.
0
 

Author Closing Comment

by:Mitch P
ID: 33807645
Upgraded firmware.
0
