A lot of SYN_SENT connections from a Windows DNS server over TCP

In our syslog we see a lot of SYN_SENT entries to a specific class of addresses, 192.xxx.xxx.xxx, using the TCP protocol, with the port number increasing every time.

The firewall is open to UDP port 53 from any address, but TCP is open only to the specific IPs to which a zone transfer should be done.

The question is: why does our DNS server try to SYN_SENT? Here is an example:

TCP    dns1:1704              g.gtld-servers.net:domain  SYN_SENT
TCP    dns1:1705              i.gtld-servers.net:domain  SYN_SENT

Thanks in advance for any answer.

Henri.
10-cc Asked:

Hypercat (Deb) Commented:
It's trying to make a connection with an external server - in this case two of the Internet root servers. I would assume that it's trying to query those servers for name resolution of external domains.
0
10-cc (Author) Commented:
Thanks for posting, Hypercat,

I know it is trying to contact these domains, but why is it trying using TCP? It should use UDP for name resolution. UDP is open for port 53 ANY, but not TCP.

Thanks for any insights.

Henri.
0
Hypercat (Deb) Commented:
Take a look at this article:

http://technet.microsoft.com/en-us/library/dd197515(WS.10).aspx

Specifically:  "...the first response to the message is sent with as much data as the UDP datagram will allow, and then the DNS server sets a flag indicating a truncated response. The message sender can then choose to reissue the request to the DNS server using TCP (over TCP port 53)." This might explain what you're seeing.
0
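The mechanism quoted above is the standard resolver behaviour: a UDP reply with the TC (truncated) bit set tells the querier to reissue the same query over TCP port 53, where each message carries a 2-byte length prefix. The following is an added example, not code from the original thread or from Microsoft; it builds a query, a constructed truncated and a constructed non-truncated reply (the name example.com, the transaction ID 0x1234 and the empty record sections are assumptions for illustration), checks the TC bit, and shows the decision to retry over TCP together with the TCP framing. The point for the original question is that a firewall dropping outbound TCP/53 does not stop the retry; it only makes the retry fail, which is exactly what a pile of SYN_SENT entries with no reply looks like.

```python
import struct

# Flag bits in the 16-bit DNS header flags word (RFC 1035 section 4.1.1).
QR_FLAG = 0x8000  # message is a response
TC_FLAG = 0x0200  # truncated: the answer did not fit in the UDP datagram
RD_FLAG = 0x0100  # recursion desired


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1, qclass=1):
    """Build a standard query with one question and RD set; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Return the header fields plus a decoded 'truncated' flag."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "truncated": bool(flags & TC_FLAG)}


def build_response(query, truncated):
    """Constructed server reply (assumption for the example): echoes the ID
    and question, sets QR, and sets TC when the full answer would not fit in
    512 bytes of UDP payload. Record sections are left empty because only the
    header flags matter for the fallback decision."""
    txid, flags = struct.unpack("!HH", query[:4])
    resp_flags = QR_FLAG | (flags & RD_FLAG)
    if truncated:
        resp_flags |= TC_FLAG
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:]


def frame_for_tcp(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length
    (RFC 1035 section 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(data):
    """Inverse of frame_for_tcp, verifying the length prefix."""
    (length,) = struct.unpack("!H", data[:2])
    if len(data) - 2 != length:
        raise ValueError("TCP length prefix does not match payload")
    return data[2:]


def next_step(query, udp_response):
    """Decide what a resolver does with a UDP reply: keep it, or reissue the
    same query over TCP port 53 because TC is set."""
    if parse_header(udp_response)["id"] != parse_header(query)["id"]:
        raise ValueError("response ID does not match query")
    if parse_header(udp_response)["truncated"]:
        return "tcp", frame_for_tcp(query)
    return "done", udp_response


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    for tc in (False, True):
        action, payload = next_step(q, build_response(q, truncated=tc))
        print("TC=%d -> %s (%d bytes)" % (tc, action, len(payload)))
```

Running the block prints the two outcomes: a reply without TC is accepted as-is, a reply with TC produces a length-prefixed copy of the original query ready to be written to a TCP socket on port 53. On a live server the quickest confirmation is a packet capture filtered on the DNS server's UDP/53 replies with the TC bit set, immediately followed by a SYN to the same address on TCP/53.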

10-cc (Author) Commented:
Thanks again,

It is possible that this is the case; however, what is strange is that all the SYN_SENT TCP entries we are seeing are to 192.XXX.XXX.XXX, and our syslog is filling up like crazy, as TCP 53 is closed to these servers and we don't want to punch unnecessary holes.

Is there a way to stop these TCP requests from the DNS server side (Win 2K3)?

Thanks again.

Henri.
0
Hypercat (Deb) Commented:
I don't know of any way to do this. Is this router where you're seeing these packets your main connection to the Internet, or is it an internal router between subnets within your company?
0
10-cc (Author) Commented:
From both: the outside interface and the DMZ too.
0
Hypercat (Deb) Commented:
You could try setting your DNS server to use forwarders rather than root hints. That might reduce the amount of this traffic.
0
10-cc (Author) Commented:
OK, thanks, I will try to do that. It's just that in this case I will probably not be able to take advantage of our DNS cache?
0
Hypercat (Deb) Commented:
Your server will still cache resolved entries. It is just going to query the DNS forwarders ONLY for non-cached entries, or to refresh the cache, rather than querying the root servers directly. I would recommend you limit the forwarders to one or two external servers. Normally people will use their ISP's DNS servers, or you could use Google's or other open DNS servers. This should reduce the amount of traffic generated by DNS queries that are for external domains.
0