A lot of SYN_SENT from a Windows DNS server over TCP

In our syslog we see a lot of SYN_SENT to a specific class of addresses, 192.xxx.xxx.xxx, using TCP, with the port number increasing every time.

The firewall is open to UDP port 53 Any, but TCP is open only to the specific IP where a zone transfer should be done.

The question is: why does our DNS server try to SYN_SENT? Here is an example:

TCP    dns1:1704              g.gtld-servers.net:domain  SYN_SENT
TCP    dns1:1705              i.gtld-servers.net:domain  SYN_SENT

Thanks in advance for any answer.

Henri.
10-cc asked:
Hypercat (Deb) commented:
You could try setting your DNS server to use forwarders rather than root hints. That might reduce the amount of this traffic.
 
Hypercat (Deb) commented:
It's trying to make a connection with an external server - in this case two of the Internet root servers. I would assume that it's trying to query those servers for name resolution of external domains.
 
10-cc (author) commented:
Thanks for posting, hypercat,

I know it is trying to contact these domains, but why is it trying using TCP? It should use UDP for name resolution. UDP is open for port 53 ANY, but not TCP.

Thanks for any insights.

Henri.
Hypercat (Deb) commented:
Take a look at this article:

http://technet.microsoft.com/en-us/library/dd197515(WS.10).aspx

Specifically:  "...the first response to the message is sent with as much data as the UDP datagram will allow, and then the DNS server sets a flag indicating a truncated response. The message sender can then choose to reissue the request to the DNS server using TCP (over TCP port 53)." This might explain what you're seeing.
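The truncation mechanism quoted above is worth seeing on the wire. The following is an added example, not code from the thread or from Microsoft: it builds a DNS query, decodes the header flags a resolver checks (QR, TC, RD, RA, RCODE), decides from a constructed truncated UDP reply that the same query must be reissued over TCP, and shows the two-byte length prefix that TCP DNS messages carry. It also includes a small helper that counts SYN_SENT connections to port 53 per remote host from netstat-style lines like the two in the question. All input is constructed inline; nothing is sent on the network.

```python
"""Added example (not from the thread): the DNS truncation (TC) mechanism that
makes a recursive server retry a query over TCP port 53, plus a small triage
helper for the SYN_SENT lines seen in netstat output.  All input is constructed
inline; nothing is sent on the network."""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1), second 16-bit word of the header.
QR = 0x8000  # 1 = response
TC = 0x0200  # 1 = message was truncated to fit the UDP datagram
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available


def build_query(name, qtype=1, txid=0x1234):
    """Standard query: header with RD set, one question of type qtype (1 = A), class IN."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver checks first."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(udp_response):
    """A response with TC=1 is incomplete; the resolver reissues the same query over TCP."""
    h = parse_header(udp_response)
    return h["qr"] and h["tc"]


def frame_for_tcp(query):
    """Over TCP each DNS message is prefixed with its 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(query)) + query


def constructed_truncated_response(query):
    """Constructed stand-in for a server reply: echo the question with QR, RA and TC set.
    A real server would include as many answer/authority records as fit; here we keep
    only the question section, which is still a valid (if empty) truncated response."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= QR | RA | TC
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar) + query[12:]


def syn_sent_to_dns(netstat_lines):
    """Count SYN_SENT TCP connections per remote host whose remote port is DNS (53 or 'domain').
    Input is lines in the 'netstat -an' style shown in the question."""
    counts = {}
    for line in netstat_lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP" or parts[3] != "SYN_SENT":
            continue
        host, _, port = parts[2].rpartition(":")
        if port in ("domain", "53"):
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    q = build_query("example.com")
    r = constructed_truncated_response(q)          # stands in for the UDP reply
    print("UDP reply truncated:", needs_tcp_retry(r))
    if needs_tcp_retry(r):
        tcp_msg = frame_for_tcp(q)                 # what goes out on the TCP 53 connection
        print("TCP retry frame:", tcp_msg.hex())
    sample = [  # constructed, modelled on the two lines in the question
        "TCP    dns1:1704              g.gtld-servers.net:domain  SYN_SENT",
        "TCP    dns1:1705              i.gtld-servers.net:domain  SYN_SENT",
        "TCP    dns1:1706              mail.example.net:smtp      ESTABLISHED",
    ]
    print(syn_sent_to_dns(sample))
```

The point for the firewall discussion: the TCP connection is initiated by the DNS server itself, to the same remote port 53, only after a UDP reply came back with TC set. Blocking TCP 53 outbound does not stop the server from trying; it just leaves the SYN unanswered (hence the SYN_SENT lines) and the truncated answer unrecovered.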
 
10-cc (author) commented:
Thanks again,

It is possible that this is the case; however, what is strange is that all the SYN_SENT TCP we are seeing are to 192.XXX.XXX.XXX, and our syslog is filling up like crazy, as TCP 53 is closed to these servers and we don't want to punch unnecessary holes.

Is there a way to stop these TCP requests from the DNS server side (Win 2K3)?

Thanks again.

Henri.
 
Hypercat (Deb) commented:
I don't know of any way to do this. Is the router where you're seeing these packets your main connection to the Internet, or is it an internal router between subnets within your company?
 
10-cc (author) commented:
From both, the outside interface and the DMZ too.
 
10-cc (author) commented:
Ok, thanks, I will try to do that. It's just that in this case I will probably not be able to take advantage of our DNS cache?
 
Hypercat (Deb) commented:
Your server will still cache resolved entries. It is just going to query the DNS forwarders ONLY for non-cached entries or to refresh the cache, rather than querying the root servers directly. I would recommend you limit the forwarders to one or two external servers. Normally people will use their ISP's DNS servers, or you could use Google's or other open DNS servers. This should reduce the amount of traffic generated by DNS queries that are for external domains.
Question has a verified solution.