Solved

server 2012 DNS memory usage extremely high

Posted on 2013-05-30
Last Modified: 2014-02-20
Our MS Server 2012 recently had a virus and now it seems to be using too much memory for the DNS. I'm 95% positive that the server is now clean. I already disabled IPv6, which reduced the usage significantly. Still have way too many DNS requests and many of them are from a source called directedat.asia. Could our server be compromised? Everything else runs fine with no problems. We have a VOIP phone system that gets affected whenever the DNS utilization goes over 400MB. HELP.
Question by:markisback
7 Comments
LVL 4

Expert Comment

by:EddyvanOpdorp
ID: 39210283
Do you use the DNS server only for internal use?
If this is the case, please check whether port 53 is forwarded in the router. This is not necessary. Maybe there are a lot of requests coming from the outside?

Author Comment

by:markisback
ID: 39219773
I think it is used only for internal use, but how can I tell for sure? All of the clients are set to use the Server IP for the primary DNS and the internet provider for the secondary DNS.
LVL 14

Expert Comment

by:BlueCompute
ID: 39259123
Hi,

as per here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/74125383-dad6-4a60-af0c-471849af6dc2/ddos-on-server-2008-r2

and here: http://dnsamplificationattacks.blogspot.co.uk/2013/05/domain-directedatasia.html

This is a Distributed Denial of Service attack using DNS amplification: the source IP for the request is spoofed, and the zone in question (directedat.asia) is large, so your DNS server is tricked into helping DDoS the victim by spamming them with a large DNS response.

Good gen here: http://www.watchguard.com/infocenter/editorial/41649.asp and they recommend primarily disabling recursion on the DNS server (http://technet.microsoft.com/en-us/library/cc771738.aspx).

One option that springs to mind would be to create a fake DNS record, i.e. create a zone for directedat.asia and just have an A record for 127.0.0.1 to reduce the size of the response, but I'm not really sure what the implications of doing so would be... sorry.

Not a virus on your server though, I don't believe.

EDIT: sorry, just re-read and saw that your DNS server should be internal only. As the previous poster said, please ensure UDP port 53 is not opened from the internetz. Another possibility is that an infected local client is spamming out the DNS requests?
LVL 16

Expert Comment

by:gurutc
ID: 39259596
The recommendation for creating the zone with the localhost A record is a very good idea.  I've done the same with success.  Also, you can try using Process Explorer from Sysinternals to look at the network stack for the DNS service as well as the local process environment to possibly find what process is hooking to the DNS service.

You can run Wireshark Portable on the Server to see if a local client is sending requests also.

- gurutc
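The Wireshark approach gurutc suggests works, but the DNS server's own debug log answers the same two questions (is anything from outside the LAN reaching UDP/53, and which local client is the noisiest) without installing a second tool on the server. The script below is an added example and is not code from this thread. It assumes packet logging was switched on first with Set-DnsServerDiagnostics (the log path is an assumption), parses the documented Server 2012 debug-log packet line layout, and the five log lines at the bottom are constructed for the demonstration, not a real capture.

```powershell
# Added example (not from the thread): summarise a Windows DNS Server debug log to see
# who is sending the queries and whether any of them come from outside the LAN.
# Assumes packet logging was enabled first, e.g. (log path is an assumption):
#   Set-DnsServerDiagnostics -Queries $true -ReceivePackets $true -SendPackets $true `
#       -UdpPackets $true -LogFilePath 'C:\dnslogs\dns.log'
# Documented packet-line layout:
#   date time threadId PACKET ctx UDP|TCP Rcv|Snd remoteIp xid [R] opcode [flags rcode] qtype qname

$LinePattern = '(?<proto>UDP|TCP) (?<dir>Rcv|Snd) (?<ip>\S+)\s+(?<xid>[0-9A-Fa-f]{4})\s+(?<resp>R)?\s*(?<op>\S)\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'

function ConvertFrom-DnsDebugLine {
    # Turn one packet line into an object; returns nothing for lines that are not packets.
    param([string]$Line)
    if ($Line -notmatch $LinePattern) { return }
    # "(10)directedat(4)asia(0)" -> "directedat.asia"
    $name = ($Matches['qname'] -replace '\(\d+\)', '.').Trim('.')
    [pscustomobject]@{
        Direction  = $Matches['dir']
        ClientIP   = $Matches['ip']
        IsResponse = [bool]$Matches['resp']   # 'R' is only present on responses
        QType      = $Matches['qtype']
        QName      = $name
    }
}

function Test-PrivateIPv4 {
    # RFC 1918 ranges plus loopback. Any other source reaching an internal-only DNS server
    # means UDP/53 is reachable from the Internet (or the source address was spoofed by an attacker).
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-DnsQuerySummary {
    param([string[]]$Lines, [int]$Top = 10)
    # Keep only queries the server received; responses and outbound recursion are excluded.
    $queries = $Lines | ForEach-Object { ConvertFrom-DnsDebugLine $_ } |
        Where-Object { $_.Direction -eq 'Rcv' -and -not $_.IsResponse }

    $external    = $queries | Where-Object { -not (Test-PrivateIPv4 $_.ClientIP) }
    # Record types with large answers are the ones amplification attacks ask for.
    $amplifiable = $queries | Where-Object { $_.QType -in 'ANY','TXT','RRSIG','DNSKEY' }
    $topClients  = $queries | Group-Object ClientIP | Sort-Object Count -Descending |
                   Select-Object Name, Count -First $Top
    $topNames    = $queries | Group-Object QName | Sort-Object Count -Descending |
                   Select-Object Name, Count -First $Top

    [pscustomobject]@{
        TotalQueries     = @($queries).Count
        ExternalQueries  = @($external).Count      # should be 0 on an internal-only server
        AmplifiableTypes = @($amplifiable).Count
        TopClients       = $topClients
        TopNames         = $topNames
    }
}

# Constructed sample lines (not a real capture) so the functions can be tried offline.
# Against the real log: Get-DnsQuerySummary -Lines (Get-Content 'C:\dnslogs\dns.log')
$sample = @(
 '5/30/2013 10:15:22 AM 0B9C PACKET  00000000033A74E0 UDP Rcv 203.0.113.7     1a2b   Q [0001   D   NOERROR] ANY    (10)directedat(4)asia(0)',
 '5/30/2013 10:15:22 AM 0B9C PACKET  00000000033A74E0 UDP Snd 203.0.113.7     1a2b R Q [8081   DR  NOERROR] ANY    (10)directedat(4)asia(0)',
 '5/30/2013 10:15:22 AM 0B9C PACKET  00000000033A7A10 UDP Rcv 203.0.113.7     1a2c   Q [0001   D   NOERROR] ANY    (10)directedat(4)asia(0)',
 '5/30/2013 10:15:23 AM 0B9C PACKET  00000000033A7F40 UDP Rcv 192.168.1.80    0004   Q [0001   D   NOERROR] ANY    (10)directedat(4)asia(0)',
 '5/30/2013 10:15:23 AM 0B9C PACKET  00000000033A8290 UDP Rcv 192.168.1.55    0005   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)'
)
$summary = Get-DnsQuerySummary -Lines $sample
$summary | Format-List TotalQueries, ExternalQueries, AmplifiableTypes
$summary.TopClients | Format-Table -AutoSize
$summary.TopNames   | Format-Table -AutoSize
```

Read the two counters together: ExternalQueries above zero means either UDP/53 is reachable from the Internet or the source addresses are spoofed (in a reflection attack they are the victim's address, as with 203.0.113.7 in the constructed sample), and either way the router rule is the thing to check first. A private address at the top of TopClients asking for ANY on the same name (192.168.1.80 in the sample) is the "infected local client" case BlueCompute raised, and that machine is where Process Explorer should be run next.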
LVL 27

Accepted Solution

by: Steve (earned 500 total points)
ID: 39265940
DNS does get a bit big, but it shouldn't normally cause system issues.

Did you use any tools to remove the virus?
Many tools try to be helpful by adding known virus-ridden websites to your hosts file, which is loaded into your DNS server's memory.

Check that the hosts file is either empty or only contains what you want it to.
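The thread ends with three separate suggestions: BlueCompute's recursion switch and sinkhole zone for directedat.asia, and Steve's hosts-file check. The script below puts them into one read-only audit plus a mitigation step. It is an added example, not code from this thread, and it assumes the DnsServer PowerShell module on Windows Server 2012, an elevated prompt, and the zone file name directedat.asia.dns (an assumption; the zone name and the 127.0.0.1 record value are the ones proposed in the thread). One caveat the thread does not spell out: on Windows DNS, disabling recursion also disables forwarders, so on a server that resolves Internet names for internal clients, as the question describes, that switch breaks their resolution. It is therefore opt-in here, and the sinkhole zone only shrinks the response; closing UDP/53 at the router is what removes the cause.

```powershell
# Added example (not from the thread): audit, then mitigate, the DNS amplification case
# on Windows Server 2012. Requires the DnsServer module and an elevated prompt.
Import-Module DnsServer

$SinkholeZone = 'directedat.asia'                                   # zone proposed in the thread
$HostsPath    = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-DnsExposureReport {
    # What this server currently exposes, without changing anything.
    $recursion    = Get-DnsServerRecursion
    $zone         = Get-DnsServerZone -Name $SinkholeZone -ErrorAction SilentlyContinue
    $hostsEntries = Get-Content $HostsPath | Where-Object { $_ -notmatch '^\s*(#|$)' }
    # Local UDP/53 listeners; whether any is reachable from the Internet must be confirmed at the router.
    $listeners    = netstat -ano -p udp | Select-String ':53\s'

    [pscustomobject]@{
        RecursionEnabled    = $recursion.Enable       # open resolver if true AND 53/udp is reachable from outside
        SinkholeZonePresent = [bool]$zone
        HostsFileEntries    = @($hostsEntries).Count  # hundreds here means a cleaner padded the hosts file
        Udp53Listeners      = @($listeners).Count
    }
}

function Set-DnsAmplificationMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Disabling recursion also disables forwarders on Windows DNS, so only use this switch
        # on a server that does not resolve Internet names for internal clients.
        [switch]$DisableRecursion
    )
    if ($DisableRecursion -and $PSCmdlet.ShouldProcess('DNS server', 'Disable recursion')) {
        Set-DnsServerRecursion -Enable $false
    }
    # Become authoritative for the abused name so the answer is a handful of small records
    # (SOA, NS, one A) instead of the large recursive response. The queries still arrive,
    # but the amplification factor, and the memory spent caching the real zone, go away.
    if (-not (Get-DnsServerZone -Name $SinkholeZone -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess($SinkholeZone, 'Create sinkhole zone')) {
            Add-DnsServerPrimaryZone -Name $SinkholeZone -ZoneFile "$SinkholeZone.dns"   # assumed file name
            Add-DnsServerResourceRecordA -ZoneName $SinkholeZone -Name '@' -IPv4Address '127.0.0.1'  # '@' = zone apex
        }
    }
}

Get-DnsExposureReport
# Dry run first, then apply without the recursion change unless this server has no internal resolver role:
Set-DnsAmplificationMitigation -WhatIf
# Set-DnsAmplificationMitigation
# Set-DnsAmplificationMitigation -DisableRecursion
```

Run the report before and after the change: SinkholeZonePresent should flip to true, HostsFileEntries should be the handful of lines you actually want (Steve's point), and if Udp53Listeners shows the server bound on its public-facing interface, the port-forward Eddy asked about is the next thing to remove.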