Solved

server 2012 DNS memory usage extremely high

Posted on 2013-05-30
Medium Priority
5,151 Views
Last Modified: 2014-02-20
Our MS Server 2012 recently had a virus and now it seems to be using too much memory for the DNS. I'm 95% positive that the server is now clean. I already disabled IPv6 which reduced the usage significantly. Still have way too many DNS requests and many of them are from a source called directedat.asia. Could our server be compromised? Everything else runs fine with no problems. We have a VOIP phone system that gets affected whenever the DNS utilization goes over 400MB. HELP.
Question by:markisback
7 Comments
 
LVL 4

Expert Comment

by:EddyvanOpdorp
ID: 39210283
Do you use the DNS server only for internal use ?
If this is the case, please check if port 53 is forwarded in the router. This is not necessary. Maybe a lot of requests are coming from the outside?
 

Author Comment

by:markisback
ID: 39219773
I think it is used only for internal use but how can I tell for sure? All of the clients are set to use the Server IP for the primary DNS and the internet provider for the secondary DNS.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39259123
Hi,

as per here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/74125383-dad6-4a60-af0c-471849af6dc2/ddos-on-server-2008-r2

and here: http://dnsamplificationattacks.blogspot.co.uk/2013/05/domain-directedatasia.html

This is a Distributed Denial of Service attack using DNS amplification - the source IP for the request is spoofed, and the zone in question (directedat.asia) is large, so your DNS server is tricked into helping DDoS the victim by spamming them with large DNS responses.

Good gen here: http://www.watchguard.com/infocenter/editorial/41649.asp and they recommend primarily disabling recursion on the DNS server ( http://technet.microsoft.com/en-us/library/cc771738.aspx ).

One option that springs to mind would be to create a fake DNS record, i.e. create a zone for directedat.asia and just have an A record for 127.0.0.1 to reduce the size of the response, but I'm not really sure what the implications of doing so would be... sorry.

Not a virus on your server though, I don't believe.

EDIT: sorry, just re-read and saw that your DNS server should be internal only.  As the previous poster said, please ensure UDP port 53 is not opened from the internetz.  Another possibility is that an infected local client is spamming out the DNS requests?
 
LVL 16

Expert Comment

by:gurutc
ID: 39259596
The recommendation for creating the zone with the localhost A record is a very good idea.  I've done the same with success.  Also, you can try using Process Explorer from Sysinternals to look at the network stack for the DNS service as well as the local process environment to possibly find what process is hooking to the DNS service.

You can run Wireshark Portable on the Server to see if a local client is sending requests also.

- gurutc
 
LVL 27

Accepted Solution

by:Steve (earned 1500 total points)
ID: 39265940
DNS does get a bit big but it shouldn't normally cause system issues.

Did you use any tools to remove the virus?
Many tools try to be helpful by adding known virus-ridden websites to your hosts file, which is loaded into your DNS server's memory.

Check that the hosts file is either empty or only contains what you want it to.
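The checks and mitigations discussed in this thread (recursion setting, a small local zone for directedat.asia, finding which client sends the queries, and the hosts-file check from the accepted answer), as an added PowerShell example that is not part of the thread. It assumes the DnsServer module on Windows Server 2012 in an elevated session; the log path and zone name are assumptions, and disabling recursion is only appropriate if LAN clients do not rely on this server to resolve internet names (otherwise the fix for an internal-only server is to stop exposing UDP/TCP 53 at the router or firewall).

```powershell
# Added example (not from the thread). Assumes the DnsServer PowerShell module on
# Windows Server 2012 and an elevated session. Paths and names are assumptions.
Import-Module DnsServer

# 1. Recursion state. Only disable it if LAN clients do not use this server to
#    resolve internet names; an internal-only server should instead not be
#    reachable on port 53 from the internet at all.
function Get-RecursionState {
    (Get-DnsServerRecursion).Enable
}
function Disable-Recursion {
    Set-DnsServerRecursion -Enable $false
}

# 2. Local zone for the abused domain: answering directedat.asia with one tiny
#    record means the server can no longer return the large real zone.
function Add-SinkholeZone {
    param([string]$ZoneName = "directedat.asia")
    if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns"
        Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name "@" -IPv4Address "127.0.0.1"
    }
}

# 3. Debug logging as an alternative to Wireshark: write received UDP queries to a file.
function Enable-QueryLogging {
    param([string]$LogPath = "C:\dns-debug.log")   # assumed path
    Set-DnsServerDiagnostics -Queries $true -ReceivePackets $true -UdpPackets $true `
        -EnableLoggingToFile $true -LogFilePath $LogPath
}

# 4. Summarise who is asking. Debug log lines look roughly like
#    "... UDP Rcv 192.168.1.50  4a3b   Q [0001   D   NOERROR] ANY  (10)directedat(4)asia(0)".
#    LAN addresses at the top point to an infected local client; for spoofed internet
#    traffic the addresses are the DDoS victim's, not the attacker's.
function Get-TopQuerySources {
    param([string]$LogPath = "C:\dns-debug.log", [int]$Top = 10)
    Get-Content $LogPath |
        ForEach-Object { if ($_ -match 'UDP\s+Rcv\s+(\S+)\s+\S+\s+Q\s+\[') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First $Top -Property Name, Count
}

# 5. Accepted answer: list any non-comment entries a cleanup tool left in the hosts file.
function Get-HostsEntries {
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_.Trim() -ne "" -and $_ -notmatch '^\s*#' }
}
```

Run `Enable-QueryLogging` for a few minutes while the memory climbs, then `Get-TopQuerySources`; turn the debug log off afterwards, since it grows quickly under a flood.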
