Solved

server 2012 DNS memory usage extremely high

Posted on 2013-05-30
Last Modified: 2014-02-20
Our MS Server 2012 recently had a virus and now it seems to be using too much memory for the DNS. I'm 95% positive that the server is now clean. I already disabled IPv6 which reduced the usage significantly. Still have way too many DNS requests and many of them are from a source called directedat.asia. Could our server be compromised? Everything else runs fine with no problems. We have a VOIP phone system that gets affected whenever the DNS utilization goes over 400MB. HELP.
Question by:markisback
7 Comments
 
LVL 4

Expert Comment

by:EddyvanOpdorp
ID: 39210283
Do you use the DNS server only for internal use ?
If this is the case, please check if port 53 is forwarded in the router. This is not necessary. Maybe there are a lot of requests coming from the outside?
 

Author Comment

by:markisback
ID: 39219773
I think it is used only for internal use but how can I tell for sure? All of the clients are set to use the Server IP for the primary DNS and the internet provider for the secondary DNS.
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39259123
Hi,

as per here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/74125383-dad6-4a60-af0c-471849af6dc2/ddos-on-server-2008-r2

and here: http://dnsamplificationattacks.blogspot.co.uk/2013/05/domain-directedatasia.html

This is a Distributed Denial of Service attack using DNS amplification - the source IP for the request is spoofed, and the zone in question (directedat.asia) is large so your DNS server is tricked into helping DDoS the victim by spamming them a large DNS response.

Good gen here: http://www.watchguard.com/infocenter/editorial/41649.asp and they recommend primarily disabling recursion on the DNS server ( http://technet.microsoft.com/en-us/library/cc771738.aspx ).

One option that springs to mind would be to create a fake DNS record, i.e. create a zone for directedat.asia and just have an A record for 127.0.0.1 to reduce the size of the response, but I'm not really sure what the implications of doing so would be... sorry.

Not a virus on your server though, I don't believe.

EDIT: sorry, just re-read and saw that your DNS server should be internal only.  As the previous poster said, please ensure UDP port 53 is not opened from the internetz.  Another possibility is that an infected local client is spamming out the DNS requests?
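The two mitigations recommended in the comment above (disable recursion, and sinkhole the abused zone with a loopback A record) as an added PowerShell example; this is not code from the thread. It assumes a Windows Server 2012 DNS server with the DnsServer module, run from an elevated prompt on the server; the zone file name, the one-hour TTL and the use of '@' for the zone apex are illustrative choices.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 with the
# DnsServer PowerShell module, run elevated on the DNS server itself.
Import-Module DnsServer

# 1. See whether recursion is on. A DNS server that answers recursive queries
#    on a port 53 reachable from the Internet is an open resolver and will
#    reflect spoofed queries at whoever the forged source address names.
Get-DnsServerRecursion

# Authoritative-only server: disable recursion outright.
# Do NOT do this on a server your LAN clients use to resolve Internet names
# (the situation in the question): with recursion off the server will not use
# forwarders either, so external resolution for the clients breaks. For that
# case the fix is to make sure UDP/TCP 53 is not forwarded or allowed in from
# the Internet, and to keep recursion for internal clients only.
# Set-DnsServerRecursion -Enable $false

# 2. Sinkhole the abused zone. Because the server is now authoritative for it,
#    the answer is a single loopback A record (plus the auto-created SOA/NS)
#    instead of the large recursive ANY response the attacker wants reflected.
$zone = 'directedat.asia'
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}
# '@' = zone apex; 127.0.0.1 as in the comment above.
Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' -IPv4Address '127.0.0.1' `
    -TimeToLive (New-TimeSpan -Hours 1)

# 3. Check what the server now answers for the name. ANY is the query type
#    amplification floods typically use, so that is the response size to look at.
Resolve-DnsName -Name $zone -Type ANY -Server 127.0.0.1

# Side effect: every client of this server now resolves directedat.asia to
# 127.0.0.1. Remove the zone once the abuse stops:
# Remove-DnsServerZone -Name $zone -Force
```

The sinkhole only shrinks responses for that one zone; an attacker can switch to any other large zone. Closing port 53 to the Internet (or not recursing for external sources) is the fix that holds.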
 
LVL 16

Expert Comment

by:gurutc
ID: 39259596
The recommendation for creating the zone with the localhost A record is a very good idea.  I've done the same with success.  Also, you can try using Process Explorer from Sysinternals to look at the network stack for the DNS service as well as the local process environment to possibly find what process is hooking to the DNS service.

You can run Wireshark Portable on the Server to see if a local client is sending requests also.

- gurutc
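To tell the two scenarios raised above apart (Internet sources hitting an exposed port 53, or one infected LAN client spamming queries) without a packet capture, the DNS server's own debug log can be turned on and summarised. The following is an added PowerShell example, not code from the thread: the cmdlets are from the DnsServer module on Server 2012, the log path is a placeholder, the sample log lines are constructed for the example and only approximate the debug-log layout, and the parsing regex is an assumption about that layout that may need adjusting against a real log.

```powershell
# Added example, not from the thread. Assumes Windows Server 2012 with the
# DnsServer module; the log path is a placeholder and the regex below is an
# assumption about the debug-log line format.
Import-Module DnsServer

# 1. Log received UDP queries to a file. Turn this off again afterwards:
#    packet logging is expensive on a busy server.
Set-DnsServerDiagnostics -Queries $true -ReceivePackets $true -UdpPackets $true `
    -EnableLoggingToFile $true -LogFilePath 'C:\DnsLogs\dns.log'

# 2. Parse the log into one record per received query: source IP, whether the
#    source is an RFC 1918 (LAN) address, query type and query name.
function Get-DnsQuerySummary {
    param([string[]]$Lines)

    # date time AM/PM thread PACKET id UDP|TCP Rcv <src> <xid> Q [flags] <qtype> <qname>
    $pattern = '^\S+\s+\S+\s+\S+\s+\S+\s+PACKET\s+\S+\s+(UDP|TCP)\s+Rcv\s+(?<src>\S+)\s+\S+\s+Q\s+\[[^\]]*\]\s+(?<qtype>\S+)\s+(?<qname>\S+)'

    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Source  = $Matches.src
                Private = [bool]($Matches.src -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')
                QType   = $Matches.qtype
                # "(10)directedat(4)asia(0)" -> "directedat.asia"
                QName   = ($Matches.qname -replace '\(\d+\)', '.').Trim('.')
            }
        }
    }
}

# Constructed sample lines approximating the debug-log format.
# For a real run use:  $lines = Get-Content 'C:\DnsLogs\dns.log'
$lines = @'
5/30/2013 9:15:02 AM 0B14 PACKET 0000000002A6F3D0 UDP Rcv 203.0.113.45 5d2a Q [0001 D NOERROR] ANY (10)directedat(4)asia(0)
5/30/2013 9:15:02 AM 0B14 PACKET 0000000002A6F3D0 UDP Rcv 203.0.113.45 5d2b Q [0001 D NOERROR] ANY (10)directedat(4)asia(0)
5/30/2013 9:15:02 AM 0B14 PACKET 0000000002A6F3D0 UDP Rcv 192.168.1.23 0c11 Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
5/30/2013 9:15:03 AM 0B14 PACKET 0000000002A6F3D0 UDP Rcv 198.51.100.9 77e0 Q [0001 D NOERROR] ANY (10)directedat(4)asia(0)
'@ -split "`r?`n"

$queries = Get-DnsQuerySummary -Lines $lines

# 3. Top talkers. Many public sources asking ANY for one big zone means the
#    server is reachable from the Internet and being used as a reflector; those
#    "sources" are the spoofed victims, not the attacker. A single LAN address
#    with a huge count is the infected client to pull off the network.
$queries | Group-Object Source, QType, QName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# LAN vs. non-LAN split at a glance.
$queries | Group-Object Private |
    Select-Object @{ n = 'FromLAN'; e = { $_.Name } }, Count
```

On the constructed sample the top group is 203.0.113.45 / ANY / directedat.asia, and three of the four queries come from non-LAN addresses, i.e. the reflector pattern rather than an infected client.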
 
LVL 27

Accepted Solution

by: Steve earned 1500 total points
ID: 39265940
DNS does get a bit big but it shouldn't normally cause system issues.

Did you use any tools to remove the virus?
Many tools try to be helpful by adding known virus-ridden websites to your hosts file, which is loaded into your DNS server's memory.

Check the hosts file is either empty or only contains what you want it to.