server 2012 DNS memory usage extremely high

Our MS Server 2012 recently had a virus and now it seems to using too much memory for the DNS. I'm 95% positive that the server is now clean. I already disabled IPv6 which reduced the usage significantly. Still have way too many dns requests and many of them are
from a source called directedat.asia. Could our server be comprised? Everything else runs fine with no problems. We have a VOIP phone system that gets affected whenever the DNS utilization goes over 400MB. HELP.
markisbackAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
SteveConnect With a Mentor Commented:
DNS does get a bit big but it shouldn't normally cause system issues.

did you use any tools to remove the virus?
many tools try to be helpful by adding known virus ridden websites to your hosts file, which is loaded into your DNS server's memory.

Check the hosts file is either empty or only contains what you want it to.
0
 
EddyvanOpdorpCommented:
Do you use the DNS server only for internal use ?
If this is the case, please check if port 53 is forwarded in the router. This is not necessary. Maybe the are comming a lot of requests from the outside ?
0
 
markisbackAuthor Commented:
I think it is used only for internal use but how can I tell for sure? All of the clients are set to use the Server IP for the primary DNS and the internet provider for the secondary DNS.
0
 
BlueComputeCommented:
Hi,

as per here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/74125383-dad6-4a60-af0c-471849af6dc2/ddos-on-server-2008-r2

and here: http://dnsamplificationattacks.blogspot.co.uk/2013/05/domain-directedatasia.html

This is a Distributed Denial of Service attack using DNS amplification - the source IP for the request is spoofed, and the zone in question (directedat.asia) is large so your DNS server is tricked into helping DDoS the victim by spamming them a large DNS response.

Good gen here: http://www.watchguard.com/infocenter/editorial/41649.asp and they recommend primarily disabling recursion on the DNS server ( http://technet.microsoft.com/en-us/library/cc771738.aspx ).

One option that springs to mind would be to create a fake DNS record, ie create a zone for directedat.asia and just have an A record for 127.0.0.1 to reduce the size of the response, but I'm not really sure what the implications of doing so would be... sorry.

Not a virus on your server though, I don't believe.

EDIT: sorry, just re-read and saw that your DNS server should be internal only.  As the previous poster said, please ensure UDP port 53 is not opened from the internetz.  Another possibility is that an infected local client is spamming out the DNS requests?
0
 
gurutcCommented:
The recommendation for creating the zone with the localhost A record is a very good idea.  I've done the same with success.  Also, you can try using Process Explorer from Sysinternals to look at the network stack for the DNS service as well as the local process environment to possibly find what process is hooking to the DNS service.

You can run Wireshark Portable on the Server to see if a local client is sending requests also.

- gurutc
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.