Solved

server 2012 DNS memory usage extremely high

Posted on 2013-05-30
7
4,069 Views
Last Modified: 2014-02-20
Our MS Server 2012 recently had a virus and now it seems to using too much memory for the DNS. I'm 95% positive that the server is now clean. I already disabled IPv6 which reduced the usage significantly. Still have way too many dns requests and many of them are
from a source called directedat.asia. Could our server be comprised? Everything else runs fine with no problems. We have a VOIP phone system that gets affected whenever the DNS utilization goes over 400MB. HELP.
0
Comment
Question by:markisback
7 Comments
 
LVL 4

Expert Comment

by:EddyvanOpdorp
ID: 39210283
Do you use the DNS server only for internal use ?
If this is the case, please check if port 53 is forwarded in the router. This is not necessary. Maybe the are comming a lot of requests from the outside ?
0
 

Author Comment

by:markisback
ID: 39219773
I think it is used only for internal use but how can I tell for sure? All of the clients are set to use the Server IP for the primary DNS and the internet provider for the secondary DNS.
0
 
LVL 14

Expert Comment

by:BlueCompute
ID: 39259123
Hi,

as per here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/74125383-dad6-4a60-af0c-471849af6dc2/ddos-on-server-2008-r2

and here: http://dnsamplificationattacks.blogspot.co.uk/2013/05/domain-directedatasia.html

This is a Distributed Denial of Service attack using DNS amplification - the source IP for the request is spoofed, and the zone in question (directedat.asia) is large so your DNS server is tricked into helping DDoS the victim by spamming them a large DNS response.

Good gen here: http://www.watchguard.com/infocenter/editorial/41649.asp and they recommend primarily disabling recursion on the DNS server ( http://technet.microsoft.com/en-us/library/cc771738.aspx ).

One option that springs to mind would be to create a fake DNS record, ie create a zone for directedat.asia and just have an A record for 127.0.0.1 to reduce the size of the response, but I'm not really sure what the implications of doing so would be... sorry.

Not a virus on your server though, I don't believe.

EDIT: sorry, just re-read and saw that your DNS server should be internal only.  As the previous poster said, please ensure UDP port 53 is not opened from the internetz.  Another possibility is that an infected local client is spamming out the DNS requests?
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39259596
The recommendation for creating the zone with the localhost A record is a very good idea.  I've done the same with success.  Also, you can try using Process Explorer from Sysinternals to look at the network stack for the DNS service as well as the local process environment to possibly find what process is hooking to the DNS service.

You can run Wireshark Portable on the Server to see if a local client is sending requests also.

- gurutc
0
 
LVL 27

Accepted Solution

by:
Steve earned 500 total points
ID: 39265940
DNS does get a bit big but it shouldn't normally cause system issues.

did you use any tools to remove the virus?
many tools try to be helpful by adding known virus ridden websites to your hosts file, which is loaded into your DNS server's memory.

Check the hosts file is either empty or only contains what you want it to.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question