Solved

Microsoft Windows Performance Monitor, DNS, and "Unmatched Responses Received"

Posted on 2013-06-27
2
715 Views
Last Modified: 2013-06-28
We've just replaced our aging, self-hosted, BIND DNS, public-facing physical name servers with Windows Server 2012 DNS virtual servers.  They're operating quite well.

Using Windows Performance Monitor, we're tracking the "UDP Queries Received/sec" and "UDP Response Sent/sec" which look good, peaking in the 300-400/sec range.

We also took a look a the "Unmatched Responses Received" statistic, currently at 427 after 10 days of uptime.  In comparison, this number is negligible compared to the successful response rate, but the interesting thing is that I've been unable to find any information to determine what an "Unmatched Response" is when related to DNS.

My searches to try to explain or define it have only found one or two mentions in passing, in discussions of DNS DDOS attacks, and in logging.  Can anyone fully define this for us, and explain what a sudden increase in "Unmatched Responses" might indicate?  Any URLs to plain, detailed information are certainly appreciated.

Thank you.

Dimarc67
Frederick, MD
0
Comment
Question by:Dimarc67
2 Comments
 
LVL 25

Accepted Solution

by:
DrDave242 earned 500 total points
ID: 39286000
An unmatched response appears to be a DNS response packet sent to a machine that never issued a corresponding DNS query. This typically indicates that there's some source address spoofing going on somewhere, and a large number of these can indicate that a DNS amplification attack (a type of DDOS attack, as you said) is underway. This TechNet article does a good job of explaining how it all works.

I wouldn't worry about 427 unmatched responses over ten days, but if that counter suddenly spikes, you may be under attack.
0
 
LVL 4

Author Closing Comment

by:Dimarc67
ID: 39286042
Great response, Doc.  Thorough, corroborated, and specifically addresses the question.  Thanks much!
0

Featured Post

Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

Join & Write a Comment

I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now