Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Microsoft Windows Performance Monitor, DNS, and "Unmatched Responses Received"

Posted on 2013-06-27
2
Medium Priority
?
829 Views
Last Modified: 2013-06-28
We've just replaced our aging, self-hosted, BIND DNS, public-facing physical name servers with Windows Server 2012 DNS virtual servers.  They're operating quite well.

Using Windows Performance Monitor, we're tracking the "UDP Queries Received/sec" and "UDP Response Sent/sec" which look good, peaking in the 300-400/sec range.

We also took a look a the "Unmatched Responses Received" statistic, currently at 427 after 10 days of uptime.  In comparison, this number is negligible compared to the successful response rate, but the interesting thing is that I've been unable to find any information to determine what an "Unmatched Response" is when related to DNS.

My searches to try to explain or define it have only found one or two mentions in passing, in discussions of DNS DDOS attacks, and in logging.  Can anyone fully define this for us, and explain what a sudden increase in "Unmatched Responses" might indicate?  Any URLs to plain, detailed information are certainly appreciated.

Thank you.

Dimarc67
Frederick, MD
0
Comment
Question by:Dimarc67
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 27

Accepted Solution

by:
DrDave242 earned 2000 total points
ID: 39286000
An unmatched response appears to be a DNS response packet sent to a machine that never issued a corresponding DNS query. This typically indicates that there's some source address spoofing going on somewhere, and a large number of these can indicate that a DNS amplification attack (a type of DDOS attack, as you said) is underway. This TechNet article does a good job of explaining how it all works.

I wouldn't worry about 427 unmatched responses over ten days, but if that counter suddenly spikes, you may be under attack.
0
 
LVL 4

Author Closing Comment

by:Dimarc67
ID: 39286042
Great response, Doc.  Thorough, corroborated, and specifically addresses the question.  Thanks much!
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question