recursive DNS in windows 2008 R2 servers

I recently got a letter from my ISP complaining about rdns coming out of my site.

I have a firewall and behind this 900-ish devices. I have 2 primary DNS servers.

Server 1 shows 1,342,000 recursive queries. On average about 1.5 - 2 per second.

I need to / want to figure out where these are coming from so I can find out what they are looking for and adjust it.

I have used perfmon to gather some information, and have used netmon to gather packets and filter DNS, but I'm not exactly sure what I am looking for.

How do I trace this rdns issue?
I have reset the dns servers and started at zero to monitor.
wlacroix asked:
footech commented:
If reverse DNS queries are for internal addresses, make sure that you have appropriate reverse zones set up on your internal DNS.

Or are the queries for external addresses?
wlacroix (author) commented:
I think they are external.

Out of 2300 queries only 80 have failed since the reset.

How do I tell an internal query from an external one?
Bruno PACI (IT Consultant) commented:
Hi,

If you want to make sure that reverse DNS queries will not be forwarded outside of your organization, and if you're sure you don't need to resolve external reverse DNS names, you can create a reverse lookup zone on your internal DNS servers named "in-addr.arpa".
This DNS zone acts as the "." DNS zone for forward lookup zones: it's the "root" zone.
If your internal DNS servers host the "in-addr.arpa" reverse DNS zone then they will always give a negative authoritative response for any reverse query that does not match any existent reverse zone, and they will not forward the query to external DNS servers.

To create the in-addr.arpa reverse zone on a Windows 2008 R2 server do the following:

1) In the DNS console, right-click the container "Reverse Lookup Zones" and choose "New Zone".
2) On the "Welcome" window click "Next".
3) As "Zone type" select "Primary" and, if you want to store the zone in AD, check the box at the bottom, then "Next".
4) Select "IPv4..." then "Next".
5) Select the option "Reverse lookup zone name" instead of "Network ID" and type the name "in-addr.arpa", then click "Next".
6) Depending on whether you chose an AD-integrated zone or a standard zone you may be asked for the file name to store the DNS zone... just click "Next".
7) Make your choice about the dynamic update option and click "Next" (personally, as it is a "root" reverse DNS zone, I would refuse any dynamic updates).
8) Click "Finish".

Now your DNS server will no longer forward any reverse DNS query. It will just answer "non-existent domain" for any reverse DNS query that does not match any other internal reverse DNS zone.


CAUTION: if you have an Exchange server or any other messaging server in your network that needs to make RDNS queries to check for spam, you might want to configure that server specifically to query external DNS servers for the RDNS check.


Have a good day


footech commented:
What I meant by internal was whether the query was for an address in a subnet used by your internal network or not.

Does your edge firewall allow DNS from any internal device (for example can you query Google's public DNS directly from your workstation?) or does it limit DNS to only come from your DNS servers?
wlacroix (author) commented:
We can query any DNS server from inside.
Standard firewall rules if on inside allow out.

I do have reverse zones (in-addr.arpa) for all of my subnets, the IPs but not the domains.
footech commented:
The next question to answer is, "Where are the requests coming from?" If your edge firewall could show you that would be great, otherwise look at the network captures on your DNS servers. They should tell you if the queries are coming into the DNS server (and then being forwarded on) and from where. If you don't see evidence of the queries coming into the DNS servers, that would mean that another device (or devices) is making queries to external servers directly. I don't know of a quick way of analyzing the captures since that's not my forte.
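As an added example (not part of this thread, and not a Microsoft or Experts Exchange tool), here is a Python script that does the analysis footech describes over the Windows DNS server's own debug log (enabled on the server's Debug Logging tab) rather than a packet capture: it tallies received PTR queries per client, splits them into internal and external targets using footech's definition (is the address being looked up inside one of your subnets), and reports which of those queries the server would still have to forward given the reverse zones it hosts, so you can see the effect of adding the "in-addr.arpa" root zone Bruno describes. The internal subnets (10.0.0.0/8 and 192.168.0.0/16), the hosted zone list and the log lines are constructed assumptions, and the regex only approximates the PACKET lines of the debug log, so check it against a few real lines before trusting the counts.

```python
"""Tally reverse (PTR) queries from a Windows DNS server debug log.

Added example for this thread; not a Microsoft or Experts Exchange tool.
Assumptions: INTERNAL_NETS, INTERNAL_ZONES and SAMPLE_LOG are constructed,
and LINE_RE approximates the debug log's PACKET lines (Rcv/Snd, remote IP,
XID, optional "R" response flag, opcode Q, [flags], QTYPE, (len)label name).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines.  Only received (Rcv) queries (no "R" flag) for
# QTYPE PTR are counted; the Snd line is the server forwarding upstream and
# the "R Q" line is the upstream answer coming back.
SAMPLE_LOG = [
    "2/5/2014 10:21:15 AM 0B2C PACKET  00000000027E7C70 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] PTR    (1)4(1)3(1)2(1)1(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:15 AM 0B2C PACKET  00000000027E7C70 UDP Snd 8.8.8.8         0003   Q [0001   D   NOERROR] PTR    (1)4(1)3(1)2(1)1(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:15 AM 0B2C PACKET  00000000027E7C70 UDP Rcv 8.8.8.8         0003 R Q [8081   DR  NOERROR] PTR    (1)4(1)3(1)2(1)1(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:16 AM 0B2C PACKET  00000000027E7D10 UDP Rcv 10.0.0.25       0004   Q [0001   D   NOERROR] PTR    (1)1(1)0(1)0(2)10(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:16 AM 0B2C PACKET  00000000027E7D10 UDP Rcv 10.0.0.25       0005   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "2/5/2014 10:21:17 AM 0B2C PACKET  00000000027E7E40 UDP Rcv 10.0.5.77       0006   Q [0001   D   NOERROR] PTR    (1)8(1)8(1)8(1)8(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:17 AM 0B2C PACKET  00000000027E7E40 UDP Rcv 10.0.5.77       0007   Q [0001   D   NOERROR] PTR    (2)25(1)0(1)0(2)10(7)in-addr(4)arpa(0)",
    "2/5/2014 10:21:18 AM 0B2C PACKET  00000000027E7E40 UDP Rcv 10.0.5.77       0008   Q [0001   D   NOERROR] PTR    (1)9(3)113(1)0(3)203(7)in-addr(4)arpa(0)",
]
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16"]   # assumption: your own subnets go here
INTERNAL_ZONES = ["10.in-addr.arpa"]               # assumption: reverse zones the server hosts

LINE_RE = re.compile(
    r"\b(?P<dir>Rcv|Snd)\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+\w+\s+"
    r"(?P<resp>R)?\s*Q\s+\[[^\]]*\]\s+(?P<qtype>\w+)\s+(?P<qname>\S+)"
)


def decode_name(raw):
    """Turn the log's (len)label form into a dotted name: (3)www(7)example(3)com(0) -> www.example.com."""
    return re.sub(r"\(\d+\)", ".", raw).strip(".").lower()


def ptr_name_to_ip(qname):
    """Map a PTR query name (d.c.b.a.in-addr.arpa) back to the IPv4 address a.b.c.d, or None."""
    name = qname.lower().rstrip(".")
    if not name.endswith(".in-addr.arpa"):
        return None
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def closest_zone(qname, zones):
    """Longest hosted zone that is a suffix of qname (the zone the server answers
    from).  None means the server is not authoritative and would forward."""
    name = qname.lower().rstrip(".")
    best = None
    for zone in zones:
        z = zone.lower().rstrip(".")
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def summarize(log_lines, internal_nets, zones):
    """Per-client internal/external PTR counts, plus how many would be forwarded."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    per_client = {}          # client IP -> Counter({"internal": n, "external": n})
    forwarded = Counter()    # client IP -> queries with no authoritative zone
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp") or m.group("qtype") != "PTR":
            continue
        client = m.group("remote")
        qname = decode_name(m.group("qname"))
        target = ptr_name_to_ip(qname)
        scope = "internal" if target is not None and any(target in n for n in nets) else "external"
        per_client.setdefault(client, Counter())[scope] += 1
        if closest_zone(qname, zones) is None:
            forwarded[client] += 1
    return {"per_client": per_client, "forwarded": dict(forwarded)}


if __name__ == "__main__":
    for label, zones in (("without in-addr.arpa root zone", INTERNAL_ZONES),
                         ("with in-addr.arpa root zone", INTERNAL_ZONES + ["in-addr.arpa"])):
        result = summarize(SAMPLE_LOG, INTERNAL_NETS, zones)
        print(label)
        for client, scopes in sorted(result["per_client"].items()):
            print(f"  {client}: {dict(scopes)} forwarded={result['forwarded'].get(client, 0)}")
```

On the sample, both clients send PTR queries for external addresses; without the root zone those three queries are forwarded upstream (the traffic the ISP is complaining about), and with "in-addr.arpa" hosted locally none are, while the queries for 10.x addresses are answered from the 10.in-addr.arpa zone either way. Run it over the real log to get the per-client list, then go and see what those machines are doing with the PTR answers.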