wlacroix
recursive DNS in windows 2008 R2 servers
I recently got a letter from my ISP complaining about rdns coming out of my site.
I have a firewall and behind this 900 ish devices. I have 2 primary DNS servers.
Server 1 shows 1,342,000 recursive queries. On avg about 1.5 - 2 per second.
I need to / want to figure out where these are coming from so I can find out what they are looking for and adjust it.
I have used perfmon to gather some information, and have used netmon to gather packets and filter DNS, but I'm not exactly sure what I am looking for.
How do I trace this rdns issue?
I have reset the dns servers and started at zero to monitor.
ASKER
I think they are external.
Out of 2300 queries only 80 have failed since the reset.
How do I tell an internal query from an external one?
What I meant by internal was whether the query was for an address in a subnet used by your internal network or not.
Does your edge firewall allow DNS from any internal device (for example can you query Google's public DNS directly from your workstation?) or does it limit DNS to only come from your DNS servers?
ASKER
We can query any dns server from inside.
Standard firewall rules if on inside allow out.
I do have reverse (in-addr.arpa) zones for all of my subnets, the IPs but not the domains.
The next question to answer is, "Where are the requests coming from?" If your edge firewall could show you that, that would be great; otherwise look at the network captures on your DNS servers. They should tell you if the queries are coming into the DNS server (and then being forwarded on) and from where. If you don't see evidence of the queries coming into the DNS servers, that would mean that another device (or devices) was making queries to external servers directly. I don't know of a quick way of analyzing the captures since that's not my forte.
Or are the queries for external addresses?
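An added example, not from anyone in this thread, of one way to answer "where are the requests coming from": instead of reading netmon packets by hand, it tallies recursion-desired queries received by the server per client, per queried name and by internal/external origin from Windows DNS Server debug-log lines. The log layout, the regex and the sample lines are assumed/constructed here; check them against your own dns.log and put the site's real subnets in INTERNAL_NETS.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the (assumed) layout of a Windows DNS Server debug log.
SAMPLE_LOG = """\
5/1/2012 9:00:01 AM 0B2C PACKET  0000000002A0FB10 UDP Rcv 10.1.1.25       0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/1/2012 9:00:01 AM 0B2C PACKET  0000000002A0FB10 UDP Snd 198.51.100.7    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/1/2012 9:00:02 AM 0B2C PACKET  0000000002A0FB20 UDP Rcv 10.1.1.25       0003   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
5/1/2012 9:00:02 AM 0B2C PACKET  0000000002A0FB30 UDP Rcv 203.0.113.9     0004   Q [0001   D   NOERROR] A      (6)victim(3)org(0)
5/1/2012 9:00:03 AM 0B2C PACKET  0000000002A0FB40 UDP Rcv 10.1.2.40       0005   Q [0000       NOERROR] A      (4)host(5)corp(5)local(0)
"""

# Address space treated as "inside the firewall"; replace with the site's real subnets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^\S+ \S+ (?:AM|PM) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) "
    r"(?P<ip>\S+)\s+\S+\s+(?P<qr>[QR]) \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

def decode_name(wire):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", wire) if lbl)

def parse_line(line):
    """Return the fields of one packet line, or None for lines that are not packets."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flag_tokens = m.group("flags").split()
    # Letter tokens between the hex flags word and the rcode carry D (recursion desired);
    # the rcode is excluded so that the 'D' in NXDOMAIN is not miscounted.
    recursion_desired = any("D" in t for t in flag_tokens[1:-1])
    return {"dir": m.group("dir"), "ip": m.group("ip"), "is_query": m.group("qr") == "Q",
            "rd": recursion_desired, "qtype": m.group("qtype"), "name": decode_name(m.group("name"))}

def is_internal(ip, nets=INTERNAL_NETS):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def summarize(log_text, nets=INTERNAL_NETS):
    """Count recursion-desired queries received by the server, per client, per name and by origin."""
    by_client, by_name, origin = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dir"] != "Rcv" or not rec["is_query"] or not rec["rd"]:
            continue  # skip non-packet lines, forwarded (Snd) packets, responses and iterative queries
        by_client[rec["ip"]] += 1
        by_name[rec["name"]] += 1
        origin["internal" if is_internal(rec["ip"], nets) else "external"] += 1
    return by_client, by_name, origin
```

Any recursion-desired query counted under "external" came from outside your subnets and is exactly what the ISP's open-resolver complaint is about; a large "internal" count from one client points at a chatty or misconfigured device to look at.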