DNS query packets

Hi,

I have just found that about 1000 packets were sent out from our local DNS server to the domain nielsen.com 65.171.135.57. All packets were dropped by our firewall, but I want to understand what is actually going on.

Our local DNS server is configured to use our ISP DNS forwarders. So, as far as I understand how DNS works, all DNS queries should go through our DNS server, and then it forwards any unknown name to its forwarder IP addresses when resolving domain names.

2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"

2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"

2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"


When I looked for the source port number on the DNS server, it says dns.exe and there are hundreds of them. Please see the attached screenshot.
TCPVIEW.png
Educad Asked:

Mal Osborne (Alpha Geek) Commented:
Looks pretty normal to me. The DNS server is forwarding to a configured forwarder. It uses a random port to connect to port 53 on the remote DNS server.

I tend not to use forwarders, but if you want to, you need to let any source port connect to 53.
0
Kimputer Commented:
Can you check the source IP again? It looks like it should be multiple requests from different sources (see the different src MAC addresses). In that case, it could be a virus, or just an app they all use. DNS packets are quite plain-text readable if you use Wireshark, so taking a look at what the packets actually are might provide more insight as well (you might need to temporarily allow the traffic though). As of right now, it IS a valid DNS server (responds well), and even rejects non-nielsen.com DNS requests (like any private DNS server would), so it is still possible those are valid packets from a valid app.
0
David Johnson, CD, MVP (Owner) Commented:
Your DNS server should only respond to requests from your local network. Yours is allowing requests from the WAN and being used for a DNS amplification attack.
0
mikebernhardt Commented:
As someone else pointed out, the log entries you posted initially have 2 different source MAC addresses. Since we can't see the source IP address, you will have to tell us whether they are the same or different, and what they belong to. You really shouldn't hide your 172.16 addresses from us anyway; what are we going to do with them?

So, where are those firewall log entries? I assume they are on your, well, firewall. They may have nothing to do with your DNS server. Again, what are those source MACs and IPs? They could be misconfigured PCs, or compromised PCs, which are trying to reach a DNS server outside of your network.
0
Mal Osborne (Alpha Geek) Commented:
The source IP in each packet is 172.16.x.x, destination 65.171.135.57. This is clearly OUTBOUND traffic, from an internal IP address. Almost certainly this is the DNS server forwarding requests to a configured external DNS server.
0
Educad (Author) Commented:
I should have left the IP addresses in to avoid the confusion. The source IP addresses are different. The first packet was from server 3, which is the alternative DNS, and the second and third packets were from server 1, which is the primary DNS.

These logs are from our firewall. Our firewall only allows DNS packets going to the defined ISP DNS servers. So I understand it is normal to drop the packets, but I am not sure why there are so many packets generated from server 1 and server 3.

2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.3" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"

2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"

2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"
0
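The thread turns on three questions that the firewall log alone can answer once the fields are parsed: how many packets each internal source sent to each destination, whether any destination is outside the set of configured forwarders, and whether a single source IP shows up behind more than one MAC address (which would point at a second host rather than the DNS server). The following script is an added example written for this page, not code from the thread or from the firewall vendor. It parses ulogd-style key="value" lines; the first three sample lines are the ones quoted above, the last two are constructed (198.51.100.53 is a documentation-range placeholder standing in for the ISP forwarder, and the aa:bb:cc:dd:ee:ff MAC is invented to show the duplicate-MAC check firing). The set of allowed forwarders is an assumed input.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. Lines 1-3 are the "Packet dropped" entries quoted in
# the thread; lines 4-5 are made up for this example (placeholder forwarder
# address 198.51.100.53, invented second MAC for 172.16.11.1).
SAMPLE_LOG = """\
2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.3" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"
2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"
2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"
2015:10:12-09:29:50 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="10" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="198.51.100.53" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58156" dstport="53"
2015:10:12-09:30:01 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="aa:bb:cc:dd:ee:ff" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="64" srcport="40001" dstport="53"
"""

# Matches every key="value" pair in a ulogd line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd_line(line):
    """Split one ulogd line into its leading timestamp and its key="value" fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def outbound_dns_packets(log_text):
    """Yield the parsed fields of every UDP (proto 17) packet to destination port 53."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_ulogd_line(line)
        if fields.get("proto") == "17" and fields.get("dstport") == "53":
            yield fields


def dns_egress_summary(log_text, allowed_forwarders):
    """Count packets per (srcip, srcmac, dstip) and flag every destination that
    is not one of the configured forwarders. Returns a sorted list of dicts."""
    counts = Counter(
        (f["srcip"], f["srcmac"], f["dstip"]) for f in outbound_dns_packets(log_text)
    )
    return [
        {
            "srcip": srcip,
            "srcmac": srcmac,
            "dstip": dstip,
            "packets": n,
            "unexpected_destination": dstip not in allowed_forwarders,
        }
        for (srcip, srcmac, dstip), n in sorted(counts.items())
    ]


def sources_with_multiple_macs(log_text):
    """Map each source IP seen with more than one source MAC to the sorted list
    of MACs. One IP behind two MACs means a second host is using that address,
    so the traffic cannot all be attributed to the DNS server itself."""
    macs = defaultdict(set)
    for f in outbound_dns_packets(log_text):
        macs[f["srcip"]].add(f["srcmac"])
    return {ip: sorted(seen) for ip, seen in macs.items() if len(seen) > 1}


def packets_per_destination(log_text):
    """Total UDP/53 packets per destination IP, to spot the one target that dominates."""
    return Counter(f["dstip"] for f in outbound_dns_packets(log_text))


if __name__ == "__main__":
    allowed = {"198.51.100.53"}  # assumed: the ISP forwarder(s) the firewall permits
    for row in dns_egress_summary(SAMPLE_LOG, allowed):
        flag = "UNEXPECTED" if row["unexpected_destination"] else "ok"
        print(f'{row["srcip"]:14} {row["srcmac"]:18} -> {row["dstip"]:15} {row["packets"]:3}  {flag}')
    print("per destination:", dict(packets_per_destination(SAMPLE_LOG)))
    print("IPs seen with more than one MAC:", sources_with_multiple_macs(SAMPLE_LOG))
```

Run against the real ulogd export with the actual forwarder addresses in `allowed`: if every source IP maps to exactly one MAC and that MAC belongs to the DNS server, the packets are the resolver's own queries and the question becomes what it is trying to resolve; if an IP shows up with a MAC that is not the server's, a different host on the segment is generating the traffic.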
Educad (Author) Commented:
Malmensa,

The destination IP addresses in the packets are not our ISP forwarder IP addresses. Could you please explain to me why you do not tend to use DNS forwarders?
0
David Johnson, CD, MVP (Owner) Commented:
Each DNS server has to have its forwarders set independently. Don't forget to uncheck "use root hints when forwarders are not available".
0
David Johnson, CD, MVP (Owner) Commented:
Someone is part of the Nielsen group (TV ratings collector).
65.171.135.57 translates to collectionsfo-gtm3.nielsen.com
http://www.nielsen.com/ca/en.html
If this is not desired, then I'd suggest that it may be malware related.
0
Mal Osborne (Alpha Geek) Commented:
Without forwarders, your DNS server will start with the root servers and do multiple DNS queries in response to each query it gets from a client. With forwarders, it just grabs everything from another DNS server.

Sometimes foreign DNS servers have problems; many ignore aging parameters and will return stale records. It also adds another point of failure.

Some say using forwarders is faster, but with caching there is very little real-world difference.

I prefer not to have to rely on a third-party DNS server; it simplifies things when there is just your own to worry about.

Either method works.
0
Educad (Author) Commented:
David, you said "Each DNS server has to have its forwarders set independently. Don't forget to uncheck use root hints when forwarders are not available."

Is it best practice to uncheck "use root hints when forwarders are not available"?
0
David Johnson, CD, MVP (Owner) Commented:
Past experience has shown that some of the root hints servers are unreliable. There are much more reliable public DNS servers out there.
0
Educad (Author) Commented:
Thank you for your prompt answer.

I added the two ISP DNS forwarders and Google Public DNS to the forwarders list and unchecked "use root hints server". Our firewall allows only DNS packets going to the ISP DNS and Google DNS. Does it sound secure and configured properly?
0
David Johnson, CD, MVP (Owner) Commented:
Sounds like it is fine.
0