Educad
asked on
DNS query packets
Hi,
I have just found that about 1000 packets were sent out from our local DNS server to the domain nielsen.com 65.171.135.57. All packets were dropped by our firewall, but I want to understand what is actually going on.
Our local DNS server is configured to use our ISP DNS forwarders. So, as far as I understand how DNS works, all DNS queries should go through our DNS server, and then it forwards any unknown name to its forwarder IP addresses when resolving domain names.
2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"
2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"
2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.x.x" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"
When I looked for the source port number on the DNS server, it says dns.exe and there are hundreds of them. Please see the attached screenshot.
[Attachment: TCPVIEW.png]
Can you check the source IP again? It looks like it should be multiple requests from different sources (see the different src MAC addresses). In that case, it could be a virus, or just an app they all use. DNS packets are quite plain-text readable if you use Wireshark, so taking a look at what the packets actually are might provide more insight as well (you might need to temporarily allow the traffic, though). As of right now, it IS a valid DNS server (responds well), and even rejects non-nielsen.com DNS requests (like any private DNS server would), so it is still possible those are valid packets from a valid app.
Your DNS server should only respond to requests from your local network. Yours is allowing requests from the WAN and being used for a DNS amplification attack.
As someone else pointed out, the log entries you posted initially have 2 different source MAC addresses. Since we can't see the source IP address, you will have to tell us whether they are the same or different, and what they belong to. You really shouldn't hide your 172.16 addresses from us anyway, what are we going to do with them?
So, where are those firewall log entries? I assume they are on your, well, firewall. They may have nothing to do with your DNS server. Again, what are those source MACs and IPs? They could be misconfigured PCs, or compromised PCs, which are trying to reach a DNS server outside of your network.
The source IP in each packet is 172.16.x.x, destination 65.171.135.57. This is clearly OUTBOUND traffic, from an internal IP address. Almost certainly this is the DNS server forwarding requests to a configured external DNS server.
ASKER
I should have left the IP address to avoid the confusion. Source IP addresses are different. The first packet was from server 3 which is alternative DNS, and the second and third packets were from server 1 which is primary DNS.
These logs are from our firewall. Our firewall only allows DNS packets going to the defined ISP DNS servers. So I understand it is normal to drop the packets, but I am not sure why there are so many packets generated from server 1 and server 3.
2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.3" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"
2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"
2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"
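One way to triage the firewall lines above, as an added example rather than code from anyone in the thread: parse the ulogd key="value" format, count UDP/53 packets per internal source and destination, note which source MAC each internal IP used, and flag destinations that are not on the allowlist of approved forwarders. The embedded sample is the three dropped lines as posted (with the source IPs the asker later supplied); the ISP forwarder address 203.0.113.10 is a placeholder, since the thread never gives the real one.

```python
import re

# Constructed sample: the three dropped lines as posted in the thread, with the
# source IPs the asker later supplied.
SAMPLE_LOG = """\
2015:10:12-09:55:15 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="34:40:b5:8f:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.3" dstip="65.171.135.57" proto="17" length="83" tos="0x00" prec="0x00" ttl="127" srcport="61963" dstport="53"
2015:10:12-09:54:49 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="56141" dstport="53"
2015:10:12-09:29:48 fw ulogd[30332]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="11" initf="eth2" outitf="ppp0" srcmac="40:f2:e9:33:xx:xx" dstmac="00:1a:8c:xx:xx:xx" srcip="172.16.11.1" dstip="65.171.135.57" proto="17" length="72" tos="0x00" prec="0x00" ttl="127" srcport="58155" dstport="53"
"""

# Resolvers the firewall is supposed to allow. 203.0.113.10 is a placeholder for the
# ISP forwarder (its real address is not in the thread); 8.8.8.8 is Google public DNS.
ALLOWED_RESOLVERS = {"203.0.113.10", "8.8.8.8"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_ulogd(line):
    """Split one ulogd key="value" line into a dict; the leading timestamp goes under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def dns_destinations(log_text, allowed_resolvers):
    """Count UDP/53 packets per (srcip, dstip) and collect the source MACs seen per pair."""
    # Returns {(srcip, dstip): {"count": int, "allowed": bool, "srcmacs": set}}
    report = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_ulogd(line)
        if f.get("proto") != "17" or f.get("dstport") != "53":
            continue  # only UDP DNS queries are of interest here
        key = (f["srcip"], f["dstip"])
        entry = report.setdefault(
            key, {"count": 0, "allowed": f["dstip"] in allowed_resolvers, "srcmacs": set()})
        entry["count"] += 1
        entry["srcmacs"].add(f["srcmac"])
    return report


def unexpected_resolvers(report):
    """(srcip, dstip, count) rows for DNS sent to a resolver outside the allowlist, busiest first."""
    rows = [(s, d, v["count"]) for (s, d), v in report.items() if not v["allowed"]]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    for src, dst, n in unexpected_resolvers(dns_destinations(SAMPLE_LOG, ALLOWED_RESOLVERS)):
        print(f"{src} -> {dst}:53  {n} packet(s) to a resolver outside the allowlist")
```

Run it over the full drop log instead of the sample to see which internal hosts are querying which outside resolvers and how often; a pair that appears with more than one source MAC would deserve a closer look.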
ASKER
Malmensa,
The destination IP addresses in the packets are not our ISP forwarder IP addresses. Could you please explain to me why you do not tend to use DNS forwarders?
Each DNS server has to have its forwarders set independently. Don't forget to uncheck "use root hints when forwarders are not available".
Someone is part of the Nielsen group (TV ratings collector).
65.171.135.57 translates to collectionsfo-gtm3.nielsen.com
http://www.nielsen.com/ca/en.html If this is not desired then I'd suggest that it may be malware related.
Without forwarders, your DNS server will start with the root servers and do multiple DNS queries in response to each query it gets from a client. With forwarders, it just grabs everything from another DNS server.
Sometimes foreign DNS servers have problems, many ignore aging parameters and will return stale records. It also gives another point of failure.
Some say using forwarders is faster, but with caching, there is very little real-world difference.
I prefer not to have to rely on a 3rd party DNS server, it simplifies things when there is just your own to worry about.
Either method works.
ASKER
David, you said "each dns server has to have its forwarders set independently don't forget to uncheck use root hints when forwarders are not available."
Is it the best practice to uncheck use root hint when forwarders are not available?
ASKER
Thank you for your prompt answer.
I added two ISP DNS forwarders and google public DNS in the forwarders and unchecked the use root hints server. Our firewall allows only DNS packets going to ISP DNS and google DNS. Does it sound secure and configured properly?
Sounds like it is fine.
I tend not to use forwarders, but if you want to, you need to let any source port connect to 53.