Adnexus.net keeps getting hit from OpenDNS

Larry Kiterling
I have configured OpenDNS and see several thousand hits to adnexus.net a day from all networks. Do you guys have any info on this? I believe it's coming from the AD servers but can't verify. I believe this is also due to 2012/2016 Microsoft Servers that might be 'spying'. Any further insight into this? Sonicwall doesn't know either.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
ADNexus is a marketing/ad service provider (Kind of like DoubleClick). You're seeing the numerous lookups for them because people in those networks are using websites that have ads that are provided by ADNexus.

Author

Commented:
Can you verify if it's from websites or the AD services within Windows 10 or 2012/2016?
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
It's from websites. AD doesn't do any DNS lookups on non-local DNS records (That is to say, DNS records not in zones belonging to the Domain).

Author

Commented:
Sorry, I meant the advertising coming from Windows. Our OpenDNS is stating that it is coming from the Sonicwall and not from workstations.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
All DNS requests to OpenDNS will appear to come from the same location as far as OpenDNS is concerned, since all DNS requests have to come from the firewall on your Internet perimeter. OpenDNS cannot possibly know about anything behind that firewall, so its reports will only show the public IP address used to make the DNS query, which will be the Public IP of the firewall for the site the request was made from.

Windows doesn't have any built in advertising features (yet). It will send usage data to Microsoft's servers if configured to do so, but that will generally be for a host name in the akamai.net (or something like that) domain.

Author

Commented:
I have all internal devices pointing to the internal OpenDNS appliance, and it should be giving me the IP address.
In this case, I changed the OpenDNS to 8.8.8.8 and 4.2.2.2 and did a packet capture. Does it look like the Sonicwall is the device reaching out to adnexus from the screenshot below?

Capture.JPG
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
To clarify... Any time you attempt to connect to a resource on the Internet, regardless of which computer you use, your traffic will go through the device at your network's Internet perimeter, AKA the Sonicwall. A packet capture will not show this happening because packet capture happens at a higher level than the data routing will appear. Usually, packet captures on a workstation are done at layer 4 and higher. Routing occurs at layer 3, which is the layer that will show you detailed information regarding destination MAC addresses.

When any computer on any network attempts to communicate over the network, it will only be able to communicate with systems on the same subnet (192.168.1.1-250, for example). If the resource the computer needs to reach is on a different network, the computer will attempt to communicate with the default gateway. The default Gateway is, in most cases, a router or firewall that is connected directly to the Internet. Once the default gateway gets the packet, it will see the destination IP address and the source IP address and then perform a Network Address Translation operation against the packet, which records the original source information, then strips the original source IP from the packet and replaces it with the Internet IP address of the Gateway itself, then communicates with whichever routers it knows about to determine which router to send the packet to next. The next router receives the packet, looks at the destination IP address and forwards it to the next router and so on until the packet reaches its destination. The destination computer receives that packet, but because of the Network Address Translation operation that occurred, it will view the source as the IP address of the gateway device, *not* the workstation that originally sent the communication request. When the destination server responds, it will send the response to the IP address included on the packet it received, which will usually result in the packet going back the way the original request came until it reaches the gateway device, at which point the public IP of the gateway is stripped and replaced with the IP of the workstation that originally made that request. This is how *every* attempt to communicate over the Internet through a perimeter device works.

The end result is that servers on the Internet will only ever see the public IP address of the gateway device, because that's where, on the Internet, the packet originated from. Internal IP addresses like 192.168.x.x *cannot* be used as source or destination IP addresses on the Internet, so you have to go through the above process. That's why you are seeing what you are seeing. All your systems are connecting to adnexus.com through a Sonicwall, so the connection reports from OpenDNS will only include the IP address(es) used by the Sonicwall for internet connectivity.

Author

Commented:
Currently, I can see the internal IP of all items in OpenDNS. The internal devices' DNS points to ONLY the 2 OpenDNS appliances (192.168.1.1 and .2).
Common configuration is
ip - 192.168.1.x
DNS 1, 192.168.1.1
DNS 2, 192.168.1.2
In Theory (IT)
Commented:
It will appear to come from your firewall since every device is NATed to its public IP. What you need is a proxy filter to filter out the ads, behind your firewall.

Author

Commented:
Sonicwall is not able to help me find the culprit. How would I filter? All DNS are pointing to the OpenDNS appliance on our internal network.
Natty Greg, In Theory (IT)

Commented:
By using a Squid proxy filter.

Author

Commented:
Found out there was an adnexus.net address object and the Sonicwall kept trying to hit it for whatever reason. Took it off and now I'm good. So odd! Thanks again, guys.
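
An added example, not part of the original thread: one way to find which internal client is generating the lookups, assuming the internal resolver's query log records the client IP. The log layout, the addresses (including 192.168.1.254 standing in for the firewall's LAN interface) and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample log: "<timestamp> <client_ip> <query_name> <type>".
# The layout is an assumption, not an OpenDNS or SonicWall export format.
SAMPLE_LOG = """\
2024-01-01T09:00:01 192.168.1.254 adnexus.net A
2024-01-01T09:00:04 192.168.1.37 ads.adnexus.net. A
2024-01-01T09:00:06 192.168.1.254 adnexus.net A
2024-01-01T09:00:09 192.168.1.52 www.example.com A
2024-01-01T09:00:11 192.168.1.254 adnexus.net AAAA
2024-01-01T09:00:12 192.168.1.37 notadnexus.net A
malformed line
2024-01-01T09:00:16 192.168.1.254 ADNEXUS.NET A
2024-01-01T09:00:21 192.168.1.52 secure.adnexus.net A
"""


def matches_domain(qname, domain):
    """True if qname is the domain itself or a subdomain of it.

    Comparison is case-insensitive, ignores a trailing root dot, and is
    aligned on label boundaries so "notadnexus.net" does not match.
    """
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def queries_by_client(log_text, domain):
    """Count queries for the domain (and its subdomains) per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qname, _qtype = parts
        if matches_domain(qname, domain):
            counts[client] += 1
    return counts


def top_talkers(log_text, domain, n=3):
    """Return the n clients issuing the most queries for the domain."""
    return queries_by_client(log_text, domain).most_common(n)


if __name__ == "__main__":
    for client, hits in top_talkers(SAMPLE_LOG, "adnexus.net"):
        print(f"{client}\t{hits}")
```

A single infrastructure address dominating the count, with queries for the bare domain at regular intervals, points at a device configuration such as the address object found here rather than at user browsing.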
