keeps getting hit from OpenDNS

I have configured OpenDNS and see several thousand hits to a day from all networks. Do you guys have any info on this? I believe its coming from the AD servers but can't verify. I believe this is also due to 2012/2016 Microsoft Servers that might be 'spying'. Any further insight into this? Sonicwall doesn't know either.
Larry KiterlingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSenior Systems AdminCommented:
ADNexus is a marketing/ad service provider (Kind of like DoubleClick). You're seeing the numerous lookups for them because people in those networks are using websites that have ads that are provided by ADNexus.
Larry KiterlingAuthor Commented:
Can you verify if its from websites or the AD services within windows 10 or 2012/2016?
Adam BrownSenior Systems AdminCommented:
It's from websites. AD doesn't do any DNS lookups on non-local DNS records (That is to say, DNS records not in zones belonging to the Domain).
Get Blueprints for Increased Customer Retention

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

Larry KiterlingAuthor Commented:
Sorry I meat the advertising coming from Windows. Our OpenDNS is stating that it is coming from the Sonicwall and not from workstations.
Adam BrownSenior Systems AdminCommented:
All DNS requests to OpenDNS will appear to come from the same location as far as OpenDNS is concerned, since all DNS requests have to come from the firewall on your Internet perimeter. OpenDNS cannot possibly know about anything behind that firewall, so its reports will only show the public IP address used to make the DNS query, which will be the Public IP of the firewall for the site the request was made from.

Windows doesn't have any built in advertising features (yet). It will send usage data to Microsoft's servers if configured to do so, but that will generally be for a host name in the (or something like that) domain.
Larry KiterlingAuthor Commented:
I have all internal devices pointing to the internal OpenDNS appliance and should be giving me the IP address.
In this case, I change the OpenDNS to and and did a packet capture. Does it look like the sonicwall is the device reaching out to adnexus from the screenshot below?

Adam BrownSenior Systems AdminCommented:
To clarify...Any time you attempt to connect to a resource on the Internet, regardless of which computer you use, your traffic will go through the device at your network's Internet perimeter, AKA, the sonicwall. A packet capture will not show this happening because packet capture happens at a higher level than the data routing will appear. Usually, Packet captures on a workstation are done at layer 4 and higher. Routing occurs at layer 3, which is the layer that will show you detailed information regarding destination mac addresses.

When any computer on any network attempts to communicate over the network, it will only be able to communicate with systems on the same subnet (, for example). If the resource the computer needs to reach is on a different network, the computer will attempt to communicate with the default gateway. The default Gateway is, in most cases, a router or firewall that is connected directly to the Internet. Once the default gateway gets the packet, it will see the destination IP address and the source IP address and then perform a Network Address Translation operation against the packet, which records the original source information, then strips the original source IP from the packet and replaces it with the Internet IP address of the Gateway itself, then communicates with whichever routers it knows about to determine which router to send the packet to next. The next router receives the packet, looks at the destination IP address and forwards it to the next router and so on until the packet reaches its destination. The destination computer receives that packet, but because of the Network Address Translation operation that occurred, it will view the source as the IP address of the gateway device, *not* the workstation that originally sent the communication request. When the destination server responds, it will send the response to the IP address included on the packet it received, which will usually result in the packet going back the way the original request came until it reaches the gateway device, at which point the public IP of the gateway is stripped and replaced with the IP of the workstation that originally made that request. This is how *every* attempt to communicate over the Internet through a perimeter device works.

The end result is that servers on the Internet will only ever see the public IP address of the gateway device, because that's where, on the Internet, the packet originated from. Internal IP addresses like 192.168.x.x *cannot* be used as source or destination IP addresses on the Internet, so you have to go through the above process. That's why you are seeing what you are seeing. All your systems are connecting to through a Sonicwall, so the connection reports from OpenDNS will only include the IP address(es) used by the Sonicwall for internet connectivity.
Larry KiterlingAuthor Commented:
Currently, I can see the internal IP of all items in OpenDNS. The internal devices DNS points to ONLY the 2 opendns appliances(, and .2)
Common configuration is
ip - 192.168.1.x
DNS 1,
DNS 2,
Natty GregIn Theory (IT)Commented:
It will appear to come from your firewall since every devices is nat to its public ip, what you need is a proxy filter to filter out the ads, behind your firewal.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Larry KiterlingAuthor Commented:
Sonicwall is not able to help me find the culprit. How would I filter? All dns are pointing to the opendns appliance on our internal network.
Natty GregIn Theory (IT)Commented:
by using squid proxy filter
Larry KiterlingAuthor Commented:
Found out there was an address object and sonicwall kept trying to hit it for whatever reason. Took ti off and now i'm good.. So odd! Thanks again guys
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.