Larry Kiterling asked: keeps getting hit from OpenDNS
I have configured OpenDNS and see several thousand hits to a day from all networks. Do you guys have any info on this? I believe it's coming from the AD servers but can't verify. I believe this is also due to 2012/2016 Microsoft Servers that might be 'spying'. Any further insight into this? Sonicwall doesn't know either.
Adam Brown:
ADNexus is a marketing/ad service provider (Kind of like DoubleClick). You're seeing the numerous lookups for them because people in those networks are using websites that have ads that are provided by ADNexus.
Larry Kiterling:

Can you verify if it's from websites or the AD services within Windows 10 or 2012/2016?
It's from websites. AD doesn't do any DNS lookups on non-local DNS records (That is to say, DNS records not in zones belonging to the Domain).
Sorry, I meant the advertising coming from Windows. Our OpenDNS is stating that it is coming from the Sonicwall and not from workstations.
All DNS requests to OpenDNS will appear to come from the same location as far as OpenDNS is concerned, since all DNS requests have to come from the firewall on your Internet perimeter. OpenDNS cannot possibly know about anything behind that firewall, so its reports will only show the public IP address used to make the DNS query, which will be the Public IP of the firewall for the site the request was made from.

Windows doesn't have any built in advertising features (yet). It will send usage data to Microsoft's servers if configured to do so, but that will generally be for a host name in the (or something like that) domain.
I have all internal devices pointing to the internal OpenDNS appliance and should be giving me the IP address.
In this case, I changed the OpenDNS to and and did a packet capture. Does it look like the Sonicwall is the device reaching out to ADNexus from the screenshot below?

[screenshot: packet capture, image not included on the page]
To clarify...Any time you attempt to connect to a resource on the Internet, regardless of which computer you use, your traffic will go through the device at your network's Internet perimeter, AKA, the sonicwall. A packet capture will not show this happening because packet capture happens at a higher level than the data routing will appear. Usually, Packet captures on a workstation are done at layer 4 and higher. Routing occurs at layer 3, which is the layer that will show you detailed information regarding destination mac addresses.

When any computer on any network attempts to communicate over the network, it will only be able to communicate with systems on the same subnet (, for example). If the resource the computer needs to reach is on a different network, the computer will attempt to communicate with the default gateway. The default Gateway is, in most cases, a router or firewall that is connected directly to the Internet. Once the default gateway gets the packet, it will see the destination IP address and the source IP address and then perform a Network Address Translation operation against the packet, which records the original source information, then strips the original source IP from the packet and replaces it with the Internet IP address of the Gateway itself, then communicates with whichever routers it knows about to determine which router to send the packet to next. The next router receives the packet, looks at the destination IP address and forwards it to the next router and so on until the packet reaches its destination. The destination computer receives that packet, but because of the Network Address Translation operation that occurred, it will view the source as the IP address of the gateway device, *not* the workstation that originally sent the communication request. When the destination server responds, it will send the response to the IP address included on the packet it received, which will usually result in the packet going back the way the original request came until it reaches the gateway device, at which point the public IP of the gateway is stripped and replaced with the IP of the workstation that originally made that request. This is how *every* attempt to communicate over the Internet through a perimeter device works.

The end result is that servers on the Internet will only ever see the public IP address of the gateway device, because that's where, on the Internet, the packet originated from. Internal IP addresses like 192.168.x.x *cannot* be used as source or destination IP addresses on the Internet, so you have to go through the above process. That's why you are seeing what you are seeing. All your systems are connecting to through a Sonicwall, so the connection reports from OpenDNS will only include the IP address(es) used by the Sonicwall for internet connectivity.
Currently, I can see the internal IP of all items in OpenDNS. The internal devices' DNS points ONLY to the 2 OpenDNS appliances (, and .2).
Common configuration is
ip - 192.168.1.x
DNS 1,
DNS 2,
Natty Greg: [solution is members-only and not shown on the page]
Sonicwall is not able to help me find the culprit. How would I filter? All DNS is pointing to the OpenDNS appliance on our internal network.
By using a Squid proxy filter.
Found out there was an address object and Sonicwall kept trying to hit it for whatever reason. Took it off and now I'm good. So odd! Thanks again, guys.
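The filtering question above is really an attribution problem: OpenDNS only sees the firewall's public address, but the internal resolver appliances see each client's LAN address, so their query logs are where the culprit shows up. The script below is an added example (not code from this thread, OpenDNS, or Sonicwall) that aggregates resolver query log lines by client IP for one domain suffix and flags whether each client is an ordinary LAN host or the gateway itself, which is the case this thread ended on (the firewall doing its own lookups). It assumes dnsmasq-style `query[TYPE] name from client` log lines, a constructed ad domain `adnexus-ads.example`, a gateway at 192.168.1.1 and a 192.168.1.0/24 LAN; all log lines are constructed.

```python
"""Find which internal client is resolving a given domain, using the internal
resolver's query log rather than OpenDNS's (NAT-masked) reporting.

Added example; assumptions: dnsmasq-style log format, gateway 192.168.1.1,
LAN 192.168.1.0/24, ad domain 'adnexus-ads.example' (all constructed).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log in dnsmasq "query[TYPE] name from client" format.
SAMPLE_LOG = """\
Mar  3 09:00:01 dnsmasq[812]: query[A] ib.adnexus-ads.example from 192.168.1.57
Mar  3 09:00:01 dnsmasq[812]: query[A] www.example.org from 192.168.1.57
Mar  3 09:00:02 dnsmasq[812]: query[AAAA] ib.adnexus-ads.example from 192.168.1.57
Mar  3 09:00:03 dnsmasq[812]: query[A] cdn.adnexus-ads.example from 192.168.1.57
Mar  3 09:00:05 dnsmasq[812]: query[A] secure.adnexus-ads.example from 192.168.1.1
Mar  3 09:00:06 dnsmasq[812]: query[A] secure.adnexus-ads.example from 192.168.1.1
Mar  3 09:00:09 dnsmasq[812]: query[A] mail.example.com from 192.168.1.23
Mar  3 09:00:10 dnsmasq[812]: query[A] ADNEXUS-ADS.EXAMPLE. from 192.168.1.23
Mar  3 09:00:11 dnsmasq[812]: query[A] notadnexus-ads.example from 192.168.1.99
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_queries(log_text):
    """Yield (qtype, name, client) for each query line; non-query lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            # Normalise the name: strip trailing dot, lower-case for comparison.
            yield m.group("qtype"), m.group("name").rstrip(".").lower(), m.group("client")


def in_domain(name, suffix):
    """True if name is the suffix itself or a subdomain of it.

    The check is label-aware: 'notadnexus-ads.example' must not match
    'adnexus-ads.example', so a plain endswith() would over-count.
    """
    name = name.rstrip(".").lower()
    suffix = suffix.rstrip(".").lower()
    return name == suffix or name.endswith("." + suffix)


def clients_querying(log_text, suffix):
    """Count queries for the domain suffix per client IP."""
    counts = Counter()
    for _qtype, name, client in parse_queries(log_text):
        if in_domain(name, suffix):
            counts[client] += 1
    return counts


def classify_client(client, gateway_ip, lan_net):
    """Say what a client IP in the resolver log identifies.

    'gateway' means the firewall itself asked, so the real origin is either the
    firewall's own configuration or queries it forwarded; 'lan-host' is a host
    you can go and inspect; 'external' should not appear on an internal resolver.
    """
    addr = ip_address(client)
    if addr == ip_address(gateway_ip):
        return "gateway"
    if addr in ip_network(lan_net):
        return "lan-host"
    return "external"


def report(log_text, suffix, gateway_ip="192.168.1.1", lan_net="192.168.1.0/24"):
    """Return (client, query_count, classification) rows, busiest client first."""
    return [
        (client, n, classify_client(client, gateway_ip, lan_net))
        for client, n in clients_querying(log_text, suffix).most_common()
    ]


if __name__ == "__main__":
    for client, n, kind in report(SAMPLE_LOG, "adnexus-ads.example"):
        print(f"{client:<16} {n:>4} queries  ({kind})")
```

Run against a real resolver log, the `gateway` rows are the ones to chase on the firewall itself (address objects, content-filter lookups, forwarded queries), while `lan-host` rows point at a specific workstation; OpenDNS's own dashboard cannot give this split because every query it receives carries the firewall's public address.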