
Adnexus.net keeps getting hit from OpenDNS

Last Modified: 2017-04-05
I have configured OpenDNS and see several thousand hits to adnexus.net a day from all networks. Do you guys have any info on this? I believe it's coming from the AD servers but can't verify. I believe this is also due to 2012/2016 Microsoft Servers that might be 'spying'. Any further insight into this? Sonicwall doesn't know either.

Adam Brown, Cloud Security Consultant
CERTIFIED EXPERT
Top Expert 2010

Commented:
ADNexus is a marketing/ad service provider (Kind of like DoubleClick). You're seeing the numerous lookups for them because people in those networks are using websites that have ads that are provided by ADNexus.

Author

Commented:
Can you verify if it's from websites or the AD services within Windows 10 or 2012/2016?
Adam Brown, Cloud Security Consultant

Commented:
It's from websites. AD doesn't do any DNS lookups on non-local DNS records (That is to say, DNS records not in zones belonging to the Domain).

Author

Commented:
Sorry, I meant the advertising coming from Windows. Our OpenDNS is stating that it is coming from the Sonicwall and not from workstations.
Adam Brown, Cloud Security Consultant

Commented:
All DNS requests to OpenDNS will appear to come from the same location as far as OpenDNS is concerned, since all DNS requests have to come from the firewall on your Internet perimeter. OpenDNS cannot possibly know about anything behind that firewall, so its reports will only show the public IP address used to make the DNS query, which will be the Public IP of the firewall for the site the request was made from.

Windows doesn't have any built-in advertising features (yet). It will send usage data to Microsoft's servers if configured to do so, but that will generally be for a host name in the akamai.net (or something like that) domain.

Author

Commented:
I have all internal devices pointing to the internal OpenDNS appliance and it should be giving me the IP address.
In this case, I changed the OpenDNS to 8.8.8.8 and 4.2.2.2 and did a packet capture. Does it look like the Sonicwall is the device reaching out to adnexus from the screenshot below?

Capture.JPG
Adam Brown, Cloud Security Consultant

Commented:
To clarify... Any time you attempt to connect to a resource on the Internet, regardless of which computer you use, your traffic will go through the device at your network's Internet perimeter, AKA, the Sonicwall. A packet capture will not show this happening because packet capture happens at a higher level than the data routing will appear. Usually, packet captures on a workstation are done at layer 4 and higher. Routing occurs at layer 3, which is the layer that will show you detailed information regarding destination MAC addresses.

When any computer on any network attempts to communicate over the network, it will only be able to communicate with systems on the same subnet (192.168.1.1-250, for example). If the resource the computer needs to reach is on a different network, the computer will attempt to communicate with the default gateway. The default gateway is, in most cases, a router or firewall that is connected directly to the Internet. Once the default gateway gets the packet, it will see the destination IP address and the source IP address and then perform a Network Address Translation operation against the packet, which records the original source information, then strips the original source IP from the packet and replaces it with the Internet IP address of the gateway itself, then communicates with whichever routers it knows about to determine which router to send the packet to next. The next router receives the packet, looks at the destination IP address and forwards it to the next router and so on until the packet reaches its destination. The destination computer receives that packet, but because of the Network Address Translation operation that occurred, it will view the source as the IP address of the gateway device, *not* the workstation that originally sent the communication request. When the destination server responds, it will send the response to the IP address included on the packet it received, which will usually result in the packet going back the way the original request came until it reaches the gateway device, at which point the public IP of the gateway is stripped and replaced with the IP of the workstation that originally made that request. This is how *every* attempt to communicate over the Internet through a perimeter device works.

The end result is that servers on the Internet will only ever see the public IP address of the gateway device, because that's where, on the Internet, the packet originated from. Internal IP addresses like 192.168.x.x *cannot* be used as source or destination IP addresses on the Internet, so you have to go through the above process. That's why you are seeing what you are seeing. All your systems are connecting to adnexus.com through a Sonicwall, so the connection reports from OpenDNS will only include the IP address(es) used by the Sonicwall for internet connectivity.

Author

Commented:
Currently, I can see the internal IP of all items in OpenDNS. The internal devices' DNS points to ONLY the 2 OpenDNS appliances (192.168.1.1, and .2)
Common configuration is
ip - 192.168.1.x
DNS 1, 192.168.1.1
DNS 2, 192.168.1.2

Author

Commented:
Sonicwall is not able to help me find the culprit. How would I filter? All DNS are pointing to the OpenDNS appliance on our internal network.
Natty Greg, In Theory (IT)
CERTIFIED EXPERT

Commented:
By using a Squid proxy filter.

Author

Commented:
Found out there was an adnexus.net address object and Sonicwall kept trying to hit it for whatever reason. Took it off and now I'm good. So odd! Thanks again guys
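
The attribution step this thread works toward, as an added example that is not part of any post: tally queries for one zone per internal source address from a resolver log taken inside the NAT boundary, and separate infrastructure devices such as the firewall from ordinary clients. The log format, the sample lines, the subdomain and 192.168.1.254 as the firewall's LAN address are all constructed assumptions.

```python
from collections import Counter

# Constructed sample: "timestamp source_ip query_type qname", as an internal
# resolver might log it before NAT hides the source. The format is an assumption.
SAMPLE_LOG = """\
2017-04-05T09:00:01 192.168.1.254 A adnexus.net
2017-04-05T09:00:03 192.168.1.37 A x.adnexus.net
2017-04-05T09:00:05 192.168.1.254 A adnexus.net.
2017-04-05T09:00:06 192.168.1.52 A www.example.com
2017-04-05T09:00:31 192.168.1.254 A ADNEXUS.NET
2017-04-05T09:00:40 192.168.1.37 AAAA notadnexus.net
malformed line
2017-04-05T09:01:01 192.168.1.254 A adnexus.net
"""

def in_zone(qname, zone):
    """True if qname is the zone apex or a subdomain (label-boundary match)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def queries_by_source(log_text, zone):
    """Count queries for `zone` per internal source IP; skip malformed lines."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, src, _qtype, qname = fields
        if in_zone(qname, zone):
            counts[src] += 1
    return counts

def attribute(log_text, zone, infrastructure_ips):
    """Split sources into infrastructure devices (e.g. the firewall's LAN IP)
    and ordinary clients, each sorted by descending query count."""
    infra, clients = [], []
    for src, n in queries_by_source(log_text, zone).most_common():
        (infra if src in infrastructure_ips else clients).append((src, n))
    return infra, clients

if __name__ == "__main__":
    # 192.168.1.254 as the firewall's LAN address is hypothetical.
    infra, clients = attribute(SAMPLE_LOG, "adnexus.net", {"192.168.1.254"})
    print("infrastructure:", infra)
    print("clients:", clients)
```

A steady count from an infrastructure address with no matching browsing activity points at the device itself, such as a firewall re-resolving a configured hostname, rather than at user web traffic.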
