DNS traffic dropping from WAN to local domain controllers

d d

Author

Asked:
SonicWall NSA 4500, SonicOS Enhanced 5.9.1.8-1. I need help getting WAN traffic to pass through to the local private 10/24 DNS servers (suddenly getting IP spoof issues).
MaheshArchitect
Distinguished Expert 2018

Commented:
What IP spoof issues?

Is there any IP duplication?

Or are network ports blocked?
d d

Author

Commented:
No, wide open for now. It has been in place for about five years, with two hosts performing local DHCP/DNS services. Had an outage Monday and got everything back online; clients show "Internet" status, but the SonicWall doesn't seem to be passing DNS queries through to the local DNS servers. I created a couple of ad hoc routes for the XO port to allow DNS traffic, but I am not able to successfully query (nslookup provides IP addresses).

To clarify: local traffic submits DNS queries through the local DC, the local DC forwards the request, and this information is somehow getting spoofed.
MaheshArchitect
Distinguished Expert 2018

Commented:
So the firewall won't pass client queries to DNS, or the DNS server is unable to pass queries to the internet DNS server?
d d

Author

Commented:
The DNS servers submit queries on behalf of the clients, so the servers are unable to resolve.
MaheshArchitect
Distinguished Expert 2018

Commented:
So DNS server to internet DNS server traffic is getting blocked?

What DNS forwarders are you using on the DNS servers?

And where is the firewall pointed for internet name resolution?

Did you create a root zone on the DNS servers?
d d

Author

Commented:
Right, tried various forwarders (ISP, Google, OpenDNS...).

I believe it may possibly be related to routing, as that DNS traffic is dropping (indicating spoofed).
MaheshArchitect
Distinguished Expert 2018

Commented:
Try telnet to Google's DNS servers from the domain controller; you can probably also try the tracert command and check whether traffic is routed to the wrong place.
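The telnet and tracert checks suggested above, scripted as an added example that is not part of the thread. It runs in an elevated PowerShell on the domain controller and assumes the DnsServer and NetTCPIP modules (Windows Server 2012 R2 or later); www.example.com is an arbitrary test name, not something from the original post. For each configured forwarder it checks TCP/53 reachability, records the first hop and source address the packets use, and queries the forwarder directly so that a failure can be attributed to the network path rather than to the DNS Server role.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
# Assumes the DnsServer and NetTCPIP modules; www.example.com is a placeholder test name.
function Test-ForwarderPath {
    param([string]$TestName = 'www.example.com')

    $fwd = Get-DnsServerForwarder
    $forwarders = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    "Forwarders: $($forwarders -join ', ')   UseRootHint: $($fwd.UseRootHint)"

    foreach ($ip in $forwarders) {
        # 1. TCP/53 reachability: the "telnet" test. Public resolvers answer on TCP as
        #    well as UDP, so a failure here points at routing or NAT, not at DNS itself.
        $tcp = Test-NetConnection -ComputerName $ip -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue

        # 2. Path: the "tracert" test. The first hop should be the SonicWall LAN address.
        #    A different next hop (for example a stale route into another private range)
        #    means the query leaves by the wrong interface, and any reply comes back on
        #    an interface the firewall does not expect, which it drops as an IP spoof.
        $tr = Test-NetConnection -ComputerName $ip -TraceRoute -WarningAction SilentlyContinue

        # 3. Query the forwarder directly, bypassing the local DNS service, so that a
        #    failure here is network rather than zone or recursion configuration.
        try {
            $a = Resolve-DnsName -Name $TestName -Type A -Server $ip -DnsOnly -ErrorAction Stop
            $resolved = @($a | Where-Object Type -eq 'A').Count -gt 0
        } catch {
            $resolved = $false
        }

        [pscustomobject]@{
            Forwarder   = $ip
            Tcp53       = $tcp
            SourceAddr  = $tr.SourceAddress.IPAddress
            FirstHop    = @($tr.TraceRoute) | Select-Object -First 1
            HopCount    = @($tr.TraceRoute).Count
            DirectQuery = $resolved
        }
    }
}

Test-ForwarderPath

# The same name through the local DNS service, for comparison with DirectQuery above:
# if the direct query works and this one does not, the problem is inside the DNS role.
Resolve-DnsName -Name www.example.com -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue
```

If Tcp53 is true and DirectQuery succeeds but the local-service query fails, look at the forwarder and root-hint settings on the DC; if SourceAddr or FirstHop is not what you expect for the LAN side of the SonicWall, a leftover static route is steering the traffic, which matches the "IP spoof" drops described in the question.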

Commented:
What you can do to bypass a potential issue is to remove the firewall rules for DNS forwarding, use the SonicWall as the DNS resolver for the AD servers, and have the SonicWall resolve to the ISP or whatever DNS you want.

In this scenario, port 53 can be closed, preventing any potential attacks.

Also, what can look like a DDoS or an attack on DNS could be outbound traffic, not inbound.
I had to deal with something similar recently, and it was all created by some local application spamming the servers.
Top Expert 2016

Commented:
One normally does not need to add a rule to allow DNS forwarding.
If you have a DNS server on your local network and you have forwarded port 53 from the WAN to it, then I, as a malicious actor, can start a DNS amplification flood attack using your DNS server to DDoS another IP address.

If your DNS is set to forward DNS queries to a forwarder, then the router knows that the query was sent from an internal address and will allow the reply packet back to the device that initiated the query.
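The two comments above make the same point from different sides: outbound forwarding needs no inbound rule, because the firewall tracks the state of the query, whereas an inbound WAN-to-port-53 forward turns the domain controller into an open resolver that anyone can use for amplification. The following is an added example, not code from the thread, for checking that from a host outside the network. It sends a raw DNS query with the RD (recursion desired) flag to the firewall's public address and reads the RA (recursion available) flag and RCODE from whatever comes back; the address 203.0.113.10 is a documentation placeholder and www.example.com an arbitrary test name. Resolve-DnsName would also do, but building the packet by hand shows which header bits actually make the server an amplifier.

```powershell
# Added example, not from the thread. Run from a host OUTSIDE the firewall.
# $WanIp is a placeholder for the SonicWall's public address; $Name is an arbitrary test name.
function Test-OpenResolver {
    param(
        [Parameter(Mandatory)][string]$WanIp,
        [string]$Name = 'www.example.com',
        [int]$TimeoutMs = 3000
    )

    # Minimal DNS query: 12-byte header (random ID, flags 0x0100 = RD set, QDCOUNT=1),
    # then the QNAME as length-prefixed labels, QTYPE=A (1), QCLASS=IN (1).
    $id  = Get-Random -Minimum 0 -Maximum 65536
    $pkt = [System.Collections.Generic.List[byte]]::new()
    $pkt.AddRange([byte[]]@(($id -shr 8), ($id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $pkt.Add([byte]$label.Length)
        $pkt.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $pkt.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label terminator, QTYPE A, QCLASS IN

    $udp = [System.Net.Sockets.UdpClient]::new()
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        [void]$udp.Send($pkt.ToArray(), $pkt.Count, $WanIp, 53)
        $from = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $resp = $udp.Receive([ref]$from)
    } catch [System.Net.Sockets.SocketException] {
        # Timeout: nothing on the WAN side answers port 53. That is the state you want
        # when the DC only forwards outbound; its replies still arrive because the
        # firewall matched them to the query it saw leave.
        return [pscustomobject]@{ Target = $WanIp; Replied = $false; RecursionAvailable = $false; RCode = $null; Answers = 0 }
    } finally {
        $udp.Close()
    }

    $ra      = ($resp[3] -band 0x80) -ne 0          # RA bit in the second flags byte
    $rcode   = $resp[3] -band 0x0F                  # 0 = NOERROR, 5 = REFUSED
    $ancount = ($resp[6] -shl 8) -bor $resp[7]      # number of answer records
    [pscustomobject]@{ Target = $WanIp; Replied = $true; RecursionAvailable = $ra; RCode = $rcode; Answers = $ancount }
}

# Usage with the placeholder address:
Test-OpenResolver -WanIp '203.0.113.10'
```

Replied=True with RecursionAvailable=True and Answers greater than zero for a name you do not host means the WAN is forwarding port 53 to a recursive server, which is the amplification exposure described above. Replied=False, or a reply with RCode=5 (REFUSED) and no answers, is the expected result when no inbound rule exists. Note that a single probe only proves what the firewall does at that moment; re-run it after changing NAT or access rules.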
Commented:
It seems there was a route change for an old, obscure VoIP setup; it had been removed and that seemed to affect traffic flow (it references a 172.* network).

I turned it back on until I can fix and research it, and DNS is working. Not a solution, but it will buy time. Thanks all.
