Geekzone: technology news, blogs, forums
84 posts

Master Geek
+1 received by user: 1


Topic # 33128 30-Apr-2009 15:55


The past couple of months our internet data usage has sky-rocketed. Our small business sits behind a Cisco ASA5510 firewall, and after lots of checks I've come to the conclusion that our firewall is continually bombarded with DNS queries (port 53).

This is a sample of the continuous log stream we get:
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|210.54.xxx.xxx|46211|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46211 by access-group "outside_acl" [0x386cf24f, 0x0]

Monitoring our Internet Service it equates to 30Mb per hour continuously, which is around 20Gb per month.

There are only a few IPs that are hitting us, and it doesn't seem random, just continuous. When I check the offending IPs they seem to end up back as various Name Servers - the above one is Google. Can anyone shed any light on why this would be happening and if anything can be done. It started in Dec, and as far as I'm aware nothing has changed in our systems.




mjb

922 posts

Ultimate Geek
+1 received by user: 21

Trusted

  Reply # 211041 30-Apr-2009 21:09

Something is specifying your IP address as a nameserver.

You'll need to capture the requests to discover what domain it is, and find out where in DNS it's pointing at your IP.

That's the most likely scenario.




contentsofsignaturemaysettleduringshipping


Hawkes Bay
8477 posts

Uber Geek
+1 received by user: 5

Mod Emeritus
Trusted
Lifetime subscriber

  Reply # 211044 30-Apr-2009 21:22

Is changing your IP an option?


Doesn't fix the original issue, but will relieve all your symptoms!

mjb

922 posts

Ultimate Geek
+1 received by user: 21

Trusted

  Reply # 211045 30-Apr-2009 21:23

lol, good answer - I'm so used to having a static IP that I forget that 99% have a semi-dynamic IP :)






2584 posts

Uber Geek
+1 received by user: 5

Mod Emeritus
Trusted
Lifetime subscriber

Reply # 211046 30-Apr-2009 21:26

lol maybe it is Telstra's DNS server... the transparent one that is not working properly...

http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=29955







Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64



84 posts

Master Geek
+1 received by user: 1


  Reply # 211135 1-May-2009 08:55

Thanks for that.

Changing IPs is not really an option. We have 10 IPs all set up starting with our router, then firewall, then progressing through the mail server, web server and various other apps servers. I will have to keep digging. We are using Telecom's CID (Corporate Internet Direct) service, which has been rock solid for the past 5 years without any drop-outs at all. Just annoying that our traffic has started increasing and blowing our data plans.

mjb

922 posts

Ultimate Geek
+1 received by user: 21

Trusted

  Reply # 211140 1-May-2009 09:34

Seriously, traffic capture time. That will usually end up being very enlightening.






637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  Reply # 212749 6-May-2009 07:13

Agree with a traffic capture; although the log output says to me you are receiving DNS responses from a server. It looks like you're sending DNS queries to those server(s) and then discarding the responses - I'd be checking all my PCs to see what they're sending out to the Internet. It's possible that someone is infected with a DNS based trojan/worm.
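The two readings of the log line offered in this thread (the original post's "we are being bombarded with DNS queries" and the reply above's "these are DNS responses to queries someone inside sent") can be told apart from the ports alone: a UDP packet from an outside host's port 53 to an inside ephemeral port is a reply, while a packet to the inside host's port 53 is a query that treats that address as a nameserver. The script below is an added triage example, not code from the thread or from Cisco; it parses the pipe-delimited ASA 106023 export format inferred from the single line quoted above, classifies each deny by direction, and counts events per source so the few IPs involved stand out. The sample lines are constructed: 216.239.34.10 is the address quoted in the thread, the other outside addresses and the inside address 192.0.2.10 are documentation-range placeholders, and the field layout is assumed to match the one line shown.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the pipe-delimited export layout seen in the thread:
# severity|date|time|message id|src ip|src port|dst ip|dst port|message text.
# 216.239.34.10 is the address from the original post; everything else is a placeholder.
SAMPLE_LOG = """\
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|192.0.2.10|46211|Deny udp src outside:216.239.34.10/53 dst inside:192.0.2.10/46211 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:02|106023|216.239.34.10|53|192.0.2.10|46211|Deny udp src outside:216.239.34.10/53 dst inside:192.0.2.10/46211 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:03|106023|203.0.113.7|53|192.0.2.10|51004|Deny udp src outside:203.0.113.7/53 dst inside:192.0.2.10/51004 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:04|106023|198.51.100.9|40001|192.0.2.10|53|Deny udp src outside:198.51.100.9/40001 dst inside:192.0.2.10/53 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:05|106023|203.0.113.5|4444|192.0.2.10|22|Deny tcp src outside:203.0.113.5/4444 dst inside:192.0.2.10/22 by access-group "outside_acl" [0x1, 0x0]
"""

# Protocol and interface names live in the free-text part of the message.
TEXT_RE = re.compile(r"^Deny (?P<proto>\w+) src (?P<sif>\w+):\S+ dst (?P<dif>\w+):\S+")


def parse_line(line):
    """Split one export line into a record; return None for lines that do not fit the layout."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None
    _sev, date, clock, msgid, src, sport, dst, dport, text = parts
    m = TEXT_RE.match(text)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{date} {clock}", "%b %d %Y %H:%M:%S"),
        "msgid": msgid,
        "proto": m.group("proto").lower(),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "src_if": m.group("sif"), "dst_if": m.group("dif"),
    }


def classify(rec):
    """Label a denied UDP/53 packet by which side is acting as the nameserver."""
    if rec["msgid"] != "106023" or rec["proto"] != "udp":
        return "other"
    if rec["sport"] == 53 and rec["dport"] != 53:
        # Reply from an outside resolver to an ephemeral port: something inside asked,
        # and the firewall no longer has (or never had) state for the query.
        return "dns_response"
    if rec["dport"] == 53:
        # Outside host is querying the inside address as if it were a nameserver.
        return "dns_query"
    return "other"


def summarize(log_text):
    """Count denies by direction and by source, and report the time span covered."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    by_class = Counter(classify(r) for r in records)
    by_source = Counter((r["src"], classify(r)) for r in records)
    span = 0.0
    if records:
        times = [r["ts"] for r in records]
        span = (max(times) - min(times)).total_seconds()
    return {
        "total": len(records),
        "by_class": dict(by_class),
        "top_sources": by_source.most_common(3),
        "span_seconds": span,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['total']} denies over {result['span_seconds']:.0f}s: {result['by_class']}")
    for (src, kind), n in result["top_sources"]:
        print(f"  {src:16} {kind:13} {n}")
```

Run against a real export (for example `summarize(open("asa.log").read())`), the `by_class` split is the first thing to look at: a pile of `dns_response` entries points at internal hosts generating queries whose answers the firewall discards, which is where the reply above suggests checking the PCs, while `dns_query` entries support the earlier theory that some DNS record names this address as a nameserver. The `span_seconds` value together with `total` gives an events-per-hour figure to set against the metered 30Mb per hour, and `top_sources` identifies the handful of resolvers to focus a packet capture on.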



84 posts

Master Geek
+1 received by user: 1


  Reply # 212767 6-May-2009 08:45

Thanks for your advice. After initially querying my provider 6 weeks ago about this and being told it appeared to be a problem beyond their control, I re-raised a ticket last week. Magically I get a reply from them saying that, again, it looks like nothing is wrong, but 10 mins prior to the email arriving all the DNS bombardment magically stopped. Bit too much of a coincidence if you ask me.
