Firewall getting bombarded with DNS queries?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Firewall getting bombarded with DNS queries?

wazzab

84 posts

Master Geek

#33128 30-Apr-2009 15:55

The past couple of months our internet data usage has sky-rocketed. Our small business sits behind an Cisco ASA5510 firewall, and after lots of checks I've come down to the conclusion of our firewall continually bombarded with DNS queries (port 53).

This is a sample of the continuous logs stream we get :
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|210.54.xxx.xxx|46211|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46211 by access-group "outside_acl" [0x386cf24f, 0x0]

Monitoring our Internet Service it equates to 30Mb per hour continuously which is around 20Gb per month.

There is only a few ips that are hitting us, and it doesn’t seem random, just continuous. When i check the offending ip's the seem to end up back as various Name Servers - the above one is goggle. Can anyone shed any light on why this would be happening and if anything can be done. It started in Dec, and as far as I'm aware nothing had changed to our systems.

mjb

996 posts

Ultimate Geek

Trusted

#211041 30-Apr-2009 21:09

Something is specifying your IP address as a nameserver.

You'll need to capture the requests to discover what domain it is, and find out where in DNS it's pointing at your IP.

That's the most likely scenario.

contentsofsignaturemaysettleduringshipping

tonyhughes

Hawkes Bay
8476 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#211044 30-Apr-2009 21:22

Is changing your ip an option?

Doesnt fix the original issue, but will relieve all your symptoms!

mjb

996 posts

Ultimate Geek

Trusted

#211045 30-Apr-2009 21:23

lol, good answer - I'm so used to having a static IP that I forget that 99% have a semi-dynamic IP :)

contentsofsignaturemaysettleduringshipping

Nety

2584 posts

Uber Geek

Retired Mod

Trusted

Lifetime subscriber

#211046 30-Apr-2009 21:26

lol maybe it is Telstras DNS server... the transparent one that is not working properly...

http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=29955

Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64

wazzab

84 posts

Master Geek

#211135 1-May-2009 08:55

thanks for that

changing ip's is not really an option. we have 10 ips all set up starting with our router, then firewall, the progressing thru the mail server, web server and various other apps servers. i will have to keep digging. we are using Telecoms CID (corporate Internet Direct) servic, which has been rock solid for the past 5 years without any drop-outs at all. just annoying that our traffic has started increasing and blowing our data plans.

mjb

996 posts

Ultimate Geek

Trusted

#211140 1-May-2009 09:34

Seriously, traffic capture time. that will usually end up being very enlightening.

contentsofsignaturemaysettleduringshipping

PenultimateHop

637 posts

Ultimate Geek

Trusted

#212749 6-May-2009 07:13

Agree with a traffic capture; although the log output says to me you are receiving DNS responses from a server. It looks like you're sending DNS queries to those server(s) and then discarding the responses - I'd be checking all my PCs to see what they're sending out to the Internet. It's possible that someone is infected with a DNS based trojan/worm.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

wazzab

84 posts

Master Geek

#212767 6-May-2009 08:45

thanks for your advice. after initially querying my provider 6 weeks ago about this and been told, it appeared to be a problem beyond there control, i re-raised a ticket last week. magically get a reply from them saying, that again, looks like nothing is wrong, but 10 mins prior to the email arriving all the DNS bombardment magically stopped. bit too much of a coincidence if you ask me.