Geekzone: technology news, blogs, forums
wazzab

84 posts

Master Geek
+1 received by user: 2


#33128 30-Apr-2009 15:55


The past couple of months our internet data usage has sky-rocketed. Our small business sits behind a Cisco ASA5510 firewall, and after lots of checks I've come to the conclusion that our firewall is continually bombarded with DNS queries (port 53).

This is a sample of the continuous logs stream we get :
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|210.54.xxx.xxx|46211|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46211 by access-group "outside_acl" [0x386cf24f, 0x0]

Monitoring our Internet service, it equates to 30Mb per hour continuously, which is around 20Gb per month.

There are only a few IPs that are hitting us, and it doesn't seem random, just continuous. When I check the offending IPs they seem to end up back as various name servers - the above one is Google. Can anyone shed any light on why this would be happening and if anything can be done? It started in Dec, and as far as I'm aware nothing had changed in our systems.




mjb

mjb
996 posts

Ultimate Geek
+1 received by user: 67

Trusted

  #211041 30-Apr-2009 21:09

Something is specifying your IP address as a nameserver.

You'll need to capture the requests to discover what domain it is, and find out where in DNS it's pointing at your IP.

That's the most likely scenario.




contentsofsignaturemaysettleduringshipping




tonyhughes
Hawkes Bay
8476 posts

Uber Geek
+1 received by user: 6

Retired Mod
Trusted
Lifetime subscriber

  #211044 30-Apr-2009 21:22

Is changing your IP an option?


Doesn't fix the original issue, but will relieve all your symptoms!







mjb

mjb
996 posts

Ultimate Geek
+1 received by user: 67

Trusted

  #211045 30-Apr-2009 21:23

lol, good answer - I'm so used to having a static IP that I forget that 99% have a semi-dynamic IP :)








Nety
2584 posts

Uber Geek
+1 received by user: 5

Retired Mod
Trusted
Lifetime subscriber

#211046 30-Apr-2009 21:26

lol maybe it is Telstra's DNS server... the transparent one that is not working properly...

http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=29955







Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64

wazzab

84 posts

Master Geek
+1 received by user: 2


  #211135 1-May-2009 08:55

Thanks for that.

Changing IPs is not really an option. We have 10 IPs all set up, starting with our router, then firewall, then progressing through the mail server, web server and various other app servers. I will have to keep digging. We are using Telecom's CID (Corporate Internet Direct) service, which has been rock solid for the past 5 years without any drop-outs at all. Just annoying that our traffic has started increasing and blowing our data plans.

mjb

mjb
996 posts

Ultimate Geek
+1 received by user: 67

Trusted

  #211140 1-May-2009 09:34

Seriously, traffic capture time. That will usually end up being very enlightening.




PenultimateHop
637 posts

Ultimate Geek
+1 received by user: 2

Trusted

  #212749 6-May-2009 07:13

Agree with a traffic capture; although the log output says to me you are receiving DNS responses from a server. It looks like you're sending DNS queries to those server(s) and then discarding the responses - I'd be checking all my PCs to see what they're sending out to the Internet. It's possible that someone is infected with a DNS based trojan/worm.
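As an added example (not code from any poster), this parses lines in the pipe-delimited ASA export format quoted at the top of the thread and separates denied DNS responses (remote port 53 answering one of our ephemeral ports, the reading in the post above) from inbound DNS queries aimed at our port 53 (the "something lists your IP as a nameserver" reading earlier in the thread). The sample lines are constructed from the one in the thread; the extra remote addresses are documentation-range placeholders.

```python
from collections import Counter

# Constructed sample in the pipe-delimited ASA export format quoted in the thread.
# 216.239.34.10 and 210.54.xxx.xxx are the addresses from the original log line;
# the other remote hosts are documentation-range placeholders, not real servers.
SAMPLE_LOG = """\
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|210.54.xxx.xxx|46211|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46211 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:02|106023|216.239.34.10|53|210.54.xxx.xxx|46212|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46212 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:02|106023|198.51.100.7|53|210.54.xxx.xxx|51000|Deny udp src outside:198.51.100.7/53 dst inside:210.54.xxx.xxx/51000 by access-group "outside_acl" [0x386cf24f, 0x0]
4|Apr 28 2009|22:48:03|106023|203.0.113.9|40123|210.54.xxx.xxx|53|Deny udp src outside:203.0.113.9/40123 dst inside:210.54.xxx.xxx/53 by access-group "outside_acl" [0x386cf24f, 0x0]
"""

FIELDS = ("severity", "date", "time", "msg_id",
          "src_ip", "src_port", "dst_ip", "dst_port", "text")


def parse_line(line):
    """Split one pipe-delimited line into a dict; None if it is not a 106023 deny."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9 or parts[3] != "106023":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    return rec


def classify(rec):
    """'response': a remote resolver answering one of our ephemeral ports, i.e. a
    host inside is sending queries and the ASA is dropping the late/orphaned
    replies. 'query': an Internet host is asking us as if we were a nameserver."""
    if rec["src_port"] == 53 and rec["dst_port"] != 53:
        return "response"
    if rec["dst_port"] == 53:
        return "query"
    return "other"


def summarise(log_text):
    """Count denied UDP packets by direction and by (direction, remote host)."""
    by_kind, by_remote = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["text"].startswith("Deny udp"):
            continue
        kind = classify(rec)
        by_kind[kind] += 1
        by_remote[(kind, rec["src_ip"])] += 1
    return by_kind, by_remote
```

Run `summarise()` over a real export and a high "response" count against a handful of remote resolvers points at an internal host doing the querying (the capture the thread recommends will show which one), while a high "query" count means the outside world is treating your address as a name server.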

wazzab

84 posts

Master Geek
+1 received by user: 2


  #212767 6-May-2009 08:45

Thanks for your advice. After initially querying my provider 6 weeks ago about this and being told it appeared to be a problem beyond their control, I re-raised a ticket last week. Magically I get a reply from them saying that, again, it looks like nothing is wrong, but 10 mins prior to the email arriving all the DNS bombardment magically stopped. Bit too much of a coincidence if you ask me.
