Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Firewall getting bombarded with DNS queries?


84 posts

Master Geek


# 33128 30-Apr-2009 15:55
Send private message


The past couple of months our internet data usage has sky-rocketed. Our small business sits behind an Cisco ASA5510 firewall, and after lots of checks I've come down to the conclusion of our firewall continually bombarded with DNS queries (port 53). 

This is a sample of the continuous logs stream we get :
4|Apr 28 2009|22:48:01|106023|216.239.34.10|53|210.54.xxx.xxx|46211|Deny udp src outside:216.239.34.10/53 dst inside:210.54.xxx.xxx/46211 by access-group "outside_acl" [0x386cf24f, 0x0]

Monitoring our Internet Service it equates to 30Mb per hour continuously which is around 20Gb per month.

There is only a few ips that are hitting us, and it doesn’t seem random, just continuous. When i check the offending ip's the seem to end up back as various Name Servers - the above one is goggle. Can anyone shed any light on why this would be happening and if anything can be done. It started in Dec, and as far as I'm aware nothing had changed to our systems.

Create new topic

mjb

923 posts

Ultimate Geek

Trusted

  # 211041 30-Apr-2009 21:09
Send private message

Something is specifying your IP address as a nameserver.

You'll need to capture the requests to discover what domain it is, and find out where in DNS it's pointing at your IP.

That's the most likely scenario.




contentsofsignaturemaysettleduringshipping

Hawkes Bay
8477 posts

Uber Geek

Mod Emeritus
Trusted
Lifetime subscriber

  # 211044 30-Apr-2009 21:22
Send private message

Is changing your ip an option?


Doesnt fix the original issue, but will relieve all your symptoms!







 
 
 
 


mjb

923 posts

Ultimate Geek

Trusted

  # 211045 30-Apr-2009 21:23
Send private message

lol, good answer - I'm so used to having a static IP that I forget that 99% have a semi-dynamic IP :)




contentsofsignaturemaysettleduringshipping

2584 posts

Uber Geek

Mod Emeritus
Trusted
Lifetime subscriber

# 211046 30-Apr-2009 21:26
Send private message

lol maybe it is Telstras DNS server... the transparent one that is not working properly...

http://www.geekzone.co.nz/forums.asp?ForumId=44&TopicId=29955







Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64



84 posts

Master Geek


  # 211135 1-May-2009 08:55
Send private message

thanks for that

changing ip's is not really an option. we have 10 ips all set up starting with our router, then firewall, the progressing thru the mail server, web server and various other apps servers. i will have to keep digging. we are using Telecoms CID (corporate Internet Direct) servic, which has been rock solid for the past 5 years without any drop-outs at all. just annoying that our traffic has started increasing and blowing our data plans.

mjb

923 posts

Ultimate Geek

Trusted

  # 211140 1-May-2009 09:34
Send private message

Seriously, traffic capture time. that will usually end up being very enlightening.




contentsofsignaturemaysettleduringshipping

637 posts

Ultimate Geek

Trusted

  # 212749 6-May-2009 07:13
Send private message

Agree with a traffic capture; although the log output says to me you are receiving DNS responses from a server. It looks like you're sending DNS queries to those server(s) and then discarding the responses - I'd be checking all my PCs to see what they're sending out to the Internet. It's possible that someone is infected with a DNS based trojan/worm.

 
 
 
 




84 posts

Master Geek


  # 212767 6-May-2009 08:45
Send private message

thanks for your advice. after initially querying my provider 6 weeks ago about this and been told, it appeared to be a problem beyond there control, i re-raised a ticket last week. magically get a reply from them saying, that again, looks like nothing is wrong, but 10 mins prior to the email arriving all the DNS bombardment magically stopped. bit too much of a coincidence if you ask me.

Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Arlo unveils its first video doorbell
Posted 21-Oct-2019 08:27

New Zealand students shortlisted for James Dyson Award
Posted 21-Oct-2019 08:18

Norton LifeLock Launches Norton 360
Posted 21-Oct-2019 08:11

Microsoft New Zealand Partner Awards results
Posted 18-Oct-2019 10:18

Logitech introduces new Made for Google keyboard and mouse devices
Posted 16-Oct-2019 13:36

MATTR launches to accelerate decentralised identity
Posted 16-Oct-2019 10:28

Vodafone X-Squad powers up for customers
Posted 16-Oct-2019 08:15

D Link ANZ launches EXO Smart Mesh Wi Fi Routers with McAfee protection
Posted 15-Oct-2019 11:31

Major Japanese retailer partners with smart New Zealand technology IMAGR
Posted 14-Oct-2019 10:29

Ola pioneers one-time passcode feature to fight rideshare fraud
Posted 14-Oct-2019 10:24

Spark Sport new home of NZC matches from 2020
Posted 10-Oct-2019 09:59

Meet Nola, Noel Leeming's new digital employee
Posted 4-Oct-2019 08:07

Registrations for Sprout Accelerator open for 2020 season
Posted 4-Oct-2019 08:02

Teletrac Navman welcomes AI tech leader Jens Meggers as new President
Posted 4-Oct-2019 07:41

Vodafone makes voice of 4G (VoLTE) official
Posted 4-Oct-2019 07:36


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.