Thousand of request per seconds and/or DNS server Activities logging

[Serge Ayotte]

I am looking into solving a strange occurrence...

A Windows 2000 DC with DNS service (active directory integrated)
internal DNS server is set to forward any request to an external DNS
server, no problem there, BUT it seems that occasionally (once or
twice a week at the moment) the Windows DNS start requesting like
crazy for one domain (the first time it was for an A record of DOT
[.], strange enough with just that, then the second time was for a
valid domain name server).
THOUSANDS of request are sent to the external DNS in a few seconds
time.
And worst, from what I have seen with the current logging, it is as if
the server itself is requesting (i.e. I can't figure out if it's
another machine asking the internal DNS, and making it go crazy).

Anyone seen this behaviors before?


So next, I would like to make some checking/troubleshooting and
tracking down. I know of the LOGGING tab of the DNS server and enable
them, but the Log files a very LACKING in result (no date/time for the
request) and with my 2 servers, there seem to be a big difference in
sizes (the DC with PDC role goes to 3mn and the other just 900kb).

1-How can I get MORE DETAILS of the logging being done (more
specifically a date/time stamp on what IS getting recorded)
2-How can I adjust the size (or write over) settings for the logs?
(can't find anywhere)

Thanks in advance to any and all for infortation/pointers and help!

Serge Ayotte

 

[DJ]

Do you have root [.] zone on your DNS ?
If so - delete it. I guess it may cause the problem.

 

[Herb Martin]

Do you have root [.] zone on your DNS ?

If so - delete it. I guess it may cause the problem.

I don't understand this answer above -- is this some
known bug or can you explain, please....


If this isn't the problem, then I would suggest putting a
sniffer (NetMon, Ethereal, Windump, etc) on the DNS
forwarder or logging perhaps, to figure out which client
or other DNS server is originating these requests.

If it is a problem on THIS server, perhaps the Root Hints
file is in error and the DNS server is trying to find a new
one, obtain the "dot" root glue, etc.

 

[Jonathan de Boyne Pollard]

SA> 1-How can I get MORE DETAILS of the logging being done (more
SA> specifically a date/time stamp on what IS getting recorded)

It doesn't seem possible. However, it's not absolutely necessary
in order to diagnose your problem. It should be relatively easy to
find that point in the log immediately prior to where the server
starts sending the same query thousands of times per second. (-:

SA> 2-How can I adjust the size (or write over) settings for the logs?
SA> (can't find anywhere)

<URL:http://www.microsoft.com./technet/p...sag_DNS_pro_SetDebugLogOptions.asp?frame=true>

 

[Jonathan de Boyne Pollard]

D> Do you have root [.] zone on your DNS ?
D> If so - delete it. I guess it may cause the problem.

A "." "zone" isn't going to cause thousands of "A" queries for "." to be sent
to the forwardee. Indeed, quite the contrary: If he had a "." "zone" the
server _wouldn't_ be sending queries for "." anywhere else, because it would
have the answers ready to hand in its own database.

 

[Ace Fekay [MVP]]

In

Do you have root [.] zone on your DNS ?
If so - delete it. I guess it may cause the problem.

If he's got forwarding already set, then that means the Root zone has
already been deleted.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Ace Fekay [MVP]]

In

I am looking into solving a strange occurrence...

A Windows 2000 DC with DNS service (active directory integrated)
internal DNS server is set to forward any request to an external DNS
server, no problem there, BUT it seems that occasionally (once or
twice a week at the moment) the Windows DNS start requesting like
crazy for one domain (the first time it was for an A record of DOT
[.], strange enough with just that, then the second time was for a
valid domain name server).
THOUSANDS of request are sent to the external DNS in a few seconds
time.
And worst, from what I have seen with the current logging, it is as if
the server itself is requesting (i.e. I can't figure out if it's
another machine asking the internal DNS, and making it go crazy).

Anyone seen this behaviors before?


So next, I would like to make some checking/troubleshooting and
tracking down. I know of the LOGGING tab of the DNS server and enable
them, but the Log files a very LACKING in result (no date/time for the
request) and with my 2 servers, there seem to be a big difference in
sizes (the DC with PDC role goes to 3mn and the other just 900kb).

1-How can I get MORE DETAILS of the logging being done (more
specifically a date/time stamp on what IS getting recorded)
2-How can I adjust the size (or write over) settings for the logs?
(can't find anywhere)

Thanks in advance to any and all for infortation/pointers and help!

Serge Ayotte

Can't you post what domain that is and the IP that resolves to it?

One suggestion is to make sure Secure Cache Against Pollution is set.

To adjust logging levels, need to be done in the reg:
198408 - Microsoft DNS Server Registry Parameters, Part 1 of 3:
http://support.microsoft.com/?id=198408

And as Herb suggested, Netmon captures would help.

Longshot: If this server is on the Internet, someone else could be using it
as a forwarder or spoofing it. You can "Disable Recursion" (under the
Advanced tab) that would prevent it being used by another as a Forwarder.
This setting turns off the RA (recursion avail) bit.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Serge Ayotte]

SA> 1-How can I get MORE DETAILS of the logging being done (more
SA> specifically a date/time stamp on what IS getting recorded)

It doesn't seem possible. However, it's not absolutely necessary
in order to diagnose your problem. It should be relatively easy to
find that point in the log immediately prior to where the server
starts sending the same query thousands of times per second. (-:

Yes, on that side it is not "so bad" but still would be useful to see
when it started logging and when it "rolled around"

SA> 2-How can I adjust the size (or write over) settings for the logs?
SA> (can't find anywhere)

<URL:http://www.microsoft.com./technet/p...sag_DNS_pro_SetDebugLogOptions.asp?frame=true>

Hummm. things are better in new version... Too bad I am on W2K
<smile>...


Thanks for your answers!

Serge

 

[Serge Ayotte]

In news:[email protected],

Can't you post what domain that is and the IP that resolves to it?

Like I mentioned, the first time it did this was with a A record
request for a domain called "." (dot, no quotes).
The second time was for a legal domain, and it was for it's name
server; ns1.togotel.net.tg
(Seems like the phone and internet provider in Togo... I was surprised

One suggestion is to make sure Secure Cache Against Pollution is set.

That was set at the creation of the domain many moons ago...

To adjust logging levels, need to be done in the reg:
198408 - Microsoft DNS Server Registry Parameters, Part 1 of 3:
http://support.microsoft.com/?id=198408

I knew of these articles, but wasn't to keen on "trying" NT 4 keys on
a W2K DC... Most of them seems to be there (and some controlled by the
DNS GUI), but still... Looks like I will have to go trough the 3

And as Herb suggested, Netmon captures would help.

Yes... I'll have to enable this and see...

Longshot: If this server is on the Internet, someone else could be using it
as a forwarder or spoofing it. You can "Disable Recursion" (under the
Advanced tab) that would prevent it being used by another as a Forwarder.
This setting turns off the RA (recursion avail) bit.

No it is not...
The "internal" server is W2K and a DC, and the Forwarder is a UNIX DNS
in a DMZ NOT accessible from the outside either...


Again, from what the "security chief" told me, the internal DNS kept
asking the Unix server, so I am wondering what the heck?

Thanks for the pointers...

Serge

 

[Serge Ayotte]

Do you have root [.] zone on your DNS ?
If so - delete it. I guess it may cause the problem.

I don't understand this answer above -- is this some
known bug or can you explain, please....


If this isn't the problem, then I would suggest putting a
sniffer (NetMon, Ethereal, Windump, etc) on the DNS
forwarder or logging perhaps, to figure out which client
or other DNS server is originating these requests.

If it is a problem on THIS server, perhaps the Root Hints
file is in error and the DNS server is trying to find a new
one, obtain the "dot" root glue, etc.

HUmmmm... OK the set-up (as mention in my reply post to Ace) is that
our internal server (W2K, DC) as forwarding enabled (no .zone at all,
and never where) so that all non-internal request are sent (as should
be) to a UNIX DNS in our DMZ. There is no resolution of DNS from the
outside world to any of our DNS servers.

The Unix server is the one that logged the thousands of request from
the W2K DNS, so logging at that one is enable.
Now internally, I have started logging after the first incident (the
one requesting the A record for the domain ".").
But now, I am trying to have a better "look" at the logs, but with the
lack of date/time it is a little hard, and I may have "incomplete"
logs by the time I know there was some abnormal activities and when I
go to stop the W2K dns, rename the log file and restart the DNS, since
I cannot find a way to limit size or "overwrite" size. Event viewer
DNS Server logs are really not useful, aside to tell me when I stopped
and started it...

I will activate Netmon till the next "hiccup" to see if we can get
something from that also.

Thanks for the tip and pointers!

Serge

 

[Herb Martin]

Thanks for the tip and pointers!

You are welcome.

HUmmmm... OK the set-up (as mention in my reply post to Ace) is that
our internal server (W2K, DC) as forwarding enabled (no .zone at all,
and never where) so that all non-internal request are sent (as should
be) to a UNIX DNS in our DMZ. There is no resolution of DNS from the
outside world to any of our DNS servers.

Ok, so presumably this is for cache consolidaton or to prevent
EACH and EVERY client from talking to the DMZ server.
And clearly you have no "." or forwarding would be disabled in
the GUI.

In this case, I would also select the "Do NOT use Recursion" on
the Forwarding tab -- IMPORTANT, there is another setting in
the Advanced tab that refers to recurion, do NOT disable that one.

Disable recursion (recursively following the DNS namespace down
from the root) ONLY on the Forwarder tab and then the internal
server will ONLY send requests to the Forwarder and will never
try to do it's own recursion by finding the root server, then the TLDs
etc.

[DNS from the outside in is an nearly completely separate issue but
you aren't doing that anyway so we can completely ignore it.]

The Unix server is the one that logged the thousands of request from
the W2K DNS, so logging at that one is enable.

Presumably the internal clients need something? (especially if we
make sure the internal server is not trying to ALSO do it's own
literal recursion but ONLY forwards to the DMS DNS.)

Now internally, I have started logging after the first incident (the
one requesting the A record for the domain ".").
But now, I am trying to have a better "look" at the logs, but with the
lack of date/time it is a little hard, and I may have "incomplete"
logs by the time I know there was some abnormal activities and when I
go to stop the W2K dns, rename the log file and restart the DNS, since
I cannot find a way to limit size or "overwrite" size. Event viewer
DNS Server logs are really not useful, aside to tell me when I stopped
and started it...

This is the reason I also suggested a network monitory (NetMon,
Ethereal, WinDump) as teh log may hide info from you.

CAUTION -- if you are not the TOP LEVEL admin, using a sniffer
or network monitor in an organization without authority may be cause
for DISMISSAL (they may fire you or yell at you.)

 

[Ace Fekay [MVP]]

There is actually an issue with fowarding to a BIND server. Not at my office
right now to dig up the article. I would need to wait till I get there later
to dig it up.

As far as Togo goes, try the Secure Cache setting. That should take care of
it. There are current issues, at it seems, concerning pollution and cache
due to the new IPV6 implementation. One of the other guys, NTCanuck, pointed
out there are issues going on right now in "DNS Land", as he put it ,
with regards to this. Search back from today's and yesterday's date for his
name in here and you can see the article.


--
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Herb Martin]

There is actually an issue with fowarding to a BIND server. Not at my
office

right now to dig up the article. I would need to wait till I get there later
to dig it up.

Please post it when you get back there.

Mine is working fine but it is now dependent on forwarding
to a BIND server.

Thanks.

 

[Herb Martin]

Oops, false alarm! It had to do with zone transfers, not forwarding. I
need

more memory.

That sounds right.

 

[Jonathan de Boyne Pollard]

SA> There is no resolution of DNS from the
SA> outside world to any of our DNS servers.

You may not be providing _content_ DNS service to the rest of
Internet, but you may be providing _proxy_ DNS service. Is your DNS
server listening on an IP address that is reachable by the rest of
Internet. If so, correct that. The only entities that should be able
to even reach your DNS server are your own
customers/clients/colleagues/whatever.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-server-roles.html#ProxyIP>

This will rule out the possibility that the cause of these "thousands"
of back-end queries is simply someone out on Internet sending
thousands of queries to the server's front-end.

And, while you are at it, check that the forwardee that you are
using is not multi-homed and sending its responses back from an
IP address that is different to the one where it is receiving
its queries. (My ISP made this very configuration mistake just
the other day, which is why I am reminded of it.)