Unwanted DNS traffic

Chris Halgryn

Please help.

I'm running a Windows 2000 Server (SP3) connecting to the
Internet via an ISDN router. The ISDN router automatically
dials up to our local ISP whenever a connection is needed.
The problem is that I'm getting constant unwanted DNS
(port 53) traffic from our Windows 2000 server causing my
ISDN router to constantly dial up, in turn causing an
enormous telephone bill.

I've investigated the matter and tried to determine the
cause of the DNS traffic. Firstly I examined the MS DNS
Server running on our Windows 2000 Server. I've consulted
MS TechNet and tried all the tech notes available for
stopping unwanted DNS traffic caused by the DNS Server.
I've also tested by stopping the DNS Server service - still
no joy: I can still see constant DNS traffic even with the
DNS Server service stopped. Can I assume that the DNS
Server isn't the cause of the DNS traffic? If so, how can
I determine which application is causing the unwanted
traffic?

This is rather urgent as this problem is costing our
business a lot of money. Any suggestions would be greatly
appreciated.

Kind regards,
Chris Halgryn
 
Kevin Goodknecht

You should check the configuration of all clients using this server.
Things to look for: external DNS listed somewhere.

Incorrect DNS suffix search list, i.e. if your local domain is domain.local
but you have domain.com in the DNS search list then the machine will add
domain.com to all DNS queries which your DNS server will forward to your
ISP. In other words you should only have your local DNS suffix in your
search list.

There may also be an internet app. such as Instant messaging running
somewhere.
 
Michael Johnston [MSFT]

Make sure that the server only points to itself for DNS. Verify that the correct DNS suffix is used on the server and that all local resources can be resolved by the local DNS server. Take a look at the DNS traffic itself. What is the query for? By this, you may be able to determine what is causing the traffic.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
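
To answer "what is the query for?" from a capture, the question name can be read straight out of each port-53 UDP payload and tallied by whether the local server would have to forward it. This is an added example, not part of any poster's reply; `LOCAL_ZONE` reuses the `domain.local` example from the thread, and the function names and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

LOCAL_ZONE = "domain.local"  # assumption: the example local domain used in the thread

def parse_question(payload):
    """Return (qname, qtype) for a DNS query payload, or None if it is not a well-formed query."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:             # QR bit set means this is a response
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):  # pointer/garbage length or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos + 5 > len(payload):                    # need the root byte plus QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos + 1:pos + 5])
    return ".".join(labels).lower(), qtype

def leaves_site(qname, local_zone=LOCAL_ZONE):
    """True when the name is outside the local zone, so the query goes out over the dial-up link."""
    return not (qname == local_zone or qname.endswith("." + local_zone))

def suffix_appended(qname, local_zone=LOCAL_ZONE):
    """Heuristic: the local zone sits in the middle of the name, so another search suffix was added."""
    return ("." + local_zone + ".") in ("." + qname)

def summarise(payloads, local_zone=LOCAL_ZONE):
    """Count outbound (qname, qtype) pairs, most frequent first."""
    external = Counter()
    for p in payloads:
        q = parse_question(p)
        if q and leaves_site(q[0], local_zone):
            external[q] += 1
    return external.most_common()

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a minimal standard query packet (RD set, one question)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed payloads: one local lookup, two suffix-appended lookups, one SRV lookup, one runt packet.
SAMPLE = [build_query("server1.domain.local"), build_query("server1.domain.local.domain.com"),
          build_query("server1.domain.local.domain.com"), build_query("_ldap._tcp.domain.com", 33), b"\x00\x01"]

if __name__ == "__main__":
    for (name, qtype), count in summarise(SAMPLE):
        print(count, qtype, name, "(search suffix appended)" if suffix_appended(name) else "")
```

A name that shows up with the local zone buried inside it points at the suffix search list; anything else in the tally is the name to chase back to the service requesting it.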
 
Steve Duff [MVP]

What names is it trying to resolve?

Steve Duff, MCSE
Ergodic Systems, Inc.
 
Chris Halgryn

Hi Kevin,

Thank you for the prompt response.

I should have mentioned that I still get constant DNS
traffic even when all the other workstations on our small
network (less than 10 machines) are physically turned off.
That's how I know that the traffic is generated by our
Windows 2000 Server.

I will check my DNS search suffix list on the Server.

We don't have any internet apps, such as Instant
Messaging, installed on the Server.

Kind regards,
Chris Halgryn
 
Chris Halgryn

Hi Mike.

Thank you for the prompt response.

How do I look at the DNS traffic and determine what the
query was for?

Kind regards,
Chris Halgryn
 
Michael Johnston [MSFT]

Install Netmon on the DNS server: Add/Remove Programs > Add/Remove Windows Components > Management and Monitoring Tools > Network Monitor Tools. Take a trace and look at the DNS traffic that is causing the modem to dial.

Thanks,
Mike Johnston
Microsoft Network Support.

 
Ace Fekay [MVP]

Kevin, I agree with the Instant Messaging running somewhere on the network.
That's usually the culprit. Maybe even adware programs running in the
background. Run Adware 6.0 to eliminate them. Email opened up checking ISP
mail in the background. Open browsers over night with ad pages constantly
updating. Weatherbug and other similar stuff running by your users
unknowingly. How about Kazaa?

May also want to look at these articles to see if they apply:

134985 - Browsing & Other Traffic Incur High Costs over ISDN Routers:
http://support.microsoft.com/?id=134985

258507 - ADsOpenObject(), ADsGetObject(), OpenDSObject() Functions May
Generate Incorrect DNS Queries:
http://support.microsoft.com/?id=258507

265395 - Windows 2000 Member Runs Discovery Every 15 Minutes with Possible
High Dial-on-Demand Line Costs:
http://support.microsoft.com/?id=265395

Windows 2000 Server Bug - Ras always dialing out issue and eating up
bandwidth and line costs:
http://www.win2000mag.net/Articles/Index.cfm?ArticleID=22362


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
