DNS Server making thousands of queries for no apparent reason

Eric Zierke

I am working with a pair of DNS servers that are both periodically making
thousands of queries per minute to another name server to find the address
of a third name server. I have turned on all logging except full packets
and have caught the start of several of these bursts. I do not find an
initial query received that this name server would be authoritative for. It
always starts with sending a query and never sends a response back to
anywhere.

Both servers use root hints to resolve external name requests (why we aren't
using our ISP's DNS servers is a long story for another time...). There are
several subjects of the queries, although it will usually concentrate on one,
occasionally doing two or more concurrently. One example is a query to
4.2.49.2 to resolve ns1.mmc.com. It seems all but one of the subjects only
return partial answers. They respond with the name, but not an address (try
it, you'll see what I mean). If I clear the cache and do an nslookup for
ns1.mmc.com myself, in the logs I see the server query a root server, work
its way to 4.2.49.2 where it queries for ns1.mmc.com and returns the partial
answer to me. It does not continue trying except that my client will ask a
second time. When the server does it by itself, it keeps trying for several
minutes to hours and then suddenly stops.

I'm thinking some process on the server is initiating the query although
that would usually still result in a log entry showing the query received
from itself. How can I determine which process is doing this? Any other
ideas on why they might go nuts like this?

Both servers scan clean with TrendMicro. They are both also domain
controllers with little else on them.

Thanks in advance for your help.

Eric Z.

Kevin D. Goodknecht [MVP]

Eric Zierke said:
I am working with a pair of DNS servers that are both periodically
making thousands of queries per minute to another name server to find
the address of a third name server. I have turned on all logging
except full packets and have caught the start of several of these
bursts. I do not find an initial query received that this name
server would be authoritative for. It always starts with sending a
query and never sends a response back to anywhere.

Both servers use root hints to resolve external name requests (why we
aren't using our ISP's DNS servers is a long story for another
time...). There are several subjects of the queries, although it will
usually concentrate on one, occasionally doing two or more
concurrently. One example is a query to
4.2.49.2 to resolve ns1.mmc.com. It seems all but one of the
subjects only return partial answers. They respond with the name,
but not an address (try it, you'll see what I mean). If I clear the
cache and do an nslookup for ns1.mmc.com myself, in the logs I see
the server query a root server, work its way to 4.2.49.2 where it
queries for ns1.mmc.com and returns the partial answer to me. It
does not continue trying except that my client will ask a second
time. When the server does it by itself, it keeps trying for several
minutes to hours and then suddenly stops.

I'm thinking some process on the server is initiating the query
although that would usually still result in a log entry showing the
query received from itself. How can I determine which process is
doing this? Any other ideas on why they might go nuts like this?

Both servers scan clean with TrendMicro. They are both also domain
controllers with little else on them.

Thanks in advance for your help.

Eric Z.

Do you have a mail server?
The only record for the name is an mx record.
ns1.mmc.com
Server: kjweb.lsaol.com
Address: 192.168.0.2

Name: ns1.mmc.com
set type=all
ns1.mmc.com
Server: kjweb.lsaol.com
Address: 192.168.0.2

Non-authoritative answer:
ns1.mmc.com MX preference = 10, mail exchanger = mmc.com

mmc.com internet address = 216.182.10.234

Eric Zierke

We have several mail servers. I see queries from the mail servers in the
logs for many external mail servers. I don't see any that lead to the
rampantly repeated queries. If a mail server were not accepting the partial
answer, wouldn't I see the repeated queries received in the logs?

Thanks again,

Eric Z.

Kevin D. Goodknecht [MVP]

Eric Zierke said:
We have several mail servers. I see queries from the mail servers in
the logs for many external mail servers. I don't see any that lead
to the rampantly repeated queries. If a mail server were not
accepting the partial answer, wouldn't I see the repeated queries
received in the logs?

Thanks again,
I'm not sure; the only thing I can say is that there is something weird
going on when the mail domain is ns1.mmc.com. There isn't an A record
for the name, no NS records, only an MX record. It is as if they have a
subdomain with only an MX record in it. Go figure?
Probably spam anyway.

Ace Fekay [MVP]

Kevin D. Goodknecht said:
I'm not sure; the only thing I can say is that there is something
weird going on when the mail domain is ns1.mmc.com. There isn't
an A record for the name, no NS records, only an MX record. It is as
if they have a subdomain with only an MX record in it. Go figure?
Probably spam anyway.

Using 4.2.49.2, when I ran a set type=all, it came back with the GTLDs. But
if I used 4.2.2.2, it comes back with the actual records. So I have a
feeling that 4.2.49.2 may be a spam-based nameserver, but then again, not
sure. Look below. I would probably ensure that Secure Cache Against
Pollution is set and use a forwarder, such as 4.2.2.2. Another thing that
can cause this excessive traffic is an AD single-label DNS domain name.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
server 4.2.49.2
Default Server: dnsauth1.sys.gtei.net
Address: 4.2.49.2
Server: dnsauth1.sys.gtei.net
Address: 4.2.49.2

Name: mmc.com
Address: 216.182.10.234
set type=mx
mmc.com
Server: dnsauth1.sys.gtei.net
Address: 4.2.49.2

com nameserver = e.gtld-servers.net
com nameserver = d.gtld-servers.net
com nameserver = c.gtld-servers.net
com nameserver = j.gtld-servers.net
com nameserver = g.gtld-servers.net
com nameserver = a.gtld-servers.net
com nameserver = i.gtld-servers.net
com nameserver = h.gtld-servers.net
com nameserver = l.gtld-servers.net
com nameserver = b.gtld-servers.net
com nameserver = m.gtld-servers.net
com nameserver = f.gtld-servers.net
com nameserver = k.gtld-servers.net
e.gtld-servers.net internet address = 192.12.94.30
d.gtld-servers.net internet address = 192.31.80.30
c.gtld-servers.net internet address = 192.26.92.30
j.gtld-servers.net internet address = 192.48.79.30
g.gtld-servers.net internet address = 192.42.93.30
a.gtld-servers.net internet address = 192.5.6.30
i.gtld-servers.net internet address = 192.43.172.30
h.gtld-servers.net internet address = 192.54.112.30
l.gtld-servers.net internet address = 192.41.162.30
b.gtld-servers.net internet address = 192.33.14.30
m.gtld-servers.net internet address = 192.55.83.30
f.gtld-servers.net internet address = 192.35.51.30
k.gtld-servers.net internet address = 192.52.178.30
server 4.2.2.2
Default Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
mmc.com MX preference = 10, mail exchanger = mpower.marshmc.com
mmc.com MX preference = 10, mail exchanger = mpower2.marshmc.com
mmc.com MX preference = 10, mail exchanger = mpower3.marshmc.com
ns1.mmc.com
Server: vnsc-bak.sys.gtei.net
Address: 4.2.2.2

Non-authoritative answer:
ns1.mmc.com MX preference = 10, mail exchanger = mmc.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Eric Zierke

Thank you both for your help. I'm not really concerned about actually
resolving these specific names, rather in finding out why our servers try so
many times to resolve them especially when I can't find anything asking a
question they could answer to start with.

If I figure it out, I'll post the answer back here.

Thanks again,

Eric Z.


Jonathan de Boyne Pollard

EZ> One example is a query to 4.2.49.2 to resolve ns1.mmc.com.
EZ> It seems all but one of the subjects only return partial
EZ> answers. They respond with the name, but not an address
EZ> (try it, you'll see what I mean).

I've tried it, and I do not. All three of the "mmc.com." content DNS
servers return complete answers when queried about "ns1.mmc.com.".
For example:

[4.2.49.4:0035] -> [0.0.0.0:0000] 102
Header: 0000 1+0+1+0, R, AUTH, query, no_error
Question: ns1.mmc.com. IN A
Authority: mmc.com. IN SOA 3600 2004031917 3600 900 864000 3600 dnsauth1.sys.gtei.net. dnsadmin.level3.net.

EZ> I'm thinking some process on the server is initiating the query [...]

If a domain's delegation information uses "ns1.mmc.com." as one of the
intermediate domain names, then this will cause resolution of a query
against this domain name to be triggered.
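Eric's original question was how to tell what is driving the outbound bursts when no inbound query for the same name appears in the log, and Jonathan's answer is that a resolver will look up a name on its own when that name appears as an NS target in a delegation. One way to check which of the two cases applies is to correlate the server's own debug log: group outbound (Snd) queries by name, type and remote server, find bursts, and mark whether any client ever sent an inbound (Rcv) query for that name. A burst with no inbound query is consistent with the resolver-internal dependency Jonathan describes rather than with a client hammering the server. The script below is an added example and is not code from the thread or from Microsoft; the log layout it parses is an approximation of the Windows DNS debug log format (date, time, thread id, PACKET, packet address, protocol, Snd/Rcv, remote IP, XID, response flag, opcode, bracketed flags, qtype, label-encoded name), and every sample line is constructed for this example, reusing only the names and addresses already mentioned in the thread.

```python
"""Correlate outbound DNS query bursts with inbound client queries in a
Windows DNS debug log (approximated format; sample lines are constructed)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real entries from the thread. One client asks
# for the MX of mmc.com; the server then repeatedly queries 4.2.49.2 for the
# A record of ns1.mmc.com, a name no client ever asked for.
SAMPLE_LOG = """\
3/19/2004 10:15:30 AM 0A18 PACKET 00000000012F3D10 UDP Rcv 10.0.0.25       0001   Q [0001   D   NOERROR] MX     (3)mmc(3)com(0)
3/19/2004 10:15:30 AM 0A18 PACKET 00000000012F3D10 UDP Snd 4.2.49.2        0002   Q [0001   D   NOERROR] MX     (3)mmc(3)com(0)
3/19/2004 10:15:30 AM 0A18 PACKET 00000000012F3D10 UDP Rcv 4.2.49.2        0002 R Q [8084 A DR  NOERROR] MX     (3)mmc(3)com(0)
3/19/2004 10:15:31 AM 0A18 PACKET 00000000012F3E20 UDP Snd 4.2.49.2        0003   Q [0001   D   NOERROR] A      (3)ns1(3)mmc(3)com(0)
3/19/2004 10:15:31 AM 0A18 PACKET 00000000012F3E20 UDP Rcv 4.2.49.2        0003 R Q [8084 A DR  NOERROR] A      (3)ns1(3)mmc(3)com(0)
3/19/2004 10:15:45 AM 0A18 PACKET 00000000012F3E20 UDP Snd 4.2.49.2        0004   Q [0001   D   NOERROR] A      (3)ns1(3)mmc(3)com(0)
3/19/2004 10:16:02 AM 0A18 PACKET 00000000012F3E20 UDP Snd 4.2.49.2        0005   Q [0001   D   NOERROR] A      (3)ns1(3)mmc(3)com(0)
3/19/2004 10:16:20 AM 0A18 PACKET 00000000012F3E20 UDP Snd 4.2.49.2        0006   Q [0001   D   NOERROR] A      (3)ns1(3)mmc(3)com(0)
"""

# Approximation of the debug-log packet line; the optional "R" column marks a
# response, the following Q/R-style letter is the opcode, the bracket holds flags.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R\s+)?(?P<op>\S)\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(label_form):
    """Turn '(3)ns1(3)mmc(3)com(0)' into 'ns1.mmc.com.'."""
    return re.sub(r"\(\d+\)", ".", label_form).lstrip(".")


def parse_line(line):
    """Return a dict for a packet line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {
        "ts": ts,
        "dir": m["dir"],
        "ip": m["ip"],
        "is_response": m["resp"] is not None,
        "qtype": m["qtype"],
        "name": decode_name(m["name"]),
    }


def analyze(log_text, burst_threshold=3, window_seconds=60):
    """Report (name, qtype, remote server) groups whose outbound query rate
    reaches burst_threshold within any window_seconds span, and whether any
    client sent an inbound query for that name and type."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    inbound = {(e["name"], e["qtype"]) for e in events
               if e["dir"] == "Rcv" and not e["is_response"]}
    outbound = defaultdict(list)
    for e in events:
        if e["dir"] == "Snd" and not e["is_response"]:
            outbound[(e["name"], e["qtype"], e["ip"])].append(e["ts"])

    report = []
    for (name, qtype, ip), times in outbound.items():
        times.sort()
        peak, start = 0, 0
        for i, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= burst_threshold:
            report.append({"name": name, "qtype": qtype, "remote_ip": ip,
                           "peak": peak, "client_asked": (name, qtype) in inbound})
    report.sort(key=lambda r: -r["peak"])
    return report


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        origin = "client query seen" if row["client_asked"] else "NO inbound query"
        print(f"{row['name']} {row['qtype']} -> {row['remote_ip']}: "
              f"peak {row['peak']}/60s ({origin})")
```

Run against the sample, the only burst reported is the A lookup for ns1.mmc.com. against 4.2.49.2 with no inbound query for that name, which is the pattern Eric describes; on a real debug log the same grouping can be extended to look at the inbound MX query that arrived just before the burst, since that is the query whose delegation or mail-exchanger data pulled the NS name in.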

Ace Fekay [MVP]

Eric Zierke said:
Thank you both for your help. I'm not really concerned about actually
resolving these specific names, rather in finding out why our servers
try so many times to resolve them especially when I can't find
anything asking a question they could answer to start with.

If I figure it out, I'll post the answer back here.

Thanks again,

Eric Z.

Hi Eric,

Not sure if I asked yet, but is your AD domain a single label name?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory