[itdiscuss] Mass DNS requests from a VPN user
Dayron Daugherty
ddaugherty at precept.org
Thu Aug 6 15:49:28 EDT 2009
Hello all,
Over the last couple of days I've noticed a HUGE spike in A record
DNS requests from our domain. We use OpenDNS and I check stats often. We
usually have about 5000-6000 A record resolves in a day. The last 2 days
we've had 25,000 - 26,000. Our AD servers are set as DNS forwarders
which then forward on to the OpenDNS servers.
I've been able to isolate the source of the DNS bombardment to our VPN
server using good ol' MS Network Monitor on our AD servers and VPN
server. However, all that shows in the trace is the VPN server requesting
the DNS lookup and then it being forwarded off to OpenDNS. It doesn't
show the client who requested it. Also I have used DNS debugging logs
and it shows roughly the same thing. Almost all local clients have admin
rights removed from their PCs. This almost completely removed even the
smallest of malware issues we'd get, even with CA eTrust running and
updated. In this case, however, almost all our remote users are local
admins of their laptops.
My next course of action is to remote in to each of our remote users'
laptops and begin searching for the issue, which will take some time but
will resolve the issue once I find which client is the cause. In the
meantime of my client-by-client search, does anyone have any other advice
or freely available tools that might help me isolate the issue? I've
considered using Wireshark, but I'm a little leery of installing it on a
DC or VPN server. Has anyone used Wireshark on a Windows 2003 DC or RRAS
box?
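Added example (editor's note, not part of Dayron's post and not a Microsoft tool): the question asks for a free way to narrow a DNS flood down to one client without a client-by-client hunt. The Windows DNS debug log already mentioned in the post records each received query with its source address, record type and name, so a short script that tallies queries per source, per name and per source-minute gives the top talker and the pattern of what it is asking for in one pass. The log lines below are constructed in the layout of a Windows Server 2003 DNS debug log (the exact column spacing is assumed and varies between server versions, so the parser keys on tokens rather than fixed columns); the addresses are hypothetical, with 10.0.0.5 standing for the VPN/RRAS server and 192.168.1.20 for an ordinary LAN client.

```python
"""Triage a Windows DNS server debug log: who is asking, for what, and how fast."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the layout of a Windows Server 2003 DNS debug log
# (assumed format).  Addresses are hypothetical: 10.0.0.5 plays the VPN/RRAS
# server, 192.168.1.20 a normal LAN client.  The "Snd" line is the server's
# own response and must not be counted as a client query.
SAMPLE_LOG = """\
8/6/2009 3:40:01 PM 0F8 PACKET  UDP Rcv 192.168.1.20   0001   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
8/6/2009 3:40:01 PM 0F8 PACKET  UDP Snd 192.168.1.20   0001 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
8/6/2009 3:40:02 PM 0F8 PACKET  UDP Rcv 10.0.0.5       0002   Q [0001   D   NOERROR] A      (4)cdn1(7)example(3)net(0)
8/6/2009 3:40:02 PM 0F8 PACKET  UDP Rcv 10.0.0.5       0003   Q [0001   D   NOERROR] A      (4)cdn2(7)example(3)net(0)
8/6/2009 3:40:03 PM 0F8 PACKET  UDP Rcv 10.0.0.5       0004   Q [0001   D   NOERROR] A      (4)cdn3(7)example(3)net(0)
8/6/2009 3:41:10 PM 0F8 PACKET  UDP Rcv 10.0.0.5       0005   Q [0001   D   NOERROR] A      (4)cdn4(7)example(3)net(0)
8/6/2009 3:41:11 PM 0F8 PACKET  UDP Rcv 10.0.0.5       0006   Q [0001   D   NOERROR] AAAA   (4)cdn4(7)example(3)net(0)
8/6/2009 3:41:12 PM 0F8 PACKET  UDP Rcv 192.168.1.20   0007   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
"""

# One packet per line.  An optional hex context field before UDP/TCP is allowed
# so the same expression copes with newer server versions; an "R" before the Q
# marks a response, which is skipped.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+\S+\s+PACKET\s+"
    r"(?:[0-9A-Fa-f]+\s+)?(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+[0-9A-Fa-f]+\s+(?P<resp>R)?\s*Q\s+"
    r"\[[^\]]*\]\s+(?P<qtype>\S+)\s+(?P<name>(?:\(\d+\)[^(]*)+)"
)


def decode_name(encoded):
    """Turn the log's length-prefixed '(3)www(7)example(3)com(0)' into 'www.example.com'."""
    labels = re.findall(r"\(\d+\)([^(]*)", encoded)
    return ".".join(l.strip() for l in labels if l.strip()) or "."


def parse_dns_debug_log(text):
    """Return one dict per query the server *received* (responses and Snd lines dropped)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        hms, ampm = m.group("time").split()
        records.append({
            "src": m.group("src"),
            "minute": f"{hms.rsplit(':', 1)[0]} {ampm}",  # bucket to the minute
            "qtype": m.group("qtype"),
            "name": decode_name(m.group("name")),
        })
    return records


def summarize(records):
    """Tally queries by source address, queried name, record type and source-minute."""
    s = {"by_source": Counter(), "by_name": Counter(),
         "by_type": Counter(), "by_source_minute": Counter()}
    for r in records:
        s["by_source"][r["src"]] += 1
        s["by_name"][r["name"]] += 1
        s["by_type"][r["qtype"]] += 1
        s["by_source_minute"][(r["src"], r["minute"])] += 1
    return s


def distinct_names(records):
    """How many different names each source asked for: many names from one host is the
    shape of a scanner or a busy piece of malware, one name repeated is usually a loop."""
    seen = defaultdict(set)
    for r in records:
        seen[r["src"]].add(r["name"])
    return {src: len(names) for src, names in seen.items()}


def peak_rate(summary):
    """(source, minute, count) for the busiest single minute by any one source."""
    (src, minute), count = summary["by_source_minute"].most_common(1)[0]
    return src, minute, count


if __name__ == "__main__":
    recs = parse_dns_debug_log(SAMPLE_LOG)
    summ = summarize(recs)
    print("queries by source:      ", summ["by_source"].most_common())
    print("distinct names per src: ", distinct_names(recs))
    print("busiest source-minute:  ", peak_rate(summ))
    print("top names:              ", summ["by_name"].most_common(5))
```

The by-source tally only identifies the culprit where the source field is the real client. On the DC it will show the VPN server's address, exactly as the post describes, because the queries arrive from it; the same counters become useful once the data is taken where the remote users' tunnel addresses are still visible, i.e. from a capture on the VPN server's tunnel-side interface, parsed into the same record shape. The distinct-name and per-minute views are what tell a single runaway client apart from a generally busier day.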