[itdiscuss] Mass DNS requests from a VPN user

Glenn Kelley glenn at vinehosting.com
Thu Aug 6 16:31:05 EDT 2009


Try using Wireshark in between:
set up a transparent bridge and listen using that.
You will see all the port 53 traffic for sure, and who it is.

For an easy transparent bridge (and some fun security stuff to have)
check out www.pfsense.org.
It's free (makes a nice firewall as well, in fact ...).

Hope that helps - if stuck, Skype me.

_____________________________________________________________________________________
Glenn Kelley | Network Architect  | Vine Networks | www.VineHosting.com
Ohio NOC | 317 South North Street | Washington CH OH 43160
    Skype Messenger: vinehosting
Email: glenn at vinehosting.com
Phone: 740-206-1140 x 6900
Please don't print this e-mail unless you really need to.

On Aug 6, 2009, at 3:49 PM, Dayron Daugherty wrote:

>
> Over the last couple of days I’ve noticed a HUGE spike in A record DNS requests from our domain. We use OpenDNS and I check stats often. We usually have about 5000-6000 A record resolves in a day. The last 2 days we’ve had 25,000 – 26,000. Our AD servers are set as DNS forwarders which then forward on to the OpenDNS servers.
>
> I’ve been able to isolate the source of the DNS bombardment to our VPN server using good ol’ MS Network Monitor on our AD servers and VPN server. However, all that shows in the trace is the VPN server requesting the DNS lookup and then it being forwarded off to OpenDNS. It doesn’t show the client who requested it. Also I have used DNS debugging logs and it shows roughly the same thing. Most all local clients have admin rights removed from their PCs. This almost completely removed even the smallest of malware issues we’d get even with CA eTrust running and updated. In this case however, most all our remote users are local admins of their laptops.
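Added example (not from Glenn's reply or the original thread): once a capture has been taken at a point where the VPN clients' own addresses are visible (the VPN server's tunnel-side interface or a bridge on the client-facing side, e.g. `tcpdump -i br0 -w dns.pcap udp port 53`), the "who it is" step is just counting A-record queries per source address. The script below does that with only the standard library, reading a classic Ethernet pcap. The sample capture, the 10.8.0.x client addresses, the example.com names and the 10-queries-per-host baseline are all constructed here for illustration.

```python
"""Count DNS A-record queries per source IP in an Ethernet pcap.

Added example for the thread above, not the list's or pfSense's code.
The capture is assumed to be taken where VPN client addresses are visible
(tunnel-side interface or client-facing bridge). Standard library only."""
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
QTYPE_A = 1


def _dns_name(hostname):
    """Encode a dotted hostname as DNS wire-format labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in hostname.split(".")) + b"\x00"


def build_query_packet(src_ip, dst_ip, qname, qtype=QTYPE_A, txid=0x1234):
    """Construct an Ethernet/IPv4/UDP DNS query frame (sample data only)."""
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + _dns_name(qname)
    dns += struct.pack("!HH", qtype, 1)                 # QTYPE, QCLASS=IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns   # checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + udp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap (what tcpdump -w produces)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1249588800 + i, 0, len(f), len(f)) + f
    return out


def _parse_dns_question(dns):
    """Return (qname, qtype) of the first question, or None for responses/malformed."""
    if len(dns) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", dns[2:6])
    if flags & 0x8000 or qdcount == 0:
        return None
    pos, labels = 12, []
    while pos < len(dns):
        ln = dns[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:          # compression pointers are not expected in a question
            return None
        labels.append(dns[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(dns):
        return None
    return ".".join(labels), struct.unpack("!H", dns[pos:pos + 2])[0]


def iter_dns_queries(pcap_bytes):
    """Yield (src_ip, qname, qtype) for each UDP/53 query in an Ethernet pcap."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        pos += 16
        frame = pcap_bytes[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                      # not IPv4/UDP
        ihl = (frame[14] & 0x0F) * 4
        udp = frame[14 + ihl:]
        if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != 53:
            continue
        q = _parse_dns_question(udp[8:])
        if q:
            yield ".".join(str(b) for b in frame[26:30]), q[0], q[1]


def a_queries_per_source(pcap_bytes):
    """Count A-record queries per source IP: the 'who it is' behind a spike."""
    return Counter(src for src, _, qtype in iter_dns_queries(pcap_bytes) if qtype == QTYPE_A)


def top_talkers(counts, baseline_per_host):
    """Sources whose A-query count exceeds the expected per-host baseline."""
    return [(ip, n) for ip, n in counts.most_common() if n > baseline_per_host]


# Constructed sample: one noisy VPN client and one quiet one (addresses invented).
SAMPLE_PCAP = build_pcap(
    [build_query_packet("10.8.0.23", "192.168.1.10", f"host{i}.example.com") for i in range(40)]
    + [build_query_packet("10.8.0.5", "192.168.1.10", "mail.example.com"),
       build_query_packet("10.8.0.5", "192.168.1.10", "www.example.com", qtype=28)]  # AAAA
)

if __name__ == "__main__":
    for ip, n in top_talkers(a_queries_per_source(SAMPLE_PCAP), baseline_per_host=10):
        print(f"{ip}: {n} A queries")
```

With Wireshark already installed on the bridge, the same tally is one tshark pipeline over the capture: `tshark -r dns.pcap -Y "dns.flags.response == 0 && dns.qry.type == 1" -T fields -e ip.src | sort | uniq -c | sort -rn`. Either way the interesting output is a single tunnel address far above the rest, which is the laptop to pull in for a malware look.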
