[itdiscuss] Mass DNS requests from a VPN user
Dayron Daugherty
ddaugherty at precept.org
Fri Aug 7 10:28:17 EDT 2009
Thanks for the recommendations. I believe my switch has mirroring
capabilities.
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Glenn Kelley
Sent: Thursday, August 06, 2009 4:56 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Mass DNS requests from a VPN user
good point
_____________________________________________________________________________________
Glenn Kelley | Network Architect | Vine Networks | www.VineHosting.com
Ohio NOC | 317 South North Street | Washington CH OH 43160
Skype Messenger: vinehosting
Email: glenn at vinehosting.com
Phone: 740-206-1140 x 6900
Please don't print this e-mail unless you really need to.
On Aug 6, 2009, at 4:42 PM, Derek Schwab wrote:
You can also just mirror the switch port and listen on the mirrored port
with wireshark. No need for a separate device/app.
-Derek
From: discuss-bounces at itdiscuss.org
[mailto:discuss-bounces at itdiscuss.org] On Behalf Of Glenn Kelley
Sent: Thursday, August 06, 2009 4:31 PM
To: IT Discussion Forum
Subject: Re: [itdiscuss] Mass DNS requests from a VPN user
try using wireshark in-between
set up a transparent bridge and listen using that
you will see all the port 53 traffic for sure - and who it is from
for an easy transparent bridge - (and some fun security stuff to have)
check out www.pfsense.org
it's free - (makes a nice firewall as well in fact ... )
Hope that helps - if stuck skype me
_____________________________________________________________________________________
Glenn Kelley | Network Architect | Vine Networks | www.VineHosting.com
Ohio NOC | 317 South North Street | Washington CH OH 43160
Skype Messenger: vinehosting
Email: glenn at vinehosting.com
Phone: 740-206-1140 x 6900
Please don't print this e-mail unless you really need to.
On Aug 6, 2009, at 3:49 PM, Dayron Daugherty wrote:
Over the last couple of days I've noticed a HUGE spike in A record
DNS requests from our domain. We use OpenDNS and I check stats often. We
usually have about 5000-6000 A record resolves in a day. The last 2 days
we've had 25,000 - 26,000. Our AD servers are set as DNS forwarders
which then forward on to the OpenDNS servers.
I've been able to isolate the source of the DNS bombardment to our VPN
server using good ol' MS Network Monitor on our AD servers and VPN
server. However, all that shows in the trace is the VPN server requesting
the DNS lookup and then it being forwarded off to OpenDNS. It doesn't
show the client who requested it. Also I have used DNS debugging logs
and it shows roughly the same thing. Most all local clients have admin
rights removed from their PCs. This almost completely removed even the
smallest of malware issues we'd get even with CA eTrust running and
updated. In this case however, most all our remote users are local
admins of their laptops.
_______________________________________________
it discuss mailing list: discuss at itdiscuss.org
Mailing List: http://itdiscuss.org/discuss
Web Discussion Board: http://itdiscuss.org/discuss-forum
Wiki: http://itdiscuss.org/wiki
Internet Relay Chat: irc://irc.freenode.net/citrt
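Once the mirrored port (or pfSense bridge) exposes the raw port 53 traffic, the question is simply which VPN-side address is sending all the A-record queries. The following is an added example, not code from anyone in this thread: it parses the question section of DNS query payloads the way Wireshark's dns dissector does and counts A queries per source. The addresses, host names and the `build_query` helper that fabricates the sample traffic are constructed for illustration.

```python
import struct
from collections import Counter

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal DNS query payload; used here only to construct sample traffic."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + name + b"\x00" + struct.pack(">HH", qtype, 1)   # QCLASS 1 = IN

def parse_question(payload):
    """Return (qname, qtype) for the first question of a DNS query, or None for responses."""
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means response, not a query
        return None
    labels, pos = [], 12                       # question section follows the 12-byte header
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                      # compression pointer: not expected in a plain query
            raise ValueError("unexpected compression pointer in question name")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack(">HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def a_record_counts(packets):
    """Count type-A (QTYPE 1) queries per source; packets is a list of (src_ip, udp_payload)."""
    counts = Counter()
    for src, payload in packets:
        parsed = parse_question(payload)
        if parsed is not None and parsed[1] == 1:
            counts[src] += 1
    return counts

def top_talkers(packets, threshold):
    """Sources whose A-record query count exceeds the threshold, busiest first."""
    return [src for src, n in a_record_counts(packets).most_common() if n > threshold]

# Constructed sample: three VPN-side hosts as they would appear on the mirrored port.
SAMPLE = (
    [("10.8.0.5", build_query(f"host{i}.example.invalid", 1)) for i in range(30)]
    + [("10.8.0.9", build_query("mail.example.invalid", 1)),
       ("10.8.0.9", build_query("www.example.invalid", 1)),
       ("192.168.1.20", build_query("www.example.invalid", 28))]   # 28 = AAAA, not counted
)

if __name__ == "__main__":
    for src, n in a_record_counts(SAMPLE).most_common():
        print(f"{src:15} {n:5d} A queries")
    print("above threshold:", top_talkers(SAMPLE, 10))
```

Feeding real captures in means supplying (source address, UDP payload) pairs from the sniffer of your choice; the counts then point at the client behind the VPN server that the forwarder logs could not show.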