
Our server (windows 2008 R2 server, fully patched) this morning was a bit slow.

Checking network activity, I found several DNS sessions using quite a lot of bandwidth (10 MB/sec per session). This was rather suspicious (I expect DNS traffic to be light), so I turned off DNS for the present.

Here is an image of some of the connections: list of DNS sessions

As you can see there is a varied list of hosts. Is this a vulnerability in DNS?

Quango
  • How did you measure those 10 MB/sec? Could you post a shot of that, too? – MichelZ Jul 17 '12 at 08:33
  • It's not a big zone - we have two sites, about five servers, five users on Active Directory. That's what makes me very suspicious. I didn't try sniffing the packets, I just turned it off, fast, in case it was a vulnerability. – Quango Jul 17 '12 at 08:45
  • The 10 MB/sec was from the Resource Monitor / Network Activity list (not in the image I captured, alas... didn't want to leave it up longer than I had to). – Quango Jul 17 '12 at 08:54

1 Answer


Could be someone using TCP over DNS to get over some internet restrictions. You can counter this by implementing split horizon DNS.

There is an interesting Q about this over at Security.SE.


Bart De Vos
  • Thanks for the suggestion - given the traffic volume this sounds like it might be what is going on - we had forwarders set up to redirect DNS queries externally and it may be they are using this. As DNS on these servers is for internal use we are blocking the AD ports. Port 53 wasn't open. – Quango Jul 17 '12 at 09:28
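The tunnelling pattern the answer describes (bulk data carried in DNS queries) tends to leave two marks in a resolver's query log: a skew toward TXT/NULL record types and long, random-looking leftmost labels. As an added example, not from the question or answer, this Python script scores clients on those two signals; the log format (client, qtype, qname per line) is a constructed simplification, not real Windows DNS debug-log output.

```python
"""Flag DNS clients whose query mix looks like DNS tunnelling."""
import math
from collections import defaultdict

# Constructed sample log: ordinary lookups plus a burst from one client.
# Format is assumed (client qtype qname), not the Windows DNS debug-log layout.
SAMPLE_LOG = """\
10.0.0.12 A www.example.com
10.0.0.12 AAAA www.example.com
10.0.0.15 A mail.example.com
10.0.0.77 TXT a9f3k2l1m8n4p7q2.tunnel.example.net
10.0.0.77 TXT z8x1c5v9b3n6m2q4.tunnel.example.net
10.0.0.77 NULL k3j7h2g5f1d9s4a6.tunnel.example.net
10.0.0.77 TXT p2o6i9u4y1t7r3e5.tunnel.example.net
"""

# Record types with large payloads that are rare in normal client traffic.
TUNNEL_QTYPES = {"TXT", "NULL"}


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text, min_queries=3, min_label_len=12, entropy_cut=3.5):
    """Return {client: [reasons]} for clients whose queries look tunnelled."""
    stats = defaultdict(lambda: {"queries": 0, "bytes": 0, "odd": 0, "rnd": 0})
    for line in log_text.splitlines():
        client, qtype, qname = line.split()
        s = stats[client]
        s["queries"] += 1
        s["bytes"] += len(qname)          # rough measure of data carried per client
        if qtype in TUNNEL_QTYPES:
            s["odd"] += 1
        first = qname.split(".")[0]       # tunnels encode data in the leftmost label
        if len(first) >= min_label_len and label_entropy(first) > entropy_cut:
            s["rnd"] += 1
    flagged = {}
    for client, s in stats.items():
        if s["queries"] < min_queries:    # too few queries to judge
            continue
        reasons = []
        if s["odd"] / s["queries"] >= 0.5:
            reasons.append("mostly TXT/NULL queries")
        if s["rnd"] / s["queries"] >= 0.5:
            reasons.append("long high-entropy labels")
        if reasons:
            flagged[client] = reasons
    return flagged
```

Both signals together are far more telling than either alone; a busy mail server legitimately issues many TXT lookups, but not with random 16-character labels.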