DNS excessive traffic root hints


Howard Ambler

All,

I have been getting constant, continuous, excessive traffic to root servers
for the last few weeks from the dns.exe process. The server is at Windows
2000 SP4 with the latest patches and ver 5.0.2195.6715 of dns.exe.

Everything is configured for standard domain setup and is giving the same
behaviour if I use forwarders instead of root hints.

The Network Monitor output is below for the queries it is sending and
receiving continuously.

Can anyone tell me if this is an MS bug or a configuration error?
-----------------------------------------------------------
165 12.984375 LOCAL 000F24ABEFC0 DNS 0x3A7E:Std Qry for . of type Host Addr on class INET addr. SILSCRS01 193.0.14.129 IP
Frame: Base frame properties
Frame: Time of capture = 2/9/2005 11:26:13.796
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 165
Frame: Total frame length: 59 bytes
Frame: Capture frame length: 59 bytes
Frame: Frame data: Number of data bytes remaining = 59 (0x003B)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000F24ABEFC0
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 000BCDAFC9E3
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 59 (0x003B)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 45 (0x002D)
IP: ID = 0xA772; Proto = UDP; Len: 45
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 45 (0x2D)
IP: Identification = 42866 (0xA772)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = ERROR: CheckSum is 0x0000, Should be 0x0222
IP: Source Address = 192.168.1.2
IP: Destination Address = 193.0.14.129
IP: Data: Number of data bytes remaining = 25 (0x0019)
UDP: Src Port: Unknown, (1179); Dst Port: DNS (53); Length = 25 (0x19)
UDP: Source Port = 0x049B
UDP: Destination Port = DNS
UDP: Total length = 25 (0x19) bytes
UDP: UDP Checksum = 0x2D41
UDP: Data: Number of data bytes remaining = 17 (0x0011)
DNS: 0x3A7E:Std Qry for . of type Host Addr on class INET addr.
DNS: Query Identifier = 14974 (0x3A7E)
DNS: DNS Flags = Query, OpCode - Std Qry, RCode - No error
DNS: 0............... = Request
DNS: .0000........... = Standard Query
DNS: .....0.......... = Server not authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........0....... = No recursive queries
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 0 (0x0)
DNS: Name Server Count = 0 (0x0)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: . of type Host Addr on class INET addr.
DNS: Question Name: .
DNS: Question Type = Host Address
DNS: Question Class = Internet address class
00000: 00 0F 24 AB EF C0 00 0B CD AF C9 E3 08 00 45 00 ..$....E.
00010: 00 2D A7 72 00 00 80 11 00 00 C0 A8 01 02 C1 00 .-r..?......
00020: 0E 81 04 9B 00 35 00 19 2D 41 3A 7E 00 00 00 01 ..?.5..-A:~....
00030: 00 00 00 00 00 00 00 00 01 00 01 ...........
----------------------------------------------------------
163 12.984375 000F24ABEFC0 LOCAL DNS 0xA3E:Std Qry Resp. Auth. NS is . of type SOA on class INET addr. 193.0.14.129 SILSCRS01 IP
Frame: Base frame properties
Frame: Time of capture = 2/9/2005 11:26:13.796
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 163
Frame: Total frame length: 134 bytes
Frame: Capture frame length: 134 bytes
Frame: Frame data: Number of data bytes remaining = 134 (0x0086)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000BCDAFC9E3
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 000F24ABEFC0
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 134 (0x0086)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 120 (0x0078)
IP: ID = 0x0; Proto = UDP; Len: 120
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 120 (0x78)
IP: Identification = 0 (0x0)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 58 (0x3A)
IP: Protocol = UDP - User Datagram
IP: Checksum = 0xAF49
IP: Source Address = 193.0.14.129
IP: Destination Address = 192.168.1.2
IP: Data: Number of data bytes remaining = 100 (0x0064)
UDP: Src Port: DNS, (53); Dst Port: Unknown (1179); Length = 100 (0x64)
UDP: Source Port = DNS
UDP: Destination Port = 0x049B
UDP: Total length = 100 (0x64) bytes
UDP: UDP Checksum = 0x7342
UDP: Data: Number of data bytes remaining = 92 (0x005C)
DNS: 0xA3E:Std Qry Resp. Auth. NS is . of type SOA on class INET addr.
DNS: Query Identifier = 2622 (0xA3E)
DNS: DNS Flags = Response, OpCode - Std Qry, AA Bits Set, RCode - No error
DNS: 1............... = Response
DNS: .0000........... = Standard Query
DNS: .....1.......... = Server authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........0....... = No recursive queries
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 0 (0x0)
DNS: Name Server Count = 1 (0x1)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: . of type Host Addr on class INET addr.
DNS: Question Name: .
DNS: Question Type = Host Address
DNS: Question Class = Internet address class
DNS: Authority Section: . of type SOA on class INET addr.
DNS: Resource Name: .
DNS: Resource Type = Start of zone of authority
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 64 (0x40)
DNS: Primary Name Server: a.root-servers.net.
DNS: Responsible Authorative Mailbox: nstld.verisign-grs.com.
DNS: Version number = 2005020801 (0x77823081)
DNS: Refresh Interval = 1800 (0x708)
DNS: Retry interval = 900 (0x384)
DNS: Expiration Limit = 604800 (0x93A80)
DNS: Minimum TTL = 86400 (0x15180)
00000: 00 0B CD AF C9 E3 00 0F 24 AB EF C0 08 00 45 00 ....$..E.
00010: 00 78 00 00 40 00 3A 11 AF 49 C1 00 0E 81 C0 A8 .x..@.:.I..
00020: 01 02 00 35 04 9B 00 64 73 42 0A 3E 84 00 00 01 ...5.?.dsB.>?...
00030: 00 00 00 01 00 00 00 00 01 00 01 00 00 06 00 01 ................
00040: 00 01 51 80 00 40 01 61 0C 72 6F 6F 74 2D 73 65 ..Q..@.a.root-se
00050: 72 76 65 72 73 03 6E 65 74 00 05 6E 73 74 6C 64 rvers.net..nstld
00060: 0C 76 65 72 69 73 69 67 6E 2D 67 72 73 03 63 6F .verisign-grs.co
00070: 6D 00 77 82 30 81 00 00 07 08 00 00 03 84 00 09 m.w?0.......?..
00080: 3A 80 00 01 51 80 :?..Q?
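To see exactly what those two frames carry without Network Monitor, here is an added example (not part of Howard's post or of any Microsoft tool) that decodes the two DNS messages from the hex dumps above. The two byte strings are the UDP payloads transcribed from frame 165 (the query dns.exe sent) and frame 163 (a reply from 193.0.14.129); the parser and the helper `is_root_a_query` are written for this example.

```python
import struct

# UDP payload of frame 165 as transcribed from the Network Monitor dump above.
QUERY_HEX = (
    "3a7e"                        # Query Identifier 0x3A7E
    "0000"                        # flags: QR=0, opcode 0, RD=0 (iterative query)
    "0001" "0000" "0000" "0000"   # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    "00"                          # QNAME: one empty label, i.e. the root "."
    "0001"                        # QTYPE A (Host Address)
    "0001"                        # QCLASS IN
)

# UDP payload of frame 163: authoritative reply, no answer, root SOA in authority.
RESPONSE_HEX = (
    "0a3e" "8400"                 # ID 0x0A3E; flags QR=1, AA=1, RCODE 0
    "0001" "0000" "0001" "0000"   # one question, no answers, one authority RR
    "00" "0001" "0001"            # question: ".", A, IN
    "00" "0006" "0001"            # authority RR: ".", SOA, IN
    "00015180"                    # TTL 86400
    "0040"                        # RDLENGTH 64
    "0161"                                  # MNAME: "a"
    "0c" "726f6f742d73657276657273"         #        "root-servers"
    "03" "6e6574" "00"                      #        "net", root
    "05" "6e73746c64"                       # RNAME: "nstld"
    "0c" "766572697369676e2d677273"         #        "verisign-grs"
    "03" "636f6d" "00"                      #        "com", root
    "77823081" "00000708" "00000384" "00093a80" "00015180"  # serial, refresh, retry, expire, minimum
)

FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7}
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA"}


def read_name(msg, off):
    """Decode a wire-format name at `off`; return (dotted name, offset after it).
    RFC 1035 compression pointers are followed (these frames use none)."""
    labels = []
    end = None                          # offset after the name, once known
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa(msg, off):
    mname, off = read_name(msg, off)
    rname, off = read_name(msg, off)
    serial, refresh, retry, expire, minimum = struct.unpack("!5I", msg[off:off + 20])
    return {"mname": mname, "rname": rname, "serial": serial, "refresh": refresh,
            "retry": retry, "expire": expire, "minimum": minimum}


def parse_message(msg):
    """Parse a DNS message into header fields and its four sections."""
    xid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": xid,
        "flags": {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()},
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "questions": [], "answers": [], "authority": [], "additional": [],
    }
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPE_NAMES.get(qtype, qtype), qclass))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = parse_soa(msg, off) if rtype == 6 else msg[off:off + rdlen]
            off += rdlen
            out[section].append((name, TYPE_NAMES.get(rtype, rtype), ttl, rdata))
    if off != len(msg):
        raise ValueError(f"trailing bytes: parsed {off} of {len(msg)}")
    return out


def is_root_a_query(parsed):
    """The pattern in the thread: a question for the root name itself, type A.
    A resolver priming its cache asks the root for the NS set of ".", not for
    an A record, so a steady stream of these is worth alerting on."""
    return (not parsed["flags"]["QR"]) and parsed["questions"] == [(".", "A", 1)]


if __name__ == "__main__":
    for label, hexdata in (("frame 165", QUERY_HEX), ("frame 163", RESPONSE_HEX)):
        p = parse_message(bytes.fromhex(hexdata))
        print(label, hex(p["id"]), p["flags"], p["questions"], p["authority"])
```

Two things the decode makes visible: the reply has no answer section, only the root SOA in the authority section, which is how a server says the name exists but has no A record (a NODATA reply); and the IDs differ (0x3A7E versus 0x0A3E), so frame 163 is the reply to an earlier identical query, not to frame 165, which is consistent with the server sending these back to back.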
 
Howard Ambler said:
<snip>

One of your clients may have an incorrect DNS suffix in the DNS suffix
search list.
Incorrect in the fact that the DNS suffix is appended by the DNS client. If
you don't have a zone for the DNS suffix being appended, the DNS server will
forward or use recursion to find the authoritative DNS server for this DNS
suffix.

Running ipconfig /all from a command prompt will list the DNS suffixes being
appended. The DNS suffix search list is pulled from the Primary and
Connection-specific DNS suffix, or it can be manually configured.
 

To add, this can be caused by a single label name lookup. If AD is
configured with a single label name, this can cause this as well, hence why
W2kSP4 and later OS will not register into DNS to avoid the excessive Root
lookups.

I can't tell by the netmon capture if this is the case, nor did Howard
provide any configuration information about his system, since all I see is
the dot (".") lookup in the query request in the capture, therefore that is
why I base this assumption.

For Howard, a single label name example is:
"domain"

And a proper formed name is:
"domain.net", "domain.com", etc.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
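To make the suffix-search-list point concrete, here is an added example (not from Ace's post, and not the Windows resolver's actual code) that models, in simplified form, how a client expands a typed name with its suffix search list and which of the resulting names a DNS server holding the given zones can answer itself rather than by recursion. Only silverscreendvddom.com comes from the thread; the other suffixes and zones are constructed, and the function names are hypothetical.

```python
# Simplified model of Windows DNS client suffix appending, for illustration.

def expand_name(name, search_list):
    """Fully qualified candidates, in the order the client tries them.
    - a name ending in '.' is already qualified and is sent as-is;
    - a single-label name ("domain", "fileserver") is never sent bare: each
      suffix from the search list is appended in turn;
    - a dotted but unqualified name is tried as-is first, then with suffixes.
    Simplification: devolution of the primary suffix is not modelled."""
    if name.endswith("."):
        return [name.lower()]
    suffixed = [f"{name}.{suffix.strip('.')}.".lower() for suffix in search_list]
    if "." in name:
        return [name.lower() + "."] + suffixed
    return suffixed


def authoritative_zone(fqdn, zones):
    """Longest configured zone that contains fqdn, or None if the server holds
    no such zone and would have to recurse (root hints or forwarders)."""
    best = None
    for zone in zones:
        zone = zone.strip(".").lower() + "."
        if fqdn == zone or fqdn.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def classify_lookup(name, search_list, zones):
    """For each candidate FQDN: (fqdn, zone that answers it) or (fqdn, 'RECURSE')."""
    return [(fqdn, authoritative_zone(fqdn, zones) or "RECURSE")
            for fqdn in expand_name(name, search_list)]


def names_that_leave_the_server(name, search_list, zones):
    """Candidate names the server cannot answer from its own zones; these are
    the lookups that become outbound traffic to forwarders or root hints."""
    return [fqdn for fqdn, where in classify_lookup(name, search_list, zones)
            if where == "RECURSE"]


if __name__ == "__main__":
    zones = ["silverscreendvddom.com"]                      # the one zone Howard has
    stale_list = ["silverscreendvddom.com", "oldcorp.local"]  # constructed: a stale extra suffix
    for typed in ("fileserver", "www.example.com"):
        for fqdn, where in classify_lookup(typed, stale_list, zones):
            print(f"{typed:16} -> {fqdn:45} {where}")
```

Run with a suffix the server has no zone for, every single-label lookup from that client produces one outbound recursive lookup, which is the mechanism Ace describes; comparing the client's `ipconfig /all` search list against the server's zone list is the quick check.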
 
Yesterday this behaviour stopped altogether and then started again at 8am
this morning. I am even more baffled.

Our domain name is silverscreendvddom.com; our NetBIOS domain name is
SILVERSCREENDVD.

The AD zone is configured as silverscreendvddom.com

The suffix in ipconfig is below

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : silscrs01
Primary DNS Suffix . . . . . . . : silverscreendvddom.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : silverscreendvddom.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-AF-C9-E3
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.2

I've been through article
http://support.microsoft.com/default.aspx?scid=kb;en-us;300684 but to no
avail.

Thanks


 
Howard Ambler said:
<snip>

Thanks for posting that info. Looks good.

Can you determine exactly what name is being queried?

Also, are you using a forwarder? That should eliminate it on your end, but
then again, we would like to see exactly what is being queried.

Ace
 
The query is the same as the original posting.

I have attached the relevant bit from the DNS log..........

Snd 192.58.128.30 25c9 Q [0000 NOERROR] (0)
UDP question info at 00EC964C
Socket = 400
Remote addr 192.58.128.30, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x0011 (17)
Message:
XID 0x25c9
Flags 0x0000
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:

Rcv 192.58.128.30 3d9c R Q [0084 A NOERROR] (0)
UDP response info at 00F204DC
Socket = 400
Remote addr 192.58.128.30, port 53
Time Query=1095627, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x005c (92)
Message:
XID 0x3d9c
Flags 0x8400
QR 1 (response)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x1
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
Offset = 0x0011, RR count = 0
Name "(0)"
TYPE SOA (6)
CLASS 1
TTL 86400
DLEN 64
DATA
PrimaryServer: (1)A(12)ROOT-SERVERS(3)NET(0)
Administrator: (5)NSTLD(12)VERISIGN-GRS(3)COM(0)
SerialNo = 2005020701
Refresh = 1800
Retry = 900
Expire = 604800
MinimumTTL = 86400
ADDITIONAL SECTION:
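For anyone triaging the same symptom from the DNS debug log rather than a packet capture, here is an added example (not from the thread and not a Microsoft tool) that parses the summary lines of the Windows 2000 DNS log in the format Howard pasted and counts the outbound queries whose question name is the root, per remote server. The sample log is constructed for the example; only 192.58.128.30 comes from the thread, and the other addresses and the www.example.com lookup are made up.

```python
import re
from collections import Counter

# Constructed sample in the summary-line format of the Windows 2000 DNS debug
# log: "Snd|Rcv <remote addr> <xid> [R] Q [<flags> <rcode>] <name>".
# Indented detail lines (as in the real log) are present and ignored.
SAMPLE_LOG = """\
Snd 192.58.128.30 25c9 Q [0000 NOERROR] (0)
  UDP question info at 00EC964C
  Socket = 400
Rcv 192.58.128.30 3d9c R Q [0084 A NOERROR] (0)
Snd 192.58.128.30 25ca Q [0000 NOERROR] (0)
Snd 192.58.128.30 25cb Q [0000 NOERROR] (0)
Rcv 192.168.1.50 0123 Q [0001 D NOERROR] (3)www(7)example(3)com(0)
Snd 203.0.113.53 0124 Q [0000 NOERROR] (3)www(7)example(3)com(0)
Rcv 203.0.113.53 0124 R Q [8080 NOERROR] (3)www(7)example(3)com(0)
Snd 192.168.1.50 0123 R Q [8081 DR NOERROR] (3)www(7)example(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<dir>Snd|Rcv)\s+(?P<addr>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+"
    r"(?P<resp>R\s+)?Q\s+\[(?P<flags>[0-9a-fA-F]{4})\s+"
    r"(?:(?P<fl>[A-Z]+)\s+)?(?P<rcode>[A-Z]+)\]\s+(?P<name>\S+)\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_log_name(token):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com.'; '(0)' -> '.' (the root)."""
    labels = [text for count, text in LABEL_RE.findall(token) if int(count) > 0]
    return ".".join(labels) + "."


def parse_log(text):
    """One dict per summary line; detail lines do not match and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "dir": m["dir"],
            "addr": m["addr"],
            "xid": int(m["xid"], 16),
            "response": m["resp"] is not None,   # "R" marks a response packet
            "flags": m["flags"],                  # kept as logged, not interpreted
            "rcode": m["rcode"],
            "name": decode_log_name(m["name"]),
        })
    return events


def root_name_queries_sent(events):
    """Outbound queries (Snd, not a response) whose question name is the root,
    counted per remote server. A caching server should send very few of these."""
    return Counter(e["addr"] for e in events
                   if e["dir"] == "Snd" and not e["response"] and e["name"] == ".")


def suspicious_targets(events, threshold):
    """Remote servers that received at least `threshold` root-name queries in
    the excerpt. Choose the threshold from the excerpt's time span; a sustained
    rate like the ~300/s Greg reports is far above anything legitimate."""
    counts = root_name_queries_sent(events)
    return sorted(addr for addr, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(root_name_queries_sent(evts))
    print(suspicious_targets(evts, threshold=2))
```

The summary line does not carry the query type (that appears only in the detail block, as the `QTYPE A (1)` line above), so the count is keyed on the name alone; in practice any outbound query whose name is bare `(0)` deserves a look.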



 
Howard Ambler said:
<snip>

This one looks as if it has an empty message (query):

The previous ones in your original post were querying a root server:
Name: j.root-servers.net
Address: 192.58.128.30

It seems it's baffling me. I remember there was someone else with the same
issue 4-5 months ago, but I cannot remember what transpired. You said it
started at 8:00 am? Does that coincide with users logging on and beginning
to work?

If that is the case, is there any way you can pinpoint (netmon) what client
machine it's coming from? Look for a query for a dot zone (for starters).

Can I assume you have Secure Cache enabled under DNS properties?

Any errors in your Event log(s)?


Ace
 
Secure cache enabled.

No errors in error log.

It started again today about 9.30 again, but didn't happen at all yesterday.

I can't see any inbound DNS queries on Network Monitor unless it's
originating from somewhere else?

I'll see if there's any other suspicious traffic.

Howard

 
Howard Ambler said:
<snip>

Inbound traffic? You mean from the outside world to your DNS server? I was
thinking something internally querying. If this DNS is just for internal
use, and you have a firewall, have you disallowed inbound traffic, but
allowed 'established' connections? (That is the setting in a Cisco IP access
list to allow inbound responses only if originated from the internal
subnet).

Ace
 
To clarify,

There is no DNS traffic inbound from the LOCAL network to the DNS server.

It does indeed seem all the queries are being generated by the server
itself.

Again it has stopped for the last two days.

As I can't link it to client activity I can't work out why it only happens
during the working day and not every day.

The only thing I can think of is that some other service is being triggered
by something on the network which uses DNS excessively to do with security
etc.

Howard

 
Howard Ambler said:
<snip>

I don't remember if I asked, and this thread is getting longer to search
back, but what zones are created in DNS?

Do you have a forwarder configured?

Ace
 
One zone created:

silverscreendvddom.com

Forwarders are configured, it happens whether forwarders are configured or
not.

I think this article may be the culprit however (it fits with the strange
behaviour) and I am just waiting for the MS fix now.

http://support.microsoft.com/?kbid=873441

I'll post on my findings, although I'm not sure if this will sort it out.

Thanks for the help thus far.

Howard



 
Howard Ambler said:
<snip>

You are welcome. Please do post back if that fixed it.

Ace
 
Was there a result?

We are having similar problems. We are running caching DNSs using Windows
2000 SP4 DNS. There is a lot of traffic (30+% = ~300 requests/second) that
is queried going to/from one of the root servers. The question section is
empty as per the Netmon trace in original post of the 9/Feb/2005. There
seems to be an affinity for the f.root-server but if that server is
temporarily made unreachable another one is used.

Background: We are an internet service provider running internet reachable
caching DNSs for our customers. This problem does not arise with BIND 8.4.6
but BIND is slower due to single threading (even in V9) so we have to switch
to W2K DNS. The machines are HP DL360s, dual CPU. There are both public and
private LANs with the servers on a 2K3 Active directory. The front end has
no DNS suffix.

Greg.
 
Greg said:
<snip>

Hi Greg,

Other than having a single label domain name (which may have a factor with
this), have you looked into this free hotfix?

http://support.microsoft.com/?kbid=873441


--
Regards,
Ace

 