icmp traffic between workstations and DNS server

[jim Slifko]

I have been sniffing our networks lately to detect any
workstations that may still be affected by Blaster and
Welchia. I am noticing a large amount of icmp traffic
between the workstations and our DNS servers. Is this
normal? If so what is the purpose? We have access lists on
all of our routers to prevent icmp traffic. If
workstations need to ping the DNS boxes, what effect will
these access lists have on our DNS ability. We don't seem
to be suffering because of this.

 

[Marc Reynolds [MSFT]]

Hi Jim,

Are the DNS servers also DCs? If so what you are seeing could be slow link
detection. See 227260 How a Slow Link Is Detected for Processing User
Profiles and Group Policy
http://support.microsoft.com/?id=227260

Thanks,
Marc Reynolds
Microsoft Technical Support

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Herb Martin]

I have been sniffing our networks lately to detect any
workstations that may still be affected by Blaster and
Welchia. I am noticing a large amount of icmp traffic
between the workstations and our DNS servers. Is this
normal?

We don't know -- you would have needed to baseline the
network before hand when you new it was still fresh and
unsullied BUT...

There is no reason for DNS clients and servers to be doing
this unless they are doing something else (authorized or
unauthorized.)

If so what is the purpose? We have access lists on
all of our routers to prevent icmp traffic. If
workstations need to ping the DNS boxes, what effect will
these access lists have on our DNS ability. We don't seem
to be suffering because of this.

DNS uses mostly UDP port 53 on the server, (no ICMP), and
some TCP port 53 on the server side. (Zone transfers and large
messages may use TCP.)

 

[Jonathan de Boyne Pollard]

jS> I am noticing a large amount of icmp traffic
jS> between the workstations and our DNS servers.

You are conflating a service with the machine that runs the server process(es)
that provide that service.

jS> Is this normal?

In the absence of clairvoyance, how can we tell ? ICMP isn't normally
involved in the DNS protocol. But there's no evidence that you have given to
us indicating that this traffic has anything to do with DNS service. You
haven't even told us what this ICMP traffic actually _is_. Is it "destination
unreachable" ? ... "echo request" ? ... "time exceeded" ? ... "source quench"
? ...

 

[Jim]

No need to be rude Johnny. Funny, but someone else got the
jist of my question and acctually provided some usefull
info. Must be nice to have so much time on your hands that
you can try to intimidate others in newsgroups with your
mighty knowledge.

-----Original Message-----
jS> I am noticing a large amount of icmp traffic
jS> between the workstations and our DNS servers.

You are conflating a service with the machine that runs the server process(es)
that provide that service.

jS> Is this normal?

In the absence of clairvoyance, how can we tell ? ICMP isn't normally
involved in the DNS protocol. But there's no evidence that you have given to
us indicating that this traffic has anything to do with DNS service. You
haven't even told us what this ICMP traffic actually _is_. Is it "destination
unreachable" ? ... "echo request" ? ... "time

exceeded" ? ... "source quench"

 

[jim]

Thanks, I'll look at that.