Port 53 on our Firewall

Barry Scheelar (Work)

I have been watching traffic on my firewall recently and have been seeing
some things that cause me some concern. We have 2 internal DNS servers that we
allow to make external requests; we then have 28 internal servers that are
all set to forward requests to our 2 main internal ones. Recently, however, I
have noticed various servers trying to make requests to external sites; they
are translated as a.root-server.net, b.root-server.net, c.root-server.net,
etc., or IP 192.33.4.12 and 128.9.0.107. My first thought was this was some
kind of virus/worm/trojan, but I could find nothing on the net that matched
this behavior and all our AV stuff is up to date. The requests are always
being made on UDP port 53 and the firewall is denying them, but this adds
a lot of useless info to my logs.

Can someone tell me what is going on and how to stop it?

Thank you in advance
Barry
 
BSW> Can someone tell me what is going on and how to stop it?

Your servers are behaving normally in the face of an unresponsive
forwardee. To "stop" this, either make your forwardee work more
quickly or reconfigure your forwarders so that they _only_ forward
and do not ever attempt to perform query resolution themselves.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-proxy.html#Microsoft>

I also suggest, since your first thought upon seeing a DNS server
trying to send queries to ICANN's "." content DNS servers was to
look for a worm or a trojan, a refresher visit to the "Understanding
DNS" section of the product documentation. (-:

<URL:http://www.microsoft.com/technet/pr...server/sag_DNS_und_HowDnsWorks.asp?frame=true>
 
Those are root DNS servers. You should see this from your two
internal DNS servers.

Make sure none of the other machines are running a DNS server.

 

That is your other DNS servers using their root hints; you can ignore it or,
on the Forwarders tab, check the "Do not use recursion" box. That basically
disables DNS from using root hints and forces them to use the forwarders.
 
Those are the root hints on the Internet. These are required for DNS to function normally for Internet name resolution.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
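
As an added example (not part of any post in this thread), the script below summarises firewall log lines to show which internal hosts, other than the two approved resolvers, are sending port 53 traffic out, and whether they only target the root server addresses quoted in the question. The log line layout, the internal 10.x addresses and the non-root destinations are constructed assumptions; only 192.33.4.12 and 128.9.0.107 come from the thread.

```python
import re
from collections import defaultdict

# Assumptions (not from the thread): log layout and internal addresses.
APPROVED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}  # the 2 servers allowed out
ROOT_HINT_IPS = {"192.33.4.12", "128.9.0.107"}   # addresses quoted in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log, including one malformed line and one non-DNS line.
SAMPLE_LOG = """\
2004-03-01 10:15:02 DENY UDP 10.0.1.17:1045 -> 192.33.4.12:53
2004-03-01 10:15:02 ALLOW UDP 10.0.0.10:1030 -> 192.33.4.12:53
2004-03-01 10:15:04 DENY UDP 10.0.1.17:1045 -> 128.9.0.107:53
2004-03-01 10:16:40 DENY UDP 10.0.2.5:1099 -> 203.0.113.9:53
2004-03-01 10:17:11 DENY TCP 10.0.1.22:2210 -> 198.51.100.4:80
malformed line that the parser must skip
2004-03-01 10:18:30 DENY UDP 10.0.1.23:1051 -> 192.33.4.12:53
"""

def summarize_direct_dns(log_text):
    """Return {src_ip: {"root": n, "other": n}} for port-53 traffic sent by
    hosts that are not approved resolvers."""
    hits = defaultdict(lambda: {"root": 0, "other": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue  # unparseable or not DNS
        if m["src"] in APPROVED_RESOLVERS:
            continue  # expected traffic from the two main servers
        bucket = "root" if m["dst"] in ROOT_HINT_IPS else "other"
        hits[m["src"]][bucket] += 1
    return dict(hits)

def classify(counts):
    """Root-only traffic matches a forwarder falling back to root hints;
    any other destination is not explained by that and needs a separate look."""
    return "root-hints fallback" if counts["other"] == 0 else "review"

if __name__ == "__main__":
    for src, c in sorted(summarize_direct_dns(SAMPLE_LOG).items()):
        print(f"{src:<12} root={c['root']} other={c['other']} -> {classify(c)}")
```

Hosts reported as "root-hints fallback" are the ones to check for a running DNS service and for the "Do not use recursion" setting described in the replies above.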
 