Question : Excessive outgoing DNS requests

We are running a W2K Domain in our office.  We have been getting excessive traffic coming in from a range of Earthlink DNS servers, eating up some of our bandwidth.  After working with an Earthlink engineer, we discovered (to my surprise, of course) that the cause of the traffic was excessive DNS requests from our private network, which the Earthlink servers were responding to.  Most of the outgoing traffic (and there's way more than normal) seems to be coming from our PDC, which all of the PCs on the private network use as their primary DNS.  We have about 100 machines and two DCs on our LAN.

I need help trying to figure out why this is happening.  I don't know where or how to begin trying to track this down.  Can anyone guide me through some troubleshooting?  Arrggghhh.....

Answer : Excessive outgoing DNS requests

I would recommend using the native Windows 2000 Server "Network Monitor" tool for a simple packet dump.  This utility should be available for installation directly from the installation CD.  If you would prefer a more robust and free tool, try www.ethereal.org.

Please be aware that many recent viruses block or disable antivirus software to avoid detection. I would suggest network-wide use of Network Associates' Stinger tool, found at: http://vil.nai.com/vil/stinger/. Most of these viruses do not recognize the Stinger tool, therefore, they cannot disable it.

Many mass-mailing viruses will typically utilize direct-to-MX SMTP connections to avoid any spam filtering on the outgoing mail server.  If this is not the case, you stand a good chance of monitoring the spread of the virus by looking at your mail server logs.  If you are seeing excessive undeliverable messages being returned to your company mail server, in which the original message headers indicate the messages were sent through your server, you can assume that you have an infected computer on your network.  (Sorry if that sentence was confusing)

If you are using a managed switch within your network, you could open a terminal session and review the "top-talkers" to find out which leg of the network is utilizing the most network bandwidth.  In some cases, the hardware may be able to break down usage by port (e.g. SMTP 25).

Try using Microsoft Baseline Security Analyzer (MBSA) to scan the entire network to ensure that all client and server OSes are patched. www.microsoft.com/mbsa

Microsoft just recently released version 2 of their network scanning tool called PortQry.exe that could help you scan some of the higher ports (1025+) throughout the network.  Check it out here: http://www.microsoft.com/downloads/details.aspx?familyid=89811747-C74B-4638-A2D5-AC828BDC6983&displaylang=en

Many modern viruses install backdoor Trojans, proxy servers, and/or mail servers on these upper ports. Of course, if you have a Linux box handy I would recommend using nmap instead.

Finally, you could implement QoS policies for certain segments of the network as a temporary solution to any network congestion caused by the viruses.

I hope some of these ideas help.
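To turn the packet dump suggested above into a "top-talkers" list for DNS, here is an added example (not part of the original answer) that ranks which internal hosts are sending the most queries to the PDC and flags the ones dominated by MX lookups. It assumes a tcpdump-style text export of port-53 traffic; the sample capture, the PDC address 192.168.1.1 and the upstream resolver 203.0.113.53 are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# One DNS query line of a tcpdump-style text export (constructed format,
# modelled on "tcpdump -n port 53" output; adapt the pattern to your sniffer).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: "
    r"(?:\d+\+? )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed sample: 192.168.1.1 is the PDC (internal resolver) forwarding to
# 203.0.113.53 (placeholder upstream); .20 behaves normally, .37 does not.
SAMPLE_CAPTURE = """\
10:00:00.001 IP 192.168.1.20.1041 > 192.168.1.1.53: 1+ A? www.example.com.
10:00:00.002 IP 192.168.1.1.1025 > 203.0.113.53.53: 1 A? www.example.com.
10:00:00.003 IP 192.168.1.1.53 > 192.168.1.20.1041: 1 1/0/0 A 192.0.2.10 (47)
10:00:00.010 IP 192.168.1.37.1102 > 192.168.1.1.53: 2+ MX? example.net.
10:00:00.011 IP 192.168.1.1.1025 > 203.0.113.53.53: 2 MX? example.net.
10:00:00.012 IP 192.168.1.37.1103 > 192.168.1.1.53: 3+ MX? example.org.
10:00:00.014 IP 192.168.1.37.1104 > 192.168.1.1.53: 4+ MX? mail.example.com.
10:00:00.016 IP 192.168.1.37.1105 > 192.168.1.1.53: 5+ A? example.edu.
"""


def parse_queries(text):
    """Parse query lines into dicts; responses and other lines are skipped."""
    return [m.groupdict() for m in map(QUERY_RE.match, text.splitlines()) if m]


def top_talkers(records, resolver_ip):
    """Queries each host sent to resolver_ip, busiest first (a Counter)."""
    return Counter(r["src"] for r in records if r["dst"] == resolver_ip)


def suspicious_hosts(records, resolver_ip, max_queries):
    """Hosts that sent more than max_queries, with distinct-name count and
    dominant query type: a flood of MX lookups for many domains is the
    footprint of a mass-mailer delivering direct-to-MX."""
    names, qtypes = defaultdict(set), defaultdict(Counter)
    for r in records:
        if r["dst"] == resolver_ip:
            names[r["src"]].add(r["qname"])
            qtypes[r["src"]][r["qtype"]] += 1
    return [
        {"host": h, "queries": n, "distinct_names": len(names[h]),
         "top_qtype": qtypes[h].most_common(1)[0][0]}
        for h, n in top_talkers(records, resolver_ip).most_common()
        if n > max_queries
    ]
```

Run `suspicious_hosts(parse_queries(SAMPLE_CAPTURE), "192.168.1.1", 3)` on the sample and only 192.168.1.37 is reported; running `top_talkers` with the upstream address instead shows how much of the forwarded load the PDC itself generates.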
