Identifying Source of UDP Queries to DNS

Chad

Apr 7, 2004
Archived from groups: microsoft.public.windowsnt.protocol.tcpip

I posted this question on the DNS newsgroup, but since a
large part of my question is protocol related, I am
posting it here as well, but with a different description
and focus. Here is the problem:

A few times each week, my DNS server stops functioning due
to receiving more UDP Queries than it can respond to. The
DNS Manager reports UdpQueries as consistently being
higher than the UdpResponses. I guess you could say it
looks like a denial of service attack on my DNS server. I
solve the problem by stopping the Microsoft DNS Server
service for about 5 minutes. When I restart the service,
the problem is gone - providing the UdpQueries and
Responses remain equal.

I would like to identify the source of the UDP Queries
that are causing my DNS server to be unable to serve the
requests of all other PCs on my LAN. Can anyone suggest a
tool I could use to identify the source of these UDP
Queries? I have no experience with Packet analyzers, but
with a little help I am sure I could learn - if that is
the best approach.

Thank you.

-Chad
 
G

Guest

Guest
Archived from groups: microsoft.public.windowsnt.protocol.tcpip (More info?)

"Chad" <anonymous@discussions.microsoft.com> wrote in message
news:176ec01c42171$a8674de0$a001280a@phx.gbl...
> I posted this question on the DNS newsgroup, but since a
> large part of my question is protocol related, I am
> posting it here as well, but with a different description
> and focus. Here is the problem:
>
> A few times each week, my DNS server stops functioning due
> to receiving more UDP Queries than it can respond to. The
> DNS Manager reports UdpQueries as consistently being
> higher than the UdpResponses. I guess you could say it
> looks like a denial of service attack on my DNS server. I
> solve the problem by stopping the Microsoft DNS Server
> service for about 5 minutes. When I restart the service,
> the problem is gone - providing the UdpQueries and
> Responses remain equal.
>
> I would like to identify the source of the UDP Queries
> that are causing my DNS server to be unable to serve the
> requests of all other PCs on my LAN. Can anyone suggest a
> tool I could use to identify the source of these UDP
> Queries? I have no experience with Packet analyzers, but
> with a little help I am sure I could learn - if that is
> the best approach.
>
> Thank you.
>
> -Chad

The simplest answer I can offer off the top of my head would be to install a
software-based firewall or hardware, and set the log option to watch
everything that goes through your service; if you have one perpetual
offender, add them to the blocked list.

Martin
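Martin's logging approach shows per-source counts for traffic that crosses the firewall; a packet capture on the DNS server's own LAN segment gives the same view for queries that never leave the LAN. As an added example (not from this thread), this Python script takes captured UDP/53 datagrams as (source IP, payload) pairs, reads the DNS header's QR bit to separate queries from responses, counts queries per source, and flags any host sending more than a set share of them. The sample datagrams and the 10.1.1.x addresses are constructed.

```python
import struct
from collections import Counter

def build_dns_datagram(txid, qname, flags=0x0100):
    """Build a minimal DNS datagram with one question and no answers (constructed sample data)."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_dns(payload):
    """Return (is_response, qname) from a raw DNS datagram, or None if malformed."""
    if len(payload) < 12:
        return None
    flags = struct.unpack(">H", payload[2:4])[0]
    is_response = bool(flags & 0x8000)  # QR bit: 0 = query, 1 = response
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(payload):  # compression pointer or truncated name
            return None
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return is_response, ".".join(labels)

def top_query_sources(datagrams, share_threshold=0.5):
    """Count queries (QR=0) per source IP and flag any source above share_threshold of the total."""
    counts = Counter()
    for src, payload in datagrams:
        parsed = parse_dns(payload)
        if parsed is None or parsed[0]:  # skip malformed datagrams and responses
            continue
        counts[src] += 1
    total = sum(counts.values())
    flagged = [s for s, n in counts.most_common() if total and n / total >= share_threshold]
    return counts, flagged

# Constructed sample: one LAN host sending 40 queries, four hosts sending one each,
# plus one response from the server (must not be counted as a query).
SAMPLE = [("10.1.1.20", build_dns_datagram(i, "www.example.com")) for i in range(40)]
SAMPLE += [("10.1.1.%d" % (30 + i), build_dns_datagram(100 + i, "mail.example.com")) for i in range(4)]
SAMPLE.append(("10.1.1.1", build_dns_datagram(5, "www.example.com", flags=0x8180)))

if __name__ == "__main__":
    counts, flagged = top_query_sources(SAMPLE)
    print(counts.most_common(), "suspected flood source(s):", flagged)
```

On a live capture the (source IP, payload) pairs come from the UDP packets to port 53 that the analyzer records; the threshold is a starting point and should be compared against the server's normal per-client query share.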

Chad


Thank you for your suggestion, Martin. I guess my Cisco
PIX firewall could provide some valuable information and I
will take a look at the logs there. My concern is that if
the problem is on my LAN, the traffic would likely not be
passing through my firewall since those PCs are inside of
the Firewall. If the UDP queries don't pass through the
Firewall, then obviously they would not be logged. If I
misunderstood your suggestion, please let me know.

Thanks again for your thoughts.

-Chad

> The simplest answer I can offer off the top of my head
> would be to install a software-based firewall or hardware,
> and set the log option to watch everything that goes
> through your service; if you have one perpetual
> offender, add them to the blocked list.
>
> Martin