DNS Hijacked?
May 26th, 2005, 03:13 PM
#1
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
I was getting a lot of DNS traffic going out of my network, to the point that it was bringing everything to a crawl. I stopped the DNS server service on my primary DNS server while leaving the backup up. That seemed to have fixed the problem. Now, though, I need to get my primary DNS fixed because I can't leave it down all the time.
Any suggestions on how to clear this up? I ran Spybot but that did not help.
Thanks for any help.
__________________
"Life moves pretty fast, if you don't stop to look around once in a while, you could miss it." -FB
May 26th, 2005, 08:29 PM
#2
Ultimate Member
Join Date: Jun 2004 Location: Indianapolis, Indiana
Posts: 1,398
Why are you running a DNS server at your home? Do you have that many systems that you have to have DNS services running?
__________________
Logic shall prevail.
May 26th, 2005, 08:50 PM
#3
Ultimate Member
Join Date: Apr 2003 Location: Texas
Posts: 1,292
Maybe he is not at home... I know I would not have a backup DNS server for my house.
May 26th, 2005, 08:57 PM
#4
Ultimate Member
Join Date: Jun 2004 Location: Indianapolis, Indiana
Posts: 1,398
Well, if this is a large enough business to require both primary and backup DNS servers, then wouldn't it make sense that someone else there would have the technical know-how to resolve this issue? Perhaps he should contact this other person at his organization and see if they can resolve it since they are likely more familiar with the network than anyone on TechIMO is.
May 26th, 2005, 09:28 PM
#5
Not Really a Member
Join Date: Oct 2001
Posts: 25,385
If he's running this for a business, it's very likely he's using Active Directory, which demands DNS for internal communication.
In this case it's very important to have a backup DNS server, as even simple stuff like opening your mail will fail if he loses DNS.
Anyways.
I don't think spyware will be your issue, seeing as I *hope* nobody is surfing the net on a network DNS server.
If it's a Windows box, reinstall the latest SP and all of the hotfixes.
Run an antivirus to make sure you didn't get hit by a worm.
Maybe run netstat -n and see what ports are open.
There should not be anything besides the normal.
I believe it would be something like 135, 139, 445, 53... if there are any others, post them so we can check.
__________________
Helicopters don't fly; they vibrate so much and make so much noise that the earth rejects them.
May 27th, 2005, 12:07 AM
#6
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
vass0922... I did not think about netstat, thank you, I will try that.
Yes, this is for my work and I am running a Windows 2000 domain with AD. Good thing I did have the backup DNS, because no one would be getting email or anything right now. I have a computer running Ethereal right at my gateway and the captured packets are mostly DNS stuff. It is going to take me some time to weed through all the info. It is not just one site it is going to. I have also run HijackThis and antivirus software, which did not come up with anything. Also, all of my servers are in a locked room and I do all of my admin stuff from my desk.
I was just curious if anyone has come across a situation like this before. I guess I will just have to keep plugging away at it. Hopefully I can get it resolved tomorrow. I hate running on just one DNS server.
Thanks for the replies.
May 27th, 2005, 01:16 AM
#7
Ultimate Member
Join Date: Jun 2004 Location: Indianapolis, Indiana
Posts: 1,398
Could it possibly be a DDoS attack on your DNS servers? Has your organization received any threats regarding network services? Maybe someone out there has an army of zombie systems hitting your DNS server for some reason. It's also possible that someone out there mis-published their own DNS server data and listed your addresses instead. If a large ISP were to do this, that could create some serious traffic issues for you. Sorry I'm not being much help; I am not extremely familiar with this stuff, so I'm trying to think of what could be causing this based on the limited knowledge base I do have.
May 27th, 2005, 02:29 AM
#8
Ultimate Member
Join Date: Oct 2001 Location: Reno, NV
Posts: 1,623
My firewall does not allow incoming DNS and it blocks all DDoS attacks. It is my internal server that is the problem. With the DNS server service turned on, that is when it goes crazy. When the service is stopped, everything returns to normal. It all started on Tuesday of this week. I am gonna have to go back through all my firewall logs to see if there is anything that looks suspicious.
I am also not sure if anyone has seen a DNS server just go crazy for no reason. I am sure it is very rare, if possible at all. But it is stuff like this that keeps my job interesting.
May 27th, 2005, 03:56 AM
#9
Member
Join Date: Jul 2004 Location: U.S.
Posts: 170
Are the DNS requests all internal? If so, try increasing the DNS timeout on the client side. It's possible the clients aren't getting a response in a timely manner, which causes them to query the server repetitively. Sometimes this issue can be caused by one machine. If your office doesn't contain a large number of machines, try shutting them down one by one, and then test to see if the issue goes away. You may be able to find the offending machine this way. This would not occur with the backup DNS if the server has a different IP and the client is able to gain a response in a timely manner.
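An added example (not code from the thread or from any poster): a small script that aggregates a text export of captured DNS traffic, like the Ethereal capture the original poster is weeding through in post #6, and flags the retry pattern post #9 describes (one client re-asking for the same name again and again). The four-column export format, the addresses and the names are assumed and constructed for the demo.

```python
"""Rank DNS clients from a capture export and flag retry bursts (added example)."""
from collections import Counter

# Constructed sample export, one query per line: time client server name.
# Format and values are assumed for this example, not taken from the thread.
SAMPLE_CAPTURE = """\
09:00:01.000 192.168.1.20 192.168.1.5 mail.example.local
09:00:01.010 192.168.1.20 192.168.1.5 mail.example.local
09:00:01.020 192.168.1.20 192.168.1.5 mail.example.local
09:00:01.500 192.168.1.31 192.168.1.5 dc01.example.local
09:00:02.000 192.168.1.20 192.168.1.5 mail.example.local
09:00:02.300 192.168.1.44 192.168.1.5 www.example.com
09:00:02.310 192.168.1.20 192.168.1.5 mail.example.local
"""


def parse_queries(text):
    """Yield (timestamp, client, server, name) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def to_seconds(ts):
    """Convert HH:MM:SS.fff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def rank_clients(text, top=5):
    """Queries per source IP, busiest first: the top talker is the machine to look at."""
    return Counter(q[1] for q in parse_queries(text)).most_common(top)


def rank_names(text, top=5):
    """Queries per looked-up name, busiest first."""
    return Counter(q[3] for q in parse_queries(text)).most_common(top)


def retry_bursts(text, window=1.0, threshold=3):
    """Flag (client, name) pairs asked >= threshold times within `window` seconds.
    Returns {(client, name): peak_count}; that pattern is a client retrying."""
    state = {}    # (client, name) -> (burst start time, count so far)
    flagged = {}
    for ts, client, _server, name in parse_queries(text):
        t, key = to_seconds(ts), (client, name)
        start, count = state.get(key, (t, 0))
        if t - start > window:        # too long since the burst began: start over
            start, count = t, 0
        count += 1
        state[key] = (start, count)
        if count >= threshold:
            flagged[key] = max(flagged.get(key, 0), count)
    return flagged
```

Run against a real export, the first IP from rank_clients and any key in retry_bursts point at the host to check before the whole office is powered down one machine at a time.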
May 27th, 2005, 05:33 AM
#10
Supporting our military
Join Date: Oct 2002 Location: Bottom left of U.S.
Posts: 9,197
Check for trojans with The Cleaner.
Update the definitions first.
Bill
__________________
*****
It is easy to be conspicuously "compassionate" if others are being forced to pay the cost. – Murray N. Rothbard