Koozali.org: home of the SME Server

DNSCache/TinyDNS problem

MarkR
DNSCache/TinyDNS problem
« on: August 03, 2004, 02:53:49 PM »
hi all,

I have a problem with my SME server: every now and then the LAN side of the server is not able to surf the net?!? They can access the SME server (SMB, intranet www, etc.) with no probs.

The only thing that I have noticed is that there are a lot of UDP packets from the SME to various IPs (port 53 only) out to the net; after a while it stops and everyone can surf.

If anyone has any ideas, it would be much appreciated.

thanks
mark

cc_skavenger

DNS flood
« Reply #1 on: August 03, 2004, 03:57:37 PM »
I've had this problem also; it has always turned out to be a workstation with a virus. I have been trying to figure out a way to make the DNS a little "stronger" so that it can survive a DNS flood, but no such luck.

MarkR
DNSCache/TinyDNS problem
« Reply #2 on: August 04, 2004, 12:14:32 AM »
thanks cc_skavenger

Is there an easy way to find out which PC is sending the DNS flood?

cc_skavenger

DNS Flood
« Reply #3 on: August 04, 2004, 12:28:28 AM »
There usually is a log entry (messages log) of some LAN IP scrolling through several times repeatedly with port 53 listed... I mean several listings in a row.

MarkR
DNSCache/TinyDNS problem
« Reply #4 on: August 04, 2004, 11:29:23 AM »
The messages log has the following in it.

Aug  4 22:21:07 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.34.124 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=16241 DF PROTO=TCP SPT=3307 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 22:21:10 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.34.124 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=17028 DF PROTO=TCP SPT=3307 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 22:21:15 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.240.107 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=32814 DF PROTO=TCP SPT=4139 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 22:21:18 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.240.107 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=32993 DF PROTO=TCP SPT=4139 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
etc/etc/etc/etc/etc/etc/etc.......

Apart from the eth1 IP, no internal IP address is listed!?!
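As an added example (not code from the SME Server project or from anyone in this thread), the script below answers the question from Reply #2 using the log format shown in Reply #4: it parses netfilter `denylog:` lines, tallies packets per source address and destination port, and separates LAN-side sources (where a flooding workstation would show up as many UDP/53 packets) from external ones. Run against the four lines posted above it reports exactly what they are: inbound TCP SYNs to ports 445 and 135 from two external addresses arriving on eth1, not LAN-originated DNS traffic. The LAN range 192.168.1.0/24, eth0 as the LAN interface, and the 192.168.1.57 / 192.168.1.20 sample lines are assumptions constructed for the example; only the four external lines are from the post.

```python
"""Find the LAN host behind a DNS flood from netfilter "denylog:" lines.

Added example for this thread, not SME Server code. Parses the iptables
key=value log format shown in Reply #4 and counts packets per source and
destination port, LAN-side and external separately.
"""
import re
import sys
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the LAN behind the SME server is 192.168.1.0/24.
LAN = ip_network("192.168.1.0/24")

# Pull only the fields we need out of a netfilter log line.
FIELD_RE = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return the selected fields of one denylog line, or None for any other line."""
    if "denylog:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def summarize(lines):
    """Count packets per (src, proto, dpt); LAN-originated and external separately."""
    lan, ext = Counter(), Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        try:
            src = ip_address(f["SRC"])
        except ValueError:
            continue  # malformed SRC field: skip it rather than abort on a big log
        key = (f["SRC"], f["PROTO"], f.get("DPT", "-"))
        (lan if src in LAN else ext)[key] += 1
    return lan, ext


def suspect_dns_flooders(lan_counts, threshold=20):
    """LAN hosts with at least `threshold` logged UDP/53 packets, busiest first."""
    per_host = Counter()
    for (src, proto, dpt), n in lan_counts.items():
        if proto == "UDP" and dpt == "53":
            per_host[src] += n
    return [(src, n) for src, n in per_host.most_common() if n >= threshold]


def report(lines, out=sys.stdout):
    """Print the top talkers on each side and return the suspected flooders."""
    lan, ext = summarize(lines)
    for title, counts in (("External sources", ext), ("LAN sources", lan)):
        print(f"{title} (top 5):", file=out)
        for (src, proto, dpt), n in counts.most_common(5):
            print(f"  {n:6d}  {src:<16} {proto}/{dpt}", file=out)
    flooders = suspect_dns_flooders(lan)
    print("Suspected DNS flooders:", flooders or "none", file=out)
    return flooders


# The four lines below are the ones posted in Reply #4.
POSTED_LINES = [
    "Aug  4 22:21:07 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.34.124 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=16241 DF PROTO=TCP SPT=3307 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug  4 22:21:10 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.34.124 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=17028 DF PROTO=TCP SPT=3307 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug  4 22:21:15 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.240.107 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=32814 DF PROTO=TCP SPT=4139 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug  4 22:21:18 reygateway kernel: denylog:IN=eth1 OUT= MAC=00:06:4f:0d:72:4e:00:85:a0:01:01:00:08:00 SRC=81.134.240.107 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=32993 DF PROTO=TCP SPT=4139 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
]


def _lan_dns_line(src, spt, ident):
    """Constructed sample: a LAN host (on eth0, assumed LAN side) sending UDP/53 out."""
    return (
        f"Aug  4 22:25:{ident % 60:02d} reygateway kernel: denylog:IN=eth0 OUT= "
        "MAC=00:06:4f:0d:72:4d:00:0c:29:3a:7b:11:08:00 "
        f"SRC={src} DST=198.51.100.{ident % 250 + 1} LEN=60 TOS=0x00 PREC=0x00 "
        f"TTL=128 ID={ident} DF PROTO=UDP SPT={spt} DPT=53 LEN=40"
    )


# Constructed test data: the posted lines, one noisy LAN host, one quiet one,
# and an unrelated kernel line that the parser must ignore.
SAMPLE_LINES = (
    POSTED_LINES
    + [_lan_dns_line("192.168.1.57", 1024 + i, i) for i in range(1, 26)]
    + [_lan_dns_line("192.168.1.20", 3000 + i, i) for i in range(26, 29)]
    + ["Aug  4 22:26:00 reygateway kernel: eth0: link up"]
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report(fh)
    else:
        report(SAMPLE_LINES)
```

Feed it the real log with `python3 find_flooder.py /var/log/messages`. One caveat: `denylog:` only records packets that hit a deny rule, and queries LAN hosts send to the server's own dnscache are accepted, so they never appear here; if the LAN list comes back empty, watch the LAN interface directly (`tcpdump -ni eth0 udp port 53`, or IPTraf as suggested later in the thread) and the chatty workstation shows up by source address.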

MarkR
DNSCache/TinyDNS problem
« Reply #5 on: August 13, 2004, 02:40:10 PM »
Hi all,

Can dnscache be disabled... to stop this DNS flood?

Brave Dave
DNSCache/TinyDNS problem
« Reply #6 on: August 15, 2004, 12:01:56 PM »
IpTraf will tell you where the queries are coming from.
.:DB:.