Koozali.org: home of the SME Server

High DNS traffic

Offline crazybob

High DNS traffic
« on: July 01, 2010, 08:04:43 PM »
I am having what I think is a high amount of incoming dns traffic. I just noticed that inbound external network load is pretty much maxed, and IPtraf shows most of the traffic on port 53. Is there something I can do to try to throttle this down? A little research shows high inbound traffic started about the first part of May, and if I remember correctly I may have done an update at that time. Earlier this week I upgraded to SME7.5

TIA

Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline CharlieBrady

Re: High DNS traffic
« Reply #1 on: July 01, 2010, 09:45:26 PM »
Quote
Is there something I can do to try to throttle this down?

Identify the cause of the problem, and then fix it.

Quote
A little research shows high inbound traffic started about the first part of May, and if I remember correctly I may have done an update at that time. Earlier this week I upgraded to SME7.5

Don't report problems here
- Please report bugs and potential bugs in the bug tracker

Offline Stefano

Re: High DNS traffic
« Reply #2 on: July 01, 2010, 09:49:42 PM »
IMHO there's no reason for inbound dns traffic, so I agree with Charlie: you should find the cause of the problem and report it in bugzilla

Offline CharlieBrady

Re: High DNS traffic
« Reply #3 on: July 01, 2010, 09:59:06 PM »
Quote
IMHO there's no reason for inbound dns traffic...

Return DNS traffic is normal. If it is excessive, perhaps there is a client doing excessive DNS lookups. If the problem started during an update, there might be a problem with the software or configuration and that needs to be investigated in the bug tracker.

crazybob should know all this.

Offline piran

Re: High DNS traffic
« Reply #4 on: July 02, 2010, 02:53:11 AM »
Quote
I am having what I think is a high amount of incoming dns traffic.

Possibly a user or few have taken up the ClamAV for Windows anti-virus-in-the-cloud 'service'? It seems to open a lot of port 53 NAT sessions ~ apparently concurrently. This is particularly noticeable after a workstation reboot and/or activity on the latter associated with new, as yet unassessed (for a/v purposes), programmes ~ again with respect to whatever they have going on in the cloud. Or not;~) Haven't noticed a particular problem.

Offline crazybob

Re: High DNS traffic
« Reply #5 on: July 02, 2010, 04:15:45 AM »
Later tonight I am going to disconnect all local users for a while to see what happens. After that I will be reporting things in bugzilla

 :)
If you think you know what's going on, you obviously have no idea what's going on!

Offline CharlieBrady

Re: High DNS traffic
« Reply #6 on: July 02, 2010, 05:13:34 AM »
Quote
later tonight I am going to disconnect all local users for a while to see what happens.

You shouldn't need to do that. Either log files or tools such as iptraf or tcpdump will identify what client or clients are generating the traffic.

Offline Stefano

Re: High DNS traffic
« Reply #7 on: July 02, 2010, 09:29:49 AM »
Quote
Return DNS traffic is normal.

indeed, but not on port 53 inbound IMO

Offline piran

Re: High DNS traffic
« Reply #8 on: July 02, 2010, 11:37:46 AM »
Quote
Later tonight I am going to disconnect all local users for a while to see what happens. After that I will be reporting things in bugzilla

 :)

One user (me) and look what happens after I've switched on a single workstation... 104 NAT sessions most of which are tied up with port 53 stuff. IP 174.129.205.133 is the Amazon Elastic Compute Cloud (EC2) which is a zone I'd normally want to block for one reason or another but it's ClamAV for Windows inter-communicating. They have owned up to using port 32137 before. Whatever is running on my workstation is assessed transparently 'in the cloud' dynamically and anything nasty going around causes alarms. Currently 300,000+ machines/people logged on with the cloud assessing from over 13 million threats.

Probably not a bug/bugzilla thing, just a 'keep under observation' thing crazybob. The NAT sessions decrease soon enough.

Sorry Stefano, hope the text log doesn't cost you too much on your palmtop under the palms out there on the beach... and stop eyeballing those bikinis;~)

status log from my router:
--------------------------------------------

Active NAT sessions between interface of types external and internal:

No. | Prot | Local IP: Port local/public | Remote IP: Port       | Idle (sec.)
----|------|-----------------------------|-----------------------|-------
« Last Edit: July 02, 2010, 11:39:55 AM by piran »
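Charlie's advice in Reply #6 (log files or tools such as iptraf/tcpdump will show which client is generating the traffic) and piran's router table above lend themselves to a small tally. The script below is an added example, not code from the thread or from SME Server: it parses a NAT-session table in the layout the router printed (a constructed sample in RFC 5737 documentation ranges stands in for the real log) and counts port-53 sessions per internal client plus the busiest remote endpoints; the column format is assumed from the table as pasted, and parse_sessions, dns_sessions_by_client and top_remote_endpoints are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample in the layout of the router's "Active NAT sessions" table
# quoted in the thread; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_NAT_LOG = """\
No. | Prot | Local IP: Port local/public | Remote IP: Port       | Idle (sec.)
----|------|-----------------------------|-----------------------|-------
1   | TCP  | 192.168.  1. 64:38107/38107 | 198. 51.100. 10:  443 | 48
2   | UDP  | 192.168.  1. 64:32395/32395 | 192.  0.  2.  7:   53 | 16
3   | UDP  | 192.168.  1. 64:49522/49522 | 192.  0.  2.  7:   53 | 73
4   | UDP  | 192.168.  1. 64: 8047/ 8047 | 192.  0.  2.  7:   53 | 14
5   | UDP  | 192.168.  1. 77:39897/39897 | 192.  0.  2.  9:   53 | 19
6   | UDP  | 192.168.  1. 64:50452/50452 | 203.  0.113. 45:32137 | 68
7   | UDP  | 192.168.  1. 64:55496/55496 | 203.  0.113. 45:32137 | 65
"""

# One table row. The router pads octets and ports with spaces, so the
# character classes allow spaces and _ip() strips them afterwards.
ROW_RE = re.compile(r"""
    ^\s*\d+\s*\|\s*(?P<proto>TCP|UDP)\s*\|\s*
    (?P<lip>[\d .]+?):\s*\d+/\s*\d+\s*\|\s*
    (?P<rip>[\d .]+?):\s*(?P<rport>\d+)\s*\|\s*(?P<idle>\d+)\s*$
""", re.VERBOSE)

def _ip(padded):
    """'192.168.  1. 64' -> '192.168.1.64'."""
    return ".".join(str(int(octet)) for octet in padded.split("."))

def parse_sessions(text):
    """Return one dict per NAT session; header and divider lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append({"proto": m["proto"], "local": _ip(m["lip"]),
                             "remote": _ip(m["rip"]), "rport": int(m["rport"]),
                             "idle": int(m["idle"])})
    return sessions

def dns_sessions_by_client(sessions):
    """Sessions to remote port 53, counted per internal client address."""
    return Counter(s["local"] for s in sessions if s["rport"] == 53)

def top_remote_endpoints(sessions, n=3):
    """Most frequent (remote IP, remote port) pairs: the peers worth looking up."""
    return Counter((s["remote"], s["rport"]) for s in sessions).most_common(n)
```

Paste the real table in place of SAMPLE_NAT_LOG or read it from a file; a client with far more port-53 sessions than its peers, or an unfamiliar remote endpoint at the top of the list, is the one to examine first.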

Offline piran

Re: High DNS traffic
« Reply #9 on: July 02, 2010, 12:13:38 PM »
I noticed that Akamai technology is still 'calling home'. Akamai seems to be part of the downloading mechanism for Maya and they shouldn't still be calling home as I'm now done downloading... After uninstalling Akamai from the workstation the router status log now shows over 600 NAT sessions and just about ALL of them port 53. Guess this is the cloud reassessing? Is this what you've been observing crazybob?