Koozali.org: home of the SME Server
Contribs.org Forums => General Discussion => Topic started by: smiit on May 05, 2009, 06:21:04 PM
-
I received a message from my ISP's abuse department yesterday complaining of excessive DNS requests. Never had a complaint from them in the 5 years we've been running SME.
Any suggestions on how I might analyze network traffic to figure out what's going on?
Should I concentrate on UDP 53 traffic or could it be any sort of rogue mail worm causing trouble on various ports?
Thanks in advance if anyone has any tips or usage examples using tcpdump, iptraf or nmap.
-
AFAIK SME Server does its own name resolution for itself and its configured networks unless you have set an external DNS server through the admin console. Perhaps they are referring to that type of traffic?
-
Just received an e-mail from the ISP - an error on their end kicked out the abuse warning - they now claim customers have outdated firmware on their provided routers and/or there still may be a rogue client machine flooding spam around.
-
I've seen a DNS Flood Alert in my ADSL router when SME Server is querying a list of DNS servers out there (hundreds). Maybe it is this kind of request that alerts your ISP to 'excessive DNS request'. Nothing to worry about though. This is by design.
thomas
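-
Added example, not part of any post in this thread: one way to answer the original question about UDP 53 is to capture DNS traffic with `tcpdump -n` on the server's internal interface and count queries per client, optionally restricted to one record type such as MX. The function names, the interface name `eth0` and the sample capture lines are assumptions constructed for illustration.

```bash
#!/bin/sh
# Live use (interface name eth0 is an assumption):
#   tcpdump -n -l -i eth0 udp port 53 | dns_top_talkers
#   tcpdump -n -l -i eth0 udp port 53 | dns_top_talkers MX

# Constructed sample of `tcpdump -n` output (RFC 1918 / RFC 5737 addresses).
sample_capture() {
cat <<'EOF'
18:21:04.100001 IP 192.168.1.23.51234 > 192.168.1.1.53: 4001+ MX? example.com. (29)
18:21:04.100950 IP 192.168.1.1.53 > 192.168.1.23.51234: 4001 1/0/0 MX mail.example.com. 10 (50)
18:21:04.201112 IP 192.168.1.23.51235 > 192.168.1.1.53: 4002+ MX? example.net. (29)
18:21:04.305377 IP 192.168.1.23.51236 > 192.168.1.1.53: 4003+ MX? example.org. (29)
18:21:05.010203 IP 192.168.1.10.40112 > 192.168.1.1.53: 812+ A? www.example.com. (33)
18:21:05.011507 IP 192.168.1.1.53 > 192.168.1.10.40112: 812 1/0/0 A 203.0.113.10 (49)
18:21:05.400000 IP 192.168.1.23.51237 > 192.168.1.1.53: 4004+ A? mail.example.com. (34)
EOF
}

# Print "<count> <source-ip>" for DNS queries read from stdin, busiest first.
# A query is a line sent TO port 53 that carries a question token (A?, MX?, PTR? ...).
# Optional $1 limits the count to one record type; workstations that send
# many MX lookups themselves, rather than relaying mail via the server, stand out.
dns_top_talkers() {
  awk -v want="$1" '
    $2 == "IP" && $4 == ">" && $5 ~ /\.53:$/ {
      q = ""
      for (i = 6; i <= NF; i++)
        if ($i ~ /^[A-Z0-9]+\?$/) { q = $i; sub(/\?$/, "", q); break }
      if (q == "" || (want != "" && q != want)) next   # not a query / wrong type
      src = $3
      sub(/\.[0-9]+$/, "", src)                        # strip the source port
      count[src]++
    }
    END { for (s in count) print count[s], s }
  ' | sort -k1,1nr -k2,2
}

# Stand-alone demonstration on the constructed sample.
sample_capture | dns_top_talkers
```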