  1. #1
    Newbie
    Join Date
    Apr 2020
    Posts
    9

    Thousands of DNS Requests per minute

    Hi, I noticed that I was getting upwards of 70K sessions per minute, specifically DNS requests, from my WAN interface. 6pm to 6am, constantly. Almost every day.

    It looks like the IP address of the WAN interface is doing the DNS request. Has anyone seen this before? A reboot didn't help. On the Untangle, is there any way I can capture the traffic to see what the DNS request is for?

    Thanks,
    Tho

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    I think someone has a DNS loop...

    Untangle should be using something on the Internet for DNS... if you have an internal DNS server configured on a WAN interface... REMOVE IT.

    Everything behind Untangle should be either using Untangle, or something beyond Untangle to resolve.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,469

  4. #4
    Newbie
    Join Date
    Apr 2020
    Posts
    9

    Quote Originally Posted by Jim.Alles
    Thanks Jim! Exactly what I was looking for. Pointed me to the exact issue... and why the spikes were on a 12 hr cycle. Based on the FQDN it was trying to resolve, I figured it was coming from my work computer. Specifically, the spikes would occur when my VPN timed out, and it appears like all the applications I had running were trying to authenticate to the corp LDAP servers, which aren't available without VPN... will need to investigate why there is such a high volume of requests though.

    Also, it dawned on me the reason it looks like the Untangle WAN IP is doing all the DNS requests is because my devices all point to the Untangle as a DNS server.

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Lake Tahoe
    Posts
    9,712

    Quote Originally Posted by untanglemeplz
    Also, it dawned on me the reason it looks like the Untangle WAN IP is doing all the DNS requests is because my devices all point to the Untangle as a DNS server.
    LAN devices pointed to the LAN address of the Untangle is the common configuration which is correct.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,514

    Wow... I've never seen so many requests actually be "legitimate" especially from a single host.

    Usually this happens when a client is using a DNS server behind Untangle, which is aimed at Untangle itself, and Untangle is aimed at the DNS server. Some of these servers will give up and fall back to root hints after the initial query faults. So things appear to work, but only after several requests run around in a circle!

    But yes, if you're watching port 53 traffic and you see a ton of stuff coming from one place, going to a specific DNS server then yeah... that's it. But that's a LOT of traffic... I'm less inclined to think you only have 1 machine doing it.
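
Added example, not part of the thread or any poster's code: one way to see which client and which names account for a spike like the one discussed above, by tallying a text capture of port 53 traffic per client, per name and per minute. It assumes the capture is in the output format of `tcpdump -n port 53` taken on the LAN side; the sample lines, addresses and hostnames are constructed.

```python
import re
from collections import Counter

# Constructed sample in the text format printed by `tcpdump -n port 53`
# (addresses and names are placeholders, not data from the thread).
SAMPLE = """\
18:00:01.100001 IP 192.168.1.50.51234 > 192.168.1.1.53: 4660+ A? ldap01.corp.example.com. (41)
18:00:01.100950 IP 192.168.1.1.53 > 192.168.1.50.51234: 4660 NXDomain 0/1/0 (116)
18:00:01.250112 IP 192.168.1.50.51235 > 192.168.1.1.53: 4661+ A? ldap01.corp.example.com. (41)
18:00:02.003417 IP 192.168.1.50.51236 > 192.168.1.1.53: 4662+ [1au] AAAA? ldap02.corp.example.com. (52)
18:00:30.771200 IP 192.168.1.23.40112 > 192.168.1.1.53: 911+ A? www.example.org. (33)
18:01:00.000300 IP 192.168.1.50.51240 > 192.168.1.1.53: 4663+ A? ldap01.corp.example.com. (41)
"""

# Matches queries only (client -> port 53); responses lack the "TYPE? name" part.
QUERY = re.compile(
    r"^(?P<minute>\d\d:\d\d):\d\d\.\d+ IP (?P<client>\d+(?:\.\d+){3})\.\d+ > "
    r"\d+(?:\.\d+){3}\.53: \d+\S* (?:\[[^\]]*\] )?(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+?)\.? \("
)

def summarize(capture_text):
    """Return query counts per client, per (client, name), per (minute, client)."""
    by_client, by_name, by_minute = Counter(), Counter(), Counter()
    for line in capture_text.splitlines():
        m = QUERY.match(line)
        if not m:
            continue  # response or non-DNS line
        client, name = m["client"], m["name"].lower()
        by_client[client] += 1
        by_name[client, name] += 1
        by_minute[m["minute"], client] += 1
    return by_client, by_name, by_minute

def noisy_clients(by_minute, threshold):
    """Clients whose query count reached `threshold` in any single minute."""
    return sorted({client for (_, client), n in by_minute.items() if n >= threshold})

if __name__ == "__main__":
    clients, names, minutes = summarize(SAMPLE)
    for (client, name), n in names.most_common(5):
        print(f"{n:6d}  {client:15s}  {name}")
    print("over threshold:", noisy_clients(minutes, threshold=3))
```

The per-minute buckets make a timed pattern such as a 12-hour cycle visible, and the per-name tally shows whether one client is retrying a few unreachable names or many clients are involved.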
