In this article
Use this article to identify the source device of excessive DNS query traffic and take action to stop the unintended queries. This steps is important for security, quality control, and billing accuracy purposes.
Infected, frozen, or otherwise problematic endpoints can send massive amounts of DNS queries or continually send DNS queries to malicious destinations.
Resolve the issue
There are a few different methods outlined below to locate the source device. At a high level, no matter which method works to find the source, the same basic steps will resolve the issue: match the source IP address to the Hostname and MAC address in the DHCP server.
If the device is known: inspect it to find out which application is causing the issue. If the application isn't needed, remove it. Otherwise, alter the app settings to reduce the number of DNS requests.
If the device is not known: block the MAC address or LAN IP address from sending DNS queries until the user makes themselves known to you.
Navigate through the sections below for different methods to complete this search.
Roaming Client Reporting
DNSFilter reporting can easily identify the source device if the organization uses Roaming Clients.
- From the DNSFilter dashboard, navigate to Reporting and select Insights
- Scroll down to All threats by domain
- The excessive request domain should be the top of the list
- Select the domain name
- Select the drop down caret to view the request's associated Roaming Client
Block, remove, or update the application settings as needed to resolve the issue.
Windows DNS logging
If you are using Active Directory, there are two ways that you can view the source IP address and query contents:
DNS server debug logs
DNS Query Sniffer
DNS Query Sniffer is a tool that prints DNS query/response information in a spreadsheet-style view, and allows easy exporting of the data. You can download this here
Linux DNS logging
A linux machine can also be used to log query traffic on the network, and there are several software applications available that can do a dump of traffic:
dnstop
dnstop is great and quick tool for getting exactly the output you need to identify a problematic endpoint when using BIND as a DNS forwarder. We recommend this introduction article to dnstop.
tcpdump
The classic network sniffer. Using tcpdump will allow you to easily view all DNS queries and responses if you’re using a Linux server for DNS forwarding, or just want to monitor the DNS queries on the computer/server itself.
An example command for monitoring all outbound DNS queries is (assuming eth0 is your primary network adapter):
tcpdump -i eth0 'dst port 53'
There’s a table of flags and options on packetlife.net.
Other methods
The classic network sniffer. Using tcpdump will allow you to easily view all DNS queries and responses if you’re using a Linux server for DNS forwarding, or just want to monitor the DNS queries on the computer/server itself.
If you’re using a router or firewall as a DNS forwarder, or not using DNS forwarding and assigning DNSFilter IPs directly via DHCP, you’ll need to use any tools or utilities provided by your router or firewall to view the DNS traffic. You’ll need to both determine if such tools are available (not normally on low-cost consumer routers), and how to use them by consulting with documentation or support resources from the manufacturer.
Comments
0 comments
Please sign in to leave a comment.