Millions of DNS queries

Hello,
We see millions of DNS queries on our firewall from our domain controller and its backup.

I really don't think this is normal behaviour.

All outbound DNS traffic is blocked. Only our internal servers are allowed.
There are only internal DNS servers configured on our domain controllers.

Sorry for the following long output, but this does not even show one second. (The IPs 161 and 217 are the UCS servers.)

Any hints are very much appreciated.

Thank you!

Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63364,0,none,17,udp,86,192.168.0.161,185.65.88.5,43398,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50844,0,none,17,udp,86,192.168.0.161,178.23.81.4,14448,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36730,0,none,17,udp,86,192.168.0.217,185.65.88.5,17559,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16815,0,none,17,udp,86,192.168.0.217,178.23.81.4,26175,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,228,0,none,17,udp,86,192.168.0.217,91.234.229.10,26878,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25830,0,none,17,udp,75,192.168.0.122,128.8.10.90,51497,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36731,0,none,17,udp,86,192.168.0.217,185.65.88.5,41348,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50845,0,none,17,udp,86,192.168.0.161,178.23.81.4,35598,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16816,0,none,17,udp,86,192.168.0.217,178.23.81.4,17260,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63366,0,none,17,udp,86,192.168.0.161,185.65.88.5,19521,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50846,0,none,17,udp,86,192.168.0.161,178.23.81.4,7454,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36559,0,none,17,udp,86,192.168.0.161,91.234.229.10,48501,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16817,0,none,17,udp,86,192.168.0.217,178.23.81.4,53207,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,230,0,none,17,udp,86,192.168.0.217,91.234.229.10,52738,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50847,0,none,17,udp,86,192.168.0.161,178.23.81.4,10423,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36560,0,none,17,udp,86,192.168.0.161,91.234.229.10,37208,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36733,0,none,17,udp,86,192.168.0.217,185.65.88.5,64356,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,231,0,none,17,udp,86,192.168.0.217,91.234.229.10,55383,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25846,0,DF,17,udp,75,192.168.0.122,192.33.4.12,51001,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63368,0,none,17,udp,86,192.168.0.161,185.65.88.5,6295,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36561,0,none,17,udp,86,192.168.0.161,91.234.229.10,49878,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36734,0,none,17,udp,86,192.168.0.217,185.65.88.5,20238,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16819,0,none,17,udp,86,192.168.0.217,178.23.81.4,60785,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,232,0,none,17,udp,86,192.168.0.217,91.234.229.10,33302,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50849,0,none,17,udp,86,192.168.0.161,178.23.81.4,22236,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36735,0,none,17,udp,86,192.168.0.217,185.65.88.5,14864,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36562,0,none,17,udp,86,192.168.0.161,91.234.229.10,38617,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16820,0,none,17,udp,86,192.168.0.217,178.23.81.4,43622,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,233,0,none,17,udp,86,192.168.0.217,91.234.229.10,15084,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25856,0,none,17,udp,75,192.168.0.122,192.112.36.4,52075,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50850,0,none,17,udp,86,192.168.0.161,178.23.81.4,61441,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36736,0,none,17,udp,86,192.168.0.217,185.65.88.5,60455,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36563,0,none,17,udp,86,192.168.0.161,91.234.229.10,9237,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16821,0,none,17,udp,86,192.168.0.217,178.23.81.4,17481,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63371,0,none,17,udp,86,192.168.0.161,185.65.88.5,8188,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50851,0,none,17,udp,86,192.168.0.161,178.23.81.4,60496,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36737,0,none,17,udp,86,192.168.0.217,185.65.88.5,17916,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36564,0,none,17,udp,86,192.168.0.161,91.234.229.10,23429,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16822,0,none,17,udp,86,192.168.0.217,178.23.81.4,32733,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,235,0,none,17,udp,86,192.168.0.217,91.234.229.10,2031,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63372,0,none,17,udp,86,192.168.0.161,185.65.88.5,39537,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50852,0,none,17,udp,86,192.168.0.161,178.23.81.4,15270,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36738,0,none,17,udp,86,192.168.0.217,185.65.88.5,55830,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16823,0,none,17,udp,86,192.168.0.217,178.23.81.4,54209,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,236,0,none,17,udp,86,192.168.0.217,91.234.229.10,59922,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63373,0,none,17,udp,86,192.168.0.161,185.65.88.5,10587,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50853,0,none,17,udp,86,192.168.0.161,178.23.81.4,44804,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36566,0,none,17,udp,86,192.168.0.161,91.234.229.10,23179,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16824,0,none,17,udp,86,192.168.0.217,178.23.81.4,62317,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,237,0,none,17,udp,86,192.168.0.217,91.234.229.10,23569,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63374,0,none,17,udp,86,192.168.0.161,185.65.88.5,27552,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25872,0,none,17,udp,75,192.168.0.122,192.5.5.241,52487,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36740,0,none,17,udp,86,192.168.0.217,185.65.88.5,41960,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36567,0,none,17,udp,86,192.168.0.161,91.234.229.10,32741,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16825,0,none,17,udp,86,192.168.0.217,178.23.81.4,16362,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,238,0,none,17,udp,86,192.168.0.217,91.234.229.10,32707,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63375,0,none,17,udp,86,192.168.0.161,185.65.88.5,33260,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36741,0,none,17,udp,86,192.168.0.217,185.65.88.5,20076,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36568,0,none,17,udp,86,192.168.0.161,91.234.229.10,39934,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16827,0,none,17,udp,86,192.168.0.217,178.23.81.4,44002,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,240,0,none,17,udp,86,192.168.0.217,91.234.229.10,29163,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25880,0,DF,17,udp,75,192.168.0.122,198.41.0.4,51810,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50856,0,none,17,udp,86,192.168.0.161,178.23.81.4,47378,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36569,0,none,17,udp,86,192.168.0.161,91.234.229.10,25263,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36742,0,none,17,udp,86,192.168.0.217,185.65.88.5,15683,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16828,0,none,17,udp,86,192.168.0.217,178.23.81.4,5397,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63377,0,none,17,udp,86,192.168.0.161,185.65.88.5,9024,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50857,0,none,17,udp,86,192.168.0.161,178.23.81.4,38701,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36570,0,none,17,udp,86,192.168.0.161,91.234.229.10,26393,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16829,0,none,17,udp,86,192.168.0.217,178.23.81.4,58615,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,242,0,none,17,udp,86,192.168.0.217,91.234.229.10,11509,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25895,0,none,17,udp,75,192.168.0.122,192.112.36.4,50876,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36745,0,none,17,udp,86,192.168.0.217,185.65.88.5,17059,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50858,0,none,17,udp,86,192.168.0.161,178.23.81.4,54486,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16830,0,none,17,udp,86,192.168.0.217,178.23.81.4,33843,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,243,0,none,17,udp,86,192.168.0.217,91.234.229.10,64263,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,63379,0,none,17,udp,86,192.168.0.161,185.65.88.5,10046,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50859,0,none,17,udp,86,192.168.0.161,178.23.81.4,42970,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36572,0,none,17,udp,86,192.168.0.161,91.234.229.10,27996,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16831,0,none,17,udp,86,192.168.0.217,178.23.81.4,35492,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,244,0,none,17,udp,86,192.168.0.217,91.234.229.10,45611,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,128,25897,0,none,17,udp,75,192.168.0.122,192.5.5.241,52147,53,55
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50860,0,none,17,udp,86,192.168.0.161,178.23.81.4,6889,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36747,0,none,17,udp,86,192.168.0.217,185.65.88.5,55333,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36573,0,none,17,udp,86,192.168.0.161,91.234.229.10,60101,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16832,0,none,17,udp,86,192.168.0.217,178.23.81.4,3327,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,245,0,none,17,udp,86,192.168.0.217,91.234.229.10,7939,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,50861,0,none,17,udp,86,192.168.0.161,178.23.81.4,18461,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36574,0,none,17,udp,86,192.168.0.161,91.234.229.10,33534,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,36748,0,none,17,udp,86,192.168.0.217,185.65.88.5,4631,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,16833,0,none,17,udp,86,192.168.0.217,178.23.81.4,50021,53,66
Mar 14 16:02:23 fw30 filterlog: 169,,,1520604093,ix0,match,block,in,4,0x0,,64,247,0,none,17,udp,86,192.168.0.217,91.234.229.10,59281,53,66

Hey,

first you should probably check which addresses they’re trying to resolve. Run something like tcpdump -n -i any udp port 53 on your DC Master. That should output lines such as this:

16:23:51.108824 IP 192.168.191.3.51819 > 192.168.191.253.53: 27749+ A? client.teamviewer.com. (39)
16:23:51.108834 IP 192.168.191.3.52531 > 192.168.191.253.53: 18683+ AAAA? client.teamviewer.com. (39)

Which host names/records are requested over and over again?

Kind regards,
mosu

Hi,

thanks for the reply.

I have no idea how to read this:

16:27:20.608846 IP 192.168.0.217.53 > 192.168.0.120.65273: 46079 ServFail 0/0/1 (58)
16:27:20.609984 IP 192.168.0.120.49961 > 192.168.0.217.53: 2419+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.610661 IP 192.168.0.217.19294 > 192.168.0.246.53: 17150+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.611211 IP 192.168.0.246.53 > 192.168.0.217.19294: 17150 0/3/0 (101)
16:27:20.612176 IP 192.168.0.217.45108 > 185.65.88.5.53: 61032 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.612891 IP 192.168.0.217.13541 > 178.23.81.4.53: 16911 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.613558 IP 192.168.0.217.60384 > 91.234.229.10.53: 29108 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.614175 IP 192.168.0.217.53 > 192.168.0.120.49961: 2419 ServFail 0/0/1 (58)
16:27:20.615334 IP 192.168.0.120.65418 > 192.168.0.217.53: 6138+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.615742 IP 192.168.0.217.12105 > 192.168.0.246.53: 1501+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.616511 IP 192.168.0.246.53 > 192.168.0.217.12105: 1501 0/3/0 (101)
16:27:20.616921 IP 192.168.0.217.62029 > 185.65.88.5.53: 14639 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.617681 IP 192.168.0.217.37021 > 178.23.81.4.53: 88 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.618947 IP 192.168.0.217.14394 > 91.234.229.10.53: 10338 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.619619 IP 192.168.0.217.53 > 192.168.0.120.65418: 6138 ServFail 0/0/1 (58)
16:27:20.620778 IP 192.168.0.120.50182 > 192.168.0.217.53: 10253+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.621663 IP 192.168.0.217.22375 > 192.168.0.246.53: 21096+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.622405 IP 192.168.0.246.53 > 192.168.0.217.22375: 21096 0/3/0 (101)
16:27:20.623014 IP 192.168.0.217.7482 > 185.65.88.5.53: 58301 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.623790 IP 192.168.0.217.16373 > 178.23.81.4.53: 57058 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.624527 IP 192.168.0.217.44995 > 91.234.229.10.53: 30316 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.625231 IP 192.168.0.217.53 > 192.168.0.120.50182: 10253 ServFail 0/0/1 (58)
16:27:20.626306 IP 192.168.0.120.49494 > 192.168.0.217.53: 14068+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.626772 IP 192.168.0.217.56779 > 192.168.0.246.53: 27313+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.627377 IP 192.168.0.246.53 > 192.168.0.217.56779: 27313 0/3/0 (101)
16:27:20.627993 IP 192.168.0.217.53881 > 185.65.88.5.53: 3404 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.628602 IP 192.168.0.217.24367 > 178.23.81.4.53: 22 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.629184 IP 192.168.0.217.27092 > 91.234.229.10.53: 37797 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.629686 IP 192.168.0.217.53 > 192.168.0.120.49494: 14068 ServFail 0/0/1 (58)
16:27:20.630865 IP 192.168.0.120.64214 > 192.168.0.217.53: 58159+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.631277 IP 192.168.0.217.10594 > 192.168.0.246.53: 65271+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.631780 IP 192.168.0.246.53 > 192.168.0.217.10594: 65271 0/3/0 (101)
16:27:20.632369 IP 192.168.0.217.21692 > 185.65.88.5.53: 43974 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.632989 IP 192.168.0.217.32837 > 178.23.81.4.53: 6705 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.633581 IP 192.168.0.217.27690 > 91.234.229.10.53: 32548 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.634134 IP 192.168.0.217.53 > 192.168.0.120.64214: 58159 ServFail 0/0/1 (58)
^C
10013 packets captured
10018 packets received by filter
0 packets dropped by kernel

This thing ran for only a few seconds.

I see high CPU usage from

32068 root 20 0 645M 115M 16332 S 63.9 2.9 16h48:36 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

Regards
Matthias

Hey,

well, this means that some application is trying to resolve the address bounce-thomas-krenn.xortex.at over and over again. I assume that 192.168.0.217 is the address of the machine you were running tcpdump on, right (the DC Master or DC Backup)? So what happens is:

An application running on the host 192.168.0.120 sends a DNS request to the DNS server running on your DC Master querying bounce-thomas-krenn.xortex.at.

The DNS server on your DC Master doesn’t know the answer and forwards the query to a DNS server on the internal host 192.168.0.246. That one then says “well, I don’t know…”.

As your DC Master doesn’t know the answer yet, it now contacts three external DNS servers and asks them.

Basically you’ll have to figure out which application on 192.168.0.120 triggers those queries in the first place. Everything else is just a result of 192.168.0.120 asking for that record.

Kind regards,
mosu
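
The reading described in this reply can be automated when the capture is too large to follow by eye. The Python below is an added example, not part of the original posts: for a given resolver address it counts which client asks for which record, where the resolver sends its own queries, and which clients get ServFail back. The function name `analyse`, the resolver argument and the ninth sample line are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Lines 1-8 are copied from the capture in this thread; line 9 is constructed.
SAMPLE = """\
16:27:20.609984 IP 192.168.0.120.49961 > 192.168.0.217.53: 2419+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.610661 IP 192.168.0.217.19294 > 192.168.0.246.53: 17150+ A? bounce-thomas-krenn.xortex.at. (47)
16:27:20.611211 IP 192.168.0.246.53 > 192.168.0.217.19294: 17150 0/3/0 (101)
16:27:20.612176 IP 192.168.0.217.45108 > 185.65.88.5.53: 61032 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.612891 IP 192.168.0.217.13541 > 178.23.81.4.53: 16911 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.613558 IP 192.168.0.217.60384 > 91.234.229.10.53: 29108 [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.614175 IP 192.168.0.217.53 > 192.168.0.120.49961: 2419 ServFail 0/0/1 (58)
16:27:20.615334 IP 192.168.0.120.65418 > 192.168.0.217.53: 6138+ [1au] A? bounce-thomas-krenn.xortex.at. (58)
16:27:20.700000 IP 192.168.0.50.40000 > 192.168.0.217.53: 77+ AAAA? client.teamviewer.com. (39)
"""

QUERY = re.compile(  # "IP client.port > server.53: 2419+ [1au] A? name. (58)"
    r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: "
    r"\d+\S* (?:\[\w+\] )?(?P<qtype>\w+)\? (?P<qname>\S+) ")
REPLY = re.compile(  # "IP server.53 > client.port: 2419 ServFail 0/0/1 (58)"
    r"IP (?P<src>[\d.]+)\.53 > (?P<dst>[\d.]+)\.\d+: "  # n/n/n = answer/authority/additional
    r"\d+\S* (?:(?P<rcode>[A-Za-z]+) )?\d+/\d+/\d+")


def analyse(capture, resolver):
    """Split DNS traffic captured on `resolver` into the hops described above."""
    asked = Counter()     # (client, qtype, qname) -> queries sent to the resolver
    upstream = Counter()  # (server, scope) -> queries the resolver sent onwards
    servfail = Counter()  # client -> ServFail replies returned by the resolver
    for line in capture.splitlines():
        q = QUERY.search(line)
        if q:
            if q["dst"] == resolver:
                asked[(q["src"], q["qtype"], q["qname"])] += 1
            elif q["src"] == resolver:
                private = ipaddress.ip_address(q["dst"]).is_private
                upstream[(q["dst"], "internal" if private else "external")] += 1
            continue
        r = REPLY.search(line)
        if r and r["src"] == resolver and r["rcode"] == "ServFail":
            servfail[r["dst"]] += 1
    return {"asked": asked, "upstream": upstream, "servfail": servfail}


if __name__ == "__main__":
    result = analyse(SAMPLE, "192.168.0.217")
    for (client, qtype, qname), n in result["asked"].most_common():
        print(f"{n:4d}  {client} asks {qtype} {qname}")
    for (server, scope), n in result["upstream"].most_common():
        print(f"{n:4d}  resolver -> {server} ({scope})")
    for client, n in result["servfail"].items():
        print(f"{n:4d}  ServFail returned to {client}")
```

On a real capture, the top entry under `asked` names the client and record to investigate first.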

Hey mosu,

thank you very much for this great explanation!

The host 0.120 is a W2008r2 domain controller for a foreign domain. We have no idea why it started to talk to the Univention controller. The DNS service on the Windows controller was running with high CPU. A restart of its DNS service immediately stopped this traffic.

What I still do not understand is why and from where my Univention domain controller knows three external DNS servers. I took more than one look into my Registry and I cannot figure out why this happens. The only external DNS which is configured is the one running on our firewall.

Kind regards,
Matthias
