millbad.blogg.se

Wireshark ip source filter
If you’ve got a DNS issue, a Wireshark DNS filter can be your best friend. Why? Read on!

At my client, they have an Active Directory domain with a few domain controllers which are also DNS servers. All of these DNS servers/domain controllers have forwarders enabled on them using the typical 8.8.8.8, 4.2.2.2, and 4.2.2.3.

A problem cropped up that unknown DNS traffic was being initiated from a DNS server out to the Internet. The network administrator had locked down outgoing DNS traffic only to the forwarders and was seeing a lot of hits on an ACL that was denying other DNS traffic to other public IPs. He needed me to figure out if this traffic was necessary to further open up DNS. I didn’t think so, but I thought I’d investigate.

Related: Making Sense of the Microsoft DNS Debug Log

Build a Wireshark DNS Filter

With Wireshark now installed on this DNS server, I opened it up and soon created a Wireshark DNS filter to narrow down interesting DNS activity as much as possible, starting with this capture filter:

udp port 53 and not host 8.8.8.8 and not host 4.2.2.2 and not host 4.2.2.3

This capture filter narrows down the capture to UDP/53. I then exclude my forwarders because I know DNS traffic will be going to those. I start the capture and then created a display filter:

(!ip.dst==192.168.0.0/16) and (!ip.dst==172.0.0.0/8) and (!ip.dst==10.0.0.0/8)

This display filter removes all of the internal IPs I was seeing. I don’t care about any internal DNS activity, just traffic to external DNS servers. It’s always a good idea to create capture filters instead of display filters with Wireshark and, in hindsight, I probably should have added some additional subnet rules to the capture filter.

I was noticing TONS of DNS traffic going out to external DNS servers with the Wireshark DNS filter in place. I knew, based on the article Recursive and Iterative Queries, that when forwarders are used the queries are always recursive. This meant that no queries should be sent from this server to any others besides the forwarder IPs. However, I was seeing tons of iterative queries to other servers in the Wireshark packet capture.
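As an added example (not code from the original post), the script below applies the same logic as the capture and display filters above to constructed packet records and additionally inspects the RD bit of each DNS header, which is what distinguishes a recursive query from an iterative one. It assumes RFC 1918 internal ranges (172.16.0.0/12 rather than the post’s wider 172.0.0.0/8) and uses the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 to stand in for unexpected external DNS servers.

```python
import ipaddress
import struct

# Forwarders named in the post; DNS traffic to these is expected.
FORWARDERS = {"8.8.8.8", "4.2.2.2", "4.2.2.3"}
# Internal ranges to ignore. RFC 1918 is used here (assumption); the post's
# display filter used 172.0.0.0/8, which is wider than 172.16.0.0/12.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def dns_header(txid, rd, qr=0):
    """Build a minimal 12-byte DNS header (constructed sample payload)."""
    flags = (qr << 15) | (rd << 8)          # QR is bit 15, RD is bit 8
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def interesting(pkt):
    """Capture + display filter from the post: UDP/53 to a destination
    that is neither a forwarder nor an internal address."""
    _src, dst, dport, _payload = pkt
    return dport == 53 and dst not in FORWARDERS and not is_internal(dst)

def classify(pkt):
    """'recursive' if RD is set, 'iterative' if not, 'response' if QR is set."""
    flags = struct.unpack("!H", pkt[3][2:4])[0]
    if flags & 0x8000:
        return "response"
    return "recursive" if flags & 0x0100 else "iterative"

def audit(packets):
    """Count query types leaving the server for unexpected external resolvers.
    With forwarders configured, any 'iterative' hit is worth investigating."""
    counts = {"recursive": 0, "iterative": 0, "response": 0}
    for pkt in filter(interesting, packets):
        counts[classify(pkt)] += 1
    return counts

# Constructed sample records: (src, dst, dst_port, payload)
SAMPLE = [
    ("192.168.1.10", "8.8.8.8", 53, dns_header(1, rd=1)),       # forwarder: excluded
    ("192.168.1.10", "192.168.1.11", 53, dns_header(2, rd=1)),  # internal: excluded
    ("192.168.1.10", "198.51.100.7", 53, dns_header(3, rd=0)),  # iterative, external
    ("192.168.1.10", "203.0.113.9", 53, dns_header(4, rd=1)),   # recursive, external
    ("192.168.1.10", "203.0.113.9", 443, b""),                  # not DNS: excluded
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'recursive': 1, 'iterative': 1, 'response': 0}
```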