<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">good point <div><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span class="Apple-style-span" style="color: rgb(0, 0, 128); font-size: 13px; font-weight: bold; ">_____________________________________________________________________________________</span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><b><span style="font-size: 9pt; color: rgb(31, 73, 125); ">Glenn Kelley | Network Architect | Vine Networks | <a href="http://www.VineHosting.com">www.VineHosting.com</a> </span></b></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; color: rgb(31, 73, 125); ">Ohio NOC | 317 South North Street | Washington CH OH 43160<o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; color: rgb(31, 73, 125); "> <b>Skype Messenger</b>: vinehosting<o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; color: rgb(0, 51, 102); ">Email: <a href="mailto:glenn@vinehosting.com">glenn@vinehosting.com</a><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 9pt; color: rgb(31, 73, 125); ">Phone: 740-206-1140 x 6900</span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; "><span style="font-size: 18pt; font-family: Webdings; color: green; ">P</span><span style="font-size: 7.5pt; color: green; ">please don't print this e-mail unless you really need to.</span></div></div></div></div></div></div></span></div></span> </div><br><div><div>On Aug 6, 2009, at 4:42 PM, Derek Schwab wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0; "><div lang="EN-US" link="blue" vlink="purple" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">You can also just mirror the switch port and listen on the mirrored port with wireshark. No need for a separate device/app.<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">-Derek<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><div style="border-right-style: none; border-bottom-style: none; border-left-style: none; border-width: initial; border-color: initial; border-top-style: solid; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding-top: 3pt; padding-right: 0in; padding-bottom: 0in; padding-left: 0in; "><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:discuss-bounces@itdiscuss.org" style="color: blue; text-decoration: underline; ">discuss-bounces@itdiscuss.org</a><span class="Apple-converted-space"> </span>[<a href="mailto:discuss-bounces@itdiscuss.org" style="color: blue; text-decoration: underline; ">mailto:discuss-bounces@itdiscuss.org</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Glenn Kelley<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, August 06, 2009 4:31 PM<br><b>To:</b><span class="Apple-converted-space"> </span>IT Discussion Forum<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [itdiscuss] Mass DNS requests from a VPN user<o:p></o:p></span></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">try using wireshark in-between <o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">setup a transparent bridge and listen using that <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">you will see all the port 53 traffic for sure - and who it is <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">for an easy transparent bridge - (and some fun security stuff to have) check out<span class="Apple-converted-space"> </span><a href="http://www.pfsense.org" style="color: blue; text-decoration: underline; ">www.pfsense.org</a> <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">its free - (makes a nice firewall as well in fact ... ) <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Hope that helps - if stuck skype me <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div><div><div><div><div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span class="apple-style-span"><b><span style="font-size: 10pt; font-family: Calibri, sans-serif; color: navy; ">_____________________________________________________________________________________</span></b></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 9pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Glenn Kelley | Network Architect | Vine Networks |<span class="Apple-converted-space"> </span><a href="http://www.VineHosting.com" style="color: blue; text-decoration: underline; ">www.VineHosting.com</a> </span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 9pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Ohio NOC | 317 South North Street | Washington CH OH 43160</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 9pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> <b>Skype Messenger</b>: vinehosting</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 9pt; font-family: Calibri, sans-serif; color: rgb(0, 51, 102); ">Email:<span class="Apple-converted-space"> </span><a href="mailto:glenn@vinehosting.com" style="color: blue; text-decoration: underline; ">glenn@vinehosting.com</a></span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 9pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Phone: 740-206-1140 x 6900</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div><div style="text-align: center; margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 18pt; font-family: Webdings; color: green; ">P</span><span style="font-size: 7.5pt; font-family: Calibri, sans-serif; color: green; ">please don't print this e-mail unless you really need to.</span><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: black; "><o:p></o:p></span></div></div></div></div></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Aug 6, 2009, at 3:49 PM, Dayron Daugherty wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><br> Over the last couple of days I’ve noticed a HUGE spike in A record DNS requests from our domain. We use OpenDNS and I check stats often. We usually have about 5000-6000 A record resolves in a day. The last 2 days we’ve had 25,000 – 26,000. Our AD servers are set as DNS forwarders which then forward on to the OpenDNS servers.</span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><span style="color: black; "><o:p></o:p></span></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I’ve been able to isolate the source of the DNS bombardment to our VPN server using good ol’ MS Network Monitor on our AD servers and VPN server. However, all that shows in the trace is the VPN serve requesting the DNS lookup and then it being forwarded off to OpenDNS. It doesn’t show the client who requested it. Also I have used DNS debugging logs and it shows roughly the same thing. Most all local clients have admin rights removed from their PCs. This almost completely removed even the smallest of malware issues we’d get even with CA eTrust running and updated. In this case however, most all our remote users are local admins of their laptops.</span><span style="color: black; "><o:p></o:p></span></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-left: 0in; margin-bottom: 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div>_______________________________________________<br>it discuss mailing list:<span class="Apple-converted-space"> </span><a href="mailto:discuss@itdiscuss.org" style="color: blue; text-decoration: underline; ">discuss@itdiscuss.org</a><br>Mailing List:<span class="Apple-converted-space"> </span><a href="http://itdiscuss.org/discuss" style="color: blue; text-decoration: underline; ">http://itdiscuss.org/discuss</a><br>Web Discussion Board:<span class="Apple-converted-space"> </span><a href="http://itdiscuss.org/discuss-forum" style="color: blue; text-decoration: underline; ">http://itdiscuss.org/discuss-forum</a><br>Wiki:<span class="Apple-converted-space"> </span><a href="http://itdiscuss.org/wiki" style="color: blue; text-decoration: underline; ">http://itdiscuss.org/wiki</a><br>Internet Relay Chat:<span class="Apple-converted-space"> </span><a href="irc://irc.freenode.net/citrt" style="color: blue; text-decoration: underline; ">irc://irc.freenode.net/citrt</a><br></div></span></blockquote></div><br></div></body></html>