<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 0 5 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Webdings;
        panose-1:5 3 1 2 1 5 9 6 7 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.apple-style-span
        {mso-style-name:apple-style-span;}
span.EmailStyle18
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple style='word-wrap: break-word;
-webkit-nbsp-mode: space;-webkit-line-break: after-white-space'>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>You can also just mirror the switch port and listen on the
mirrored port with wireshark. No need for a separate device/app.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>-Derek<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> discuss-bounces@itdiscuss.org
[mailto:discuss-bounces@itdiscuss.org] <b>On Behalf Of </b>Glenn Kelley<br>
<b>Sent:</b> Thursday, August 06, 2009 4:31 PM<br>
<b>To:</b> IT Discussion Forum<br>
<b>Subject:</b> Re: [itdiscuss] Mass DNS requests from a VPN user<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>try using wireshark in-between <o:p></o:p></p>
<div>
<p class=MsoNormal>setup a transparent bridge and listen using that <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>you will see all the port 53 traffic for sure - and who it
is <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>for an easy transparent bridge - (and some fun security
stuff to have) check out <a href="http://www.pfsense.org">www.pfsense.org</a> <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal>it's free - (makes a nice firewall as well in fact ...
) <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
<div>
<p class=MsoNormal>Hope that helps - if stuck skype me <o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<p class=MsoNormal align=center style='text-align:center'><span
class=apple-style-span><b><span style='font-size:10.0pt;font-family:"Calibri","sans-serif";
color:navy'>_____________________________________________________________________________________</span></b></span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><b><span
style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Glenn
Kelley | Network Architect | Vine Networks | <a
href="http://www.VineHosting.com">www.VineHosting.com</a> </span></b><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><span
style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ohio
NOC | 317 South North Street | Washington CH OH 43160</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><span
style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <b>Skype
Messenger</b>: vinehosting</span><span style='font-size:11.0pt;font-family:
"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><span
style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#003366'>Email:
<a href="mailto:glenn@vinehosting.com">glenn@vinehosting.com</a></span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><span
style='font-size:9.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Phone:
740-206-1140 x 6900</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:black'><o:p></o:p></span></p>
<p class=MsoNormal align=center style='text-align:center'><span
style='font-size:18.0pt;font-family:Webdings;color:green'>P</span><span
style='font-size:7.5pt;font-family:"Calibri","sans-serif";color:green'>please
don't print this e-mail unless you really need to.</span><span
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:black'><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
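<p class=MsoNormal>The approach both replies describe (mirror the switch port, or put a transparent bridge in line, and watch who is generating the port 53 traffic) turns into a per-source tally quickly once the capture is on the client-facing side of the VPN server. The script below is an added example, not code from either poster, from pfSense, or from Wireshark. It assumes the capture was exported with tshark's field output (the real fields <code>ip.src</code>, <code>dns.qry.name</code> and <code>dns.qry.type</code>), and the rows it parses are constructed sample data, not a real trace. It also checks for the symptom the original poster hit: every query appearing to come from one address, which means the capture was taken behind the VPN server rather than in front of it.</p>

```python
"""Added example: rank DNS query sources from a tshark field export.

Assumed export command (run on a mirrored port or transparent bridge
between the VPN clients and the VPN server):

    tshark -r vpn.pcap -Y "dns.flags.response == 0" \
        -T fields -e ip.src -e dns.qry.name -e dns.qry.type

Each line is tab-separated: source IP, queried name, query type
(1 == A record). SAMPLE_EXPORT below is constructed, not real capture data.
"""
from collections import Counter, defaultdict

SAMPLE_EXPORT = """\
10.8.0.12\tintranet.example.local\t1
10.8.0.12\tmail.example.local\t1
10.8.0.12\tintranet.example.local\t28
10.8.0.37\tupdates.vendor.example\t1
10.8.0.37\tq7x2k9.suspicious.example\t1
10.8.0.37\tp3m8vv.suspicious.example\t1
10.8.0.37\tz0t4hh.suspicious.example\t1
10.8.0.37\tw9c1ll.suspicious.example\t1
10.8.0.37\tr5n6bb.suspicious.example\t1
10.8.0.51\tmail.example.local\t1
"""

A_RECORD = "1"  # dns.qry.type value for an A query


def parse_export(text):
    """Parse tshark field lines into (src, name, qtype) tuples.

    Blank lines and rows with a missing source or name (tshark emits an
    empty field when the packet has no dns.qry.name) are skipped.
    """
    records = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            continue
        records.append((parts[0], parts[1].lower(), parts[2]))
    return records


def rank_sources(records, qtype=A_RECORD):
    """Count queries of one type per source IP, busiest source first."""
    counts = Counter(src for src, _name, qt in records if qt == qtype)
    return counts.most_common()


def source_profiles(records, qtype=A_RECORD):
    """Per-source query count and number of distinct names asked for.

    Many queries spread over many unusual names is the source to look at
    first; many queries for a handful of names is more often a
    misconfigured application retrying.
    """
    names = defaultdict(set)
    totals = Counter()
    for src, name, qt in records:
        if qt != qtype:
            continue
        totals[src] += 1
        names[src].add(name)
    return {src: {"queries": totals[src], "distinct_names": len(names[src])}
            for src in totals}


def capture_point_ok(records):
    """False when every query appears to come from a single IP.

    That is what a trace taken behind the VPN server shows (only the
    server's own address as requester): the capture needs to move to the
    client-facing side before the per-source tally means anything.
    """
    sources = {src for src, _name, _qt in records}
    return len(sources) > 1


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    if not capture_point_ok(recs):
        print("only one source IP seen: capture on the client side of the VPN server")
    profiles = source_profiles(recs)
    for src, n in rank_sources(recs):
        print(f"{src:<15} A-queries={n:<4} distinct-names={profiles[src]['distinct_names']}")
```

<p class=MsoNormal>With the sample rows, 10.8.0.37 tops the list with six A queries over six distinct names, which is the shape worth checking on that laptop first. Run against a real export, the same ranking answers the thread's question of "who it is" without needing a separate device beyond the mirrored port or bridge.</p>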
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal>On Aug 6, 2009, at 3:49 PM, Dayron Daugherty wrote:<o:p></o:p></p>
</div>
<p class=MsoNormal><br>
<br>
<o:p></o:p></p>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><br>
Over the last couple of days I’ve noticed a HUGE spike in A record
DNS requests from our domain. We use OpenDNS and I check stats often. We
usually have about 5000-6000 A record resolves in a day. The last 2 days we’ve
had 25,000 – 26,000. Our AD servers are set as DNS forwarders which then
forward on to the OpenDNS servers.</span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p>
</div>
<div>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I’ve been able to isolate the source of the DNS bombardment to
our VPN server using good ol’ MS Network Monitor on our AD servers and VPN
server. However, all that shows in the trace is the VPN server requesting the
DNS lookup and then it being forwarded off to OpenDNS. It doesn’t show the
client who requested it. Also I have used DNS debugging logs and it shows
roughly the same thing. Most all local clients have admin rights removed from
their PCs. This almost completely removed even the smallest of malware issues
we’d get even with CA eTrust running and updated. In this case however, most
all our remote users are local admins of their laptops.</span><span
style='color:black'><o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</div>
</body>
</html>