Standard User BJP
(newbie) Mon 12-May-14 21:04:05

strange dns problems


 
This may, or may not be a security issue.
I have recently noticed web pages being very slow to complete loading and began to suspect a dns problem. I recently had to replace the dsl router as my old speedtouch was dying, the new Draytek can give me info on NAT connections.

First I noticed quite a lot of port 53 dns connections to my dns provider (OpenDNS for a little protection) when either PC starts up. I'm a little puzzled by ~20 connections before any browser activity (even on the main linux PC).

Now running Namebench, it tells me that only 0.1% of dns servers are working correctly (on the fast test so far)!

Does anyone know what might be happening?

BJP

Edited by BJP (Mon 12-May-14 21:17:43)
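
An added example, not part of the original post: one way to check a router's NAT session list for what BJP describes, counting port 53 sessions per LAN host and flagging any that go to a resolver other than the configured OpenDNS addresses. The session layout, LAN addresses and sample lines are constructed for illustration and are not the Draytek's actual output format.

```python
import ipaddress
from collections import Counter

# Resolvers the LAN is expected to use: the public OpenDNS addresses.
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample in a generic "proto src:port dst:port" layout
# (an assumption; this is not the Draytek's real NAT table format).
SAMPLE_SESSIONS = """\
udp 192.168.1.10:40211 208.67.222.222:53
udp 192.168.1.10:40212 208.67.222.222:53
udp 192.168.1.10:40213 208.67.220.220:53
tcp 192.168.1.10:51514 93.184.216.34:443
udp 192.168.1.20:53110 208.67.222.222:53
udp 192.168.1.20:53111 203.0.113.53:53
bad line
"""

def split_endpoint(text):
    """Split 'ip:port' into (ip, port); raises ValueError if malformed."""
    host, _, port = text.rpartition(":")
    ipaddress.ip_address(host)  # rejects anything that is not an IP address
    return host, int(port)

def summarise_dns(sessions, expected=EXPECTED_RESOLVERS):
    """Return (DNS session count per LAN host, sorted unexpected (host, resolver) pairs)."""
    counts = Counter()
    unexpected = set()
    for line in sessions.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        try:
            src, _ = split_endpoint(parts[1])
            dst, dport = split_endpoint(parts[2])
        except ValueError:
            continue
        if dport != 53:
            continue  # only DNS sessions are of interest here
        counts[src] += 1
        if dst not in expected:
            unexpected.add((src, dst))
    return counts, sorted(unexpected)

if __name__ == "__main__":
    counts, unexpected = summarise_dns(SAMPLE_SESSIONS)
    for host, n in counts.most_common():
        print(f"{host}: {n} DNS session(s)")
    for host, resolver in unexpected:
        print(f"UNEXPECTED resolver {resolver} used by {host}")
```

A high session count to the expected resolvers at start-up is ordinary; a session to a resolver outside the expected set is the entry worth following up on the host that made it.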

Standard User Pipexer
(eat-sleep-adslguide) Mon 12-May-14 21:34:38

Re: strange dns problems


[re: BJP]
 
What Draytek model? Draytek DNS implementation is pretty good... I'd point your machines to the router as DNS and you can still specify OpenDNS for your draytek to use if you really want.

OpenDNS = Not keen myself..

The PC will probably be doing things like Windows Update, etc, etc, I wouldn't get alarmed too much... Most of us wouldn't see this as the DNS would be getting pointed to the router rather than nameservers on the internet.

Try GRC DNS Benchmark: https://www.grc.com/dns/benchmark.htm

Zen 8000 Pro

Edited by Pipexer (Mon 12-May-14 21:35:49)

Standard User BJP
(newbie) Mon 12-May-14 22:23:51

Re: strange dns problems


[re: Pipexer]
 
Hi Pipexer, I understand your point about using the router to resolve, I tend to configure each machine so if the router gets dns hacked, they still have a chance. Yes, I am completely paranoid about the internet!

I kind of expected the Windows PC to have a lot of connections, and the linux box to check the ubuntu repositories, but so many from the linux one?

I just tried Namebench, but forgot to set the default nameserver from 127.0.0.1 to something meaningful, so I suppose the results are contaminated by caching.

I suppose I lose the opportunity to use the Draytek Vigor's dns cache by pointing outside, maybe that's causing my problems?

BJP



Standard User Pipexer
(eat-sleep-adslguide) Tue 13-May-14 18:49:06

Re: strange dns problems


[re: BJP]
 
Draytek routers aren't going to be hacked anytime soon so I'd certainly recommend putting everything back to the Draytek as DNS and then the Draytek by default will use your ISP's DNS servers, but you can override this in the router. Either way this will get some local network caching for you and things should improve performance-wise.

Unfortunately I can't comment on your Linux box... But I don't think you have too much to worry about actually, a few DNS requests in NAT table isn't an issue.

What you may like to do is enable Data Flow Monitor on your Draytek and check what data is going in and out, and also look at the history, to see if anything is abnormal.

Zen 8000 Pro

Edited by Pipexer (Tue 13-May-14 18:49:39)

Standard User BJP
(newbie) Tue 13-May-14 22:13:14

Re: strange dns problems


[re: Pipexer]
 
In reply to a post by Pipexer:
Draytek routers aren't going to be hacked anytime soon...

Actually were they not hacked recently along with Huawei ones, which doesn't give me as much confidence? Besides, I suspect the only real difference between home routers and a semi-business one like this is that they keep the firmware updated a bit longer.

I've not got around to making the changes yet, but I ran Namelist and the GRC equivalent you mentioned and I'm beginning to wonder if my lost DNS queries are partly some ddos defence mechanism.

I'll post again when I figure it out, but thanks for the suggestions.

BJP

Standard User BJP
(newbie) Wed 14-May-14 23:28:54

Re: strange dns problems


[re: BJP]
 
I've solved a lot of my webpage loading problems by using auto-allocated dns and pointing devices up the chain to the Draytek.

But I still have strange results from the GRC dns tool, "less than 25% of nameservers are responding". Similarly from Namebench on the linux box, "strange, less than 0.1% of nameservers are responding."

But I don't understand what's happening there. Maybe because of dns amplification attacks?

BJP

Standard User caffn8me
(knowledge is power) Fri 16-May-14 01:18:40

Re: strange dns problems


[re: BJP]
 
I have noticed a number of slow or unresponsive DNS servers over the past few days - far more than usual. I use my own up-to-date DNS servers which work perfectly. It's remote DNS servers which are sometimes not responding. I've had lookup failures for amazon.co.uk, city-link.co.uk and several other well known sites too. Outages last a short period of a few minutes.

I think the likeliest culprit is some form of distributed denial of service attack. These have been seen in the past few days; http://www.itproportal.com/2014/05/13/enormous-dns-d...

Sarah

--
If I can't drink my bowl of coffee three times daily, then in my torment, I will shrivel up like a piece of roast goat

Spiders on coffee - Badass spiders on drugs