[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?

Michael Holstein michael.holstein at csuohio.edu
Tue Sep 27 16:40:26 GMT 2005

Sounds like you might have "enable DNS to use WINS resolution" turned on 
  (URLs may wrap) :


Or more correctly, the "reverse lookup" part of the above :



Michael Holstein CISSP GCIA
Cleveland State University

Irwin Tillman wrote:
> In recent weeks, I've been seeing an increasing volume in DNS traffic from some Windows machines
> in a pattern that I've not seen before.  
> Because the affected machines are almost entirely student machines,
> I thought I'd check with unisog folks to see if they've seen the
> pattern before.
> Each of the affected machines is sending two DNS lookups for every 
> UDP broadcast packet it hears involving NetBIOS ports 137 or 138.
> E.g. if a machine (say on network (say broadcasts:
> Then each affected Windows machine (say on the same network
> issues the following two lookups to the DNS server (say
>    IP > 2+ PTR?
>    IP >  2+ PTR?
> Other characteristics:
> * The DNS server responds to the first query with the name corresponding
> to the PTR record, with a 12-hour TTL.  The affected Windows machine
> does not cache this, because the next time it sees a similar packet
> from the same machine A, it repeats the query.
> * The DNS server responds to the second query with an NXDOMAIN response;
> the requested IP address is the all-1's style subnet directed broadcast
> address for the subnet, a value that is not particularly useful to look up in DNS.
> The negative caching TTL is 10 minutes.
> The affected Windows machine
> does not cache this, because the next time it sees a similar packet
> from any machine it repeats the query.
> * All the affected Windows machines sending the DNS queries have three DNS servers (learned via DHCP).
> Unexpectedly, all send these queries not to the first DNS server in the list, but to the third.
> Naturally, this DNS behavior doesn't scale.  
> If there are X such NetBIOS-over-IP broadcasts per second on the network,
> and Y affected Windows machines, the DNS server will receive 2 * X * Y 
> DNS queries per second.
> I see the number Y  (the number of affected Windows machines) growing here;
> it's already resulted in quadrupling the DNS query rate to some DNS servers here.
> Does anyone know what causes some Windows machines to produce this
> unfortunate DNS behavior?  
> / Irwin Tillman, OIT Network Systems, Princeton University
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
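A log-side check for the pattern Irwin describes, as an added example (not code from either poster): it reads BIND-style query-log lines (constructed sample data, simplified to a numeric timestamp) and flags clients that re-ask the same PTR question inside the TTL the server handed out, plus PTR questions for subnet-directed broadcast addresses, so the affected hosts can be identified from the server side.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines: "<seconds> client <ip>#<port>: query: <qname> IN PTR +"
SAMPLE_LOG = """\
0 client 10.1.2.50#1025: query: 20.2.1.10.in-addr.arpa IN PTR +
0 client 10.1.2.50#1026: query: 255.2.1.10.in-addr.arpa IN PTR +
5 client 10.1.2.50#1027: query: 20.2.1.10.in-addr.arpa IN PTR +
5 client 10.1.2.50#1028: query: 255.2.1.10.in-addr.arpa IN PTR +
7 client 10.1.2.51#1029: query: 20.2.1.10.in-addr.arpa IN PTR +
50000 client 10.1.2.50#1030: query: 20.2.1.10.in-addr.arpa IN PTR +
"""

LINE_RE = re.compile(r"^(\d+) client (\S+)#\d+: query: (\S+) IN PTR")


def ptr_to_ip(qname):
    """Turn 'd.c.b.a.in-addr.arpa' back into 'a.b.c.d'; None if not a v4 PTR name."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ip_address(".".join(reversed(labels[:4]))))
    except ValueError:
        return None


def analyse(log, subnets, ttl_seconds):
    """Count, per client, PTR queries repeated before the TTL has expired
    (the client is not caching) and PTR queries for broadcast addresses."""
    broadcast_ips = {str(ip_network(s).broadcast_address) for s in subnets}
    last_seen = {}               # (client, ip) -> time of the previous query
    repeats = defaultdict(int)   # (client, ip) -> queries issued inside the TTL
    broadcast = defaultdict(int) # client -> queries for a broadcast address
    total = defaultdict(int)     # client -> all PTR queries seen
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, client, ip = int(m.group(1)), m.group(2), ptr_to_ip(m.group(3))
        if ip is None:
            continue
        total[client] += 1
        if ip in broadcast_ips:
            broadcast[client] += 1
        key = (client, ip)
        if key in last_seen and t - last_seen[key] < ttl_seconds:
            repeats[key] += 1
        last_seen[key] = t
    return {"repeats": dict(repeats), "broadcast": dict(broadcast), "total": dict(total)}
```

Run against a real query log, the clients with high `repeats` and `broadcast` counts are the ones generating the 2 * X * Y load; the 12-hour TTL from the post is the natural `ttl_seconds` value.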
