[unisog] DNS queries from Windows clients for every udp/137 and udp/138 broadcast they hear?

Michael Holstein michael.holstein at csuohio.edu
Tue Sep 27 16:40:26 GMT 2005


Sounds like you might have "enable DNS to use WINS resolution" turned on
(URLs may wrap):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/e9989cf0-dd32-4cba-8098-f137bc154ac9.mspx

Or more correctly, the "reverse lookup" part of the above:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/edf68cca-86f1-4b89-8e44-79f768963e95.mspx

Regards,

Michael Holstein CISSP GCIA
Cleveland State University


Irwin Tillman wrote:
> In recent weeks, I've been seeing an increasing volume of DNS traffic from some Windows machines
> in a pattern that I've not seen before.
> 
> Because the affected machines are almost entirely student machines,
> I thought I'd check with unisog folks to see if they've seen the
> pattern before.
> 
> 
> Each of the affected machines is sending two DNS lookups for every
> UDP broadcast packet it hears involving NetBIOS ports 137 or 138.
> 
> E.g. if a machine (say 10.1.57.8) on network (say 10.1.0.0/16) broadcasts:
> 
>     IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
> 
> Then each affected Windows machine (say 10.1.3.4) on the same network
> issues the following two lookups to the DNS server (say 192.168.1.1):
> 
>    IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
>    IP 10.1.3.4.3639 > 192.168.1.1.53  2+ PTR? 255.255.1.10.in-addr.arpa.
> 
> 
> Other characteristics:
> 
> * The DNS server responds to the first query with the name corresponding
> to the PTR record, with a 12-hour TTL.  The affected Windows machine
> does not cache this, because the next time it sees a similar packet
> from the same machine A, it repeats the query.
> 
> * The DNS server responds to the second query with an NXDOMAIN response;
> the requested IP address is the all-ones style subnet directed broadcast
> address for the subnet, a value that is not particularly useful to look up in DNS.
> The negative caching TTL is 10 minutes.
> The affected Windows machine
> does not cache this, because the next time it sees a similar packet
> from any machine it repeats the query.
> 
> * All the affected Windows machines sending the DNS queries have three DNS servers (learned via DHCP).
> Unexpectedly, all send these queries not to the first DNS server in the list, but to the third.
> 
> 
> Naturally, this DNS behavior doesn't scale.  
> If there are X such NetBIOS-over-IP broadcasts per second on the network,
> and Y affected Windows machines, the DNS server will receive 2 * X * Y 
> DNS queries per second.
> I see the number Y  (the number of affected Windows machines) growing here;
> it's already resulted in quadrupling the DNS query rate to some DNS servers here.
> 
> Does anyone know what causes some Windows machines to produce this
> unfortunate DNS behavior?  
> 
> / Irwin Tillman, OIT Network Systems, Princeton University
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog
> 
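The pattern Irwin describes (two PTR queries per NetBIOS broadcast, one for the broadcaster and one for the subnet's directed broadcast address, never cached) is easy to confirm from a packet capture. The script below is an added example and is not part of the thread or anything Microsoft ships: it parses tcpdump-style lines in the notation quoted above, learns which hosts are broadcasting on udp/137 and udp/138, classifies each PTR query a client sends, and reports the clients that show the full pattern plus the (client, target) pairs asked more than once, which is the "not cached" symptom. The sample capture, the 10.1.0.0/16 subnet and the 192.168.1.1 resolver are taken from the thread's own example numbers; the timestamps and the extra hosts 10.1.9.9 and 10.1.20.1 are constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample capture in the tcpdump-style notation quoted in the thread.
# One host broadcasts twice, two clients react each time, and 10.1.20.1 does an
# ordinary A lookup that must not be flagged.
SAMPLE_CAPTURE = """\
10:00:00.000 IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:00:00.010 IP 10.1.3.4.3638 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
10:00:00.011 IP 10.1.3.4.3639 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
10:00:00.012 IP 10.1.9.9.4001 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
10:00:00.013 IP 10.1.9.9.4002 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
10:00:01.000 IP 10.1.57.8.137 > 10.1.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:00:01.010 IP 10.1.3.4.3640 > 192.168.1.1.53: 2+ PTR? 8.57.1.10.in-addr.arpa.
10:00:01.011 IP 10.1.3.4.3641 > 192.168.1.1.53: 2+ PTR? 255.255.1.10.in-addr.arpa.
10:00:02.000 IP 10.1.20.1.1025 > 192.168.1.1.53: 1+ A? www.example.com.
"""

# "<ts> IP a.b.c.d.sport > e.f.g.h.dport: payload"; the colon is optional because
# some captures (and the thread's second quoted line) omit it.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):?\s+(?P<payload>.*)$"
)
PTR_RE = re.compile(r"PTR\?\s+(?P<name>[\d.]+)\.in-addr\.arpa\.")


def analyze(capture, subnet):
    """Correlate NBT broadcasts with the PTR queries clients send afterwards."""
    net = ipaddress.ip_network(subnet)
    directed_bcast = str(net.broadcast_address)   # 10.1.255.255 for 10.1.0.0/16
    nbt_sources = set()                            # hosts seen broadcasting on 137/138
    per_client = defaultdict(Counter)              # client -> kind -> count
    repeats = Counter()                            # (client, target) -> times asked
    nbt_broadcasts = 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, dport, payload = m.group("src", "dst", "dport", "payload")
        if dport in ("137", "138") and dst == directed_bcast and payload.startswith("NBT"):
            nbt_sources.add(src)
            nbt_broadcasts += 1
            continue
        if dport != "53":
            continue
        p = PTR_RE.search(payload)
        if not p:
            per_client[src]["other"] += 1
            continue
        # PTR names carry the octets reversed: 8.57.1.10 -> 10.1.57.8
        target = ".".join(reversed(p.group("name").split(".")))
        if target == directed_bcast:
            kind = "broadcast"          # never a useful lookup; always NXDOMAIN
        elif target in nbt_sources:
            kind = "nbt_source"         # reverse lookup of a host that just broadcast
        else:
            kind = "other"
        per_client[src][kind] += 1
        repeats[(src, target)] += 1
    # A client shows the pattern when it looks up both the broadcaster and the
    # broadcast address; a (client, target) pair asked more than once shows the
    # answer (positive or negative) is not being cached.
    affected = sorted(c for c, k in per_client.items() if k["broadcast"] and k["nbt_source"])
    uncached = sorted(key for key, n in repeats.items() if n > 1)
    return {
        "nbt_broadcasts": nbt_broadcasts,
        "affected_clients": affected,
        "per_client": {c: dict(k) for c, k in per_client.items()},
        "uncached_repeats": uncached,
    }


def projected_query_rate(broadcasts_per_sec, affected_clients):
    """The scaling estimate from the thread: 2 * X * Y queries per second."""
    return 2 * broadcasts_per_sec * affected_clients


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE, "10.1.0.0/16")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("projected qps at 5 broadcasts/s and 200 affected clients:",
          projected_query_rate(5, 200))
```

Against a real capture, feed `analyze()` the output of `tcpdump -n -tt 'udp port 53 or udp port 137 or udp port 138'` and pass the local subnet; the `affected_clients` list is the set of machines to check for the WINS reverse-lookup setting Michael points to, and a long `uncached_repeats` list on the resolver side is the symptom worth graphing before the query rate doubles again.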

