
Port 1118 UDP traffic to outside DNS servers

Status
Not open for further replies.

quell

IS-IT--Management
Nov 8, 2002
363
US
I am currently seeing a lot of UDP traffic from port 1118 on our DNS server to an outside DNS server. This is slowing our internet connection down. I thought DNS ran on port 53. Our DNS server has DNS forward entries. These IPs are the ones that our server is sending UDP packets to. I tried unchecking the DNS forwarding but am still getting the same issue. Any ideas? Or could someone explain this to me? Thanx!!
 
Normally any client (e.g. a program requesting data remotely) will do this by creating an IP address, port number pair:
source IP, source port to target IP address, target port.
On the internet these will/must always be unique.
The client always creates the connection with a random high (over 1024) port number, and the target port number according to the service, e.g. 53 for DNS or 80 for web.
It would seem that your DNS is using 1118 to connect to 53.
If you remove the forwarder, your DNS still needs to ask around for answers that it cannot find itself, typically from the "root hints", so when you remove your forwarder you should see the target IP change.

Usually DNS tries to use UDP first, and if that fails, tries with TCP.
Remember this when creating filters and firewalls.

mvh Nicolai
 
I'll elaborate on what Niksen said. A DNS server has port 53 open, waiting for clients to connect to it. The clients need to connect to the remote port 53 from a local port, which as Niksen said, is some port above 1024. Check your root hints in DNS to see if the addresses in there are the same that were in your forwarders. If so, then this is probably just normal DNS traffic. Also, how did you know that this traffic is slowing down your network?
 
Thank you guys for your information. Here are the logs from my firewall. 192.168.0.7 is my dc/dns server.
>how did you know that this traffic is slowing down your network?
Whenever employees see a slowdown of the internet traffic (visiting web sites etc.) I go to my firewall and look at the connections and it has pages and pages of what is listed below. When internet traffic is running well the firewall does not have these connections, so that leads me to believe that it is the DNS traffic slowing down my connection.
As you can see the traffic does not originate from port 53 or go to port 53 on the outside DNS server. I have searched Google and the RFCs for anything on port 1118 with no luck. So I'm not sure if this is DNS traffic. The IPs are my ISP DNS servers and are listed in my DNS. I'm not sure what was going on, but I rebooted the server and it seems to be working fine now. *knock on wood*

UDP out 66.128.96.3:15578 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:15613 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:7410 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:7576 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:15744 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:15791 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:15776 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.4:15791 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.4:15776 in 192.168.0.7:1118 idle 0:00:30 flags dD

UDP out 24.217.0.4:9770 in 192.168.0.7:1118 idle 0:01:15 flags D
UDP out 24.217.0.4:5725 in 192.168.0.7:1118 idle 0:01:11 flags D
UDP out 24.217.0.4:5696 in 192.168.0.7:1118 idle 0:01:14 flags D
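Added here as an illustration, not part of the original thread: a small Python parser for PIX `show conn` entries in the format quoted above. It groups entries by inside endpoint so the pattern the poster describes is visible at a glance (one fixed inside port, many different outside ports, port 53 on neither side), and expands the two flag letters present using the PIX `show conn` legend (D = DNS, d = dump). The sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the PIX 'show conn' format used on this page (values copied from the thread).
SAMPLE = """\
UDP out 66.128.96.3:15578 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.3:15613 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 66.128.96.4:15791 in 192.168.0.7:1118 idle 0:00:30 flags dD
UDP out 24.217.0.4:9770 in 192.168.0.7:1118 idle 0:01:15 flags D
UDP out 24.217.0.4:5725 in 192.168.0.7:1118 idle 0:01:11 flags D
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d) flags (?P<flags>\S+)$"
)
# The two show conn flag letters that appear in the thread, per the PIX show conn legend.
FLAG_NAMES = {"D": "DNS", "d": "dump"}


def parse_conn(line):
    """Return one entry as a dict, or None for a line not in show conn format."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["out_port"], d["in_port"] = int(d["out_port"]), int(d["in_port"])
    d["flag_names"] = [FLAG_NAMES.get(f, f) for f in d["flags"]]  # unknown letters kept as-is
    return d


def summarize(text):
    """Group entries by inside endpoint and report what varies on the outside."""
    groups = defaultdict(list)
    for line in text.splitlines():
        e = parse_conn(line)
        if e:
            groups[(e["proto"], f"{e['in_ip']}:{e['in_port']}")].append(e)
    return {
        key: {
            "count": len(entries),
            "outside_hosts": sorted({e["out_ip"] for e in entries}),
            "distinct_outside_ports": len({e["out_port"] for e in entries}),
            # True only if either side of some entry uses the DNS service port
            "port_53_seen": any(53 in (e["out_port"], e["in_port"]) for e in entries),
            "flags": sorted({n for e in entries for n in e["flag_names"]}),
        }
        for key, entries in groups.items()
    }
```

Running `summarize(SAMPLE)` on the thread's lines yields a single group for 192.168.0.7:1118 with five distinct outside ports across three outside hosts and `port_53_seen` false, which is exactly the observation the poster makes in the text.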
 
That's strange. I couldn't find any info either on what port 1118 may be used for. Have you scanned your DNS server for viruses? You could also block that port with the firewall and see what happens.
 
I have Symantec Corporate Edition installed on my server (192.168.0.7) and yes, I did a scan (nothing) and I also did a netstat -an but nothing popped up out of the ordinary. I looked in the task manager and nothing strange there either, so I dunno, not sure. If it was a virus then why would it only attack my ISP DNS servers? I have a Cisco PIX 515 firewall and it blocks all ports but lets outbound traffic flow freely. I do not browse the internet with that server. Maybe if I could find out what those flags mean it would help. But no luck on that issue either.
 
Hi.

I've seen such strange port usage in other places also, and I don't have an explanation for why it is so.
However, you should also check other applications running on the server, like an SMTP mail server or web server.
These can also generate DNS-related traffic.

You can use TCPVIEW from here to find out which process is involved:

Bye


Yizhar Hurwitz
 
Thanx Yizhar, awesome program!! That site is full of good ones.
 
Hey Yizhar,
Thanx again for recommending that program. It's my new fav :) That server is a DC, DNS, DHCP, WINS, IAS, TS License Server and a file server. Here is what I found from that program:

DNS.EXE:1580 TCP USIFILE:domain USIFILE:0 LISTENING
DNS.EXE:1580 UDP USIFILE:domain *:*
DNS.EXE:1580 TCP USIFILE:14630 USIFILE:0 LISTENING
DNS.EXE:1580 TCP USIFILE:14630 localhost:ldap ESTABLISHED
DNS.EXE:1580 TCP USIFILE:1383 USIFILE:0 LISTENING
DNS.EXE:1580 UDP USIFILE:1380 *:*
DNS.EXE:1580 UDP USIFILE:1118 *:*
DNS.EXE:1580 UDP USIFILE:1117 *:*
DNS.EXE:1580 TCP USIFILE:1116 USIFILE:0 LISTENING
DNS.EXE:1580 UDP usifile.usi.com:domain *:*

However, it has not been flooding the outside DNS servers like it was before the reboot. The firewall still shows some connections, but not near as many as it was.
 
Yizhar: BTW, since you're the PIX Firewall Master ;) would you happen to have a good link that defines the flags at the end of a sh conn entry? flags dD, flags D, etc. I know there are a bunch more, but I cannot find a site that defines what they mean.
