Strange DNS problems on LAN

Discussion in 'Networks' started by zebulebu, Dec 7, 2007.

  1. zebulebu (Terabyte Poster)

    Hoping someone here has encountered this before.

    Yesterday I noticed thousands of DNS queries bouncing around my LAN. They were all to internal hosts - no queries beyond the local DNS server other than bona fide ones made via the forwarder configured on the server. The DNS server is configured not to make zone transfers, and all the queries are UDP port 53 anyway, so that rules out some nefarious activity related to that. I'm still worried I've somehow been compromised but haven't seen anything in logfiles that indicates this yet - my network runs like clockwork and has done for over four years.

    Ordinarily, my LAN clients are set to use the local DNS server as their primary (and only) DNS - the primary forwards DNS queries to the firewall which routes them out. When I started experiencing this yesterday I disconnected the internal DNS from the outside world by disabling recursion and gave the clients my ISP's nameservers. However, the clients are still making thousands of (seemingly) random queries for hosts on my LAN. At the lowest level it looks for all the world like worm-type behaviour, but none of the queries are for hosts outside my LAN, and there are no connections to external (publicly routable) hosts either established or attempted - like you would expect to see from something looking for comms with an IRC channel, for instance.

    All AV and malware scans show up negative. When I run a process monitor I can't see anything that looks out of the ordinary - the PID responsible for issuing the queries belongs to the generic 'Network Service' process running under lsass - again another pointer to worm-like behaviour (Sasser) but I am patched up to the hilt so, unless it's some piece of unknown scumware that someone has tricked onto my LAN, I'm leaning towards there being a problem with DNS. I can't see anything obvious in the event logs and, tbh, I was planning on flattening and rebuilding over xmas anyway, but it would be nice if anyone who has encountered a similar issue could point me in the right direction just so that I can resolve it for now. Otherwise it means bringing my rebuild forward a couple of weeks - something that I'd rather not do with a bust weekend ahead!

    Network is mixed 2K/2K3 (told you it had been running a while!), clients are exclusively XPProSP2

    Cheers :biggrin
     
    Certifications: A few
    WIP: None - f*** 'em
  2. Sparky (Zettabyte Poster, Moderator)

    What are the DNS queries? Are they legit (e.g. fileserver) or are they for random PC names that really should not need to be accessed?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
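One way to make Sparky's check concrete, as an added example that is not from the thread: a script over constructed tcpdump-style DNS query summary lines (sample data, not a real capture; the 192.168.1.x addresses and corp.local names are made up) that groups queries by client, estimates the query rate, and says whether a flooding client is asking for the same few legitimate names over and over (as zebulebu reports) or for many distinct hostnames, which would look more like internal host discovery.

```python
import re
from collections import defaultdict

# tcpdump-style DNS query summary: "HH:MM:SS.uuuuuu IP src.port > dst.53: id+ TYPE? name. (len)"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"\d+\.\d+\.\d+\.\d+\.53: \d+\+? (?P<qtype>[A-Z]+)\? (?P<name>\S+) \(\d+\)$"
)

def build_sample():
    # Constructed sample, not a real capture: DC-hammering client, name-scanning client, quiet client.
    lines, dcs = [], ["dc1.corp.local.", "dc2.corp.local."]
    for i in range(12):
        ts = "10:00:00.%06d" % (i * 50000)  # 12 queries inside 0.6 s
        lines.append(f"{ts} IP 192.168.1.20.{3000 + i} > 192.168.1.5.53: "
                     f"{1000 + i}+ A? {dcs[i % 2]} (30)")
        lines.append(f"{ts} IP 192.168.1.40.{4000 + i} > 192.168.1.5.53: "
                     f"{2000 + i}+ A? ws-{i:04x}.corp.local. (34)")
    lines.append("10:00:05.000000 IP 192.168.1.30.5000 > 192.168.1.5.53: "
                 "3001+ A? fileserver.corp.local. (37)")
    return lines

def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyze(lines, flood_qps=5.0, distinct_ratio=0.5):
    # Per source: how many queries, how many distinct names, how fast, and a rough verdict.
    per_src = defaultdict(lambda: {"times": [], "names": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line (responses, non-DNS traffic)
        per_src[m["src"]]["times"].append(to_seconds(m["ts"]))
        per_src[m["src"]]["names"].add(m["name"].rstrip(".").lower())
    report = {}
    for src, rec in per_src.items():
        count = len(rec["times"])
        span = max(max(rec["times"]) - min(rec["times"]), 1.0)  # floor at 1 s for short bursts
        qps = count / span
        if qps < flood_qps:
            verdict = "normal"
        elif len(rec["names"]) / count >= distinct_ratio:
            verdict = "scan-like"  # many different names: looks like host discovery
        else:
            verdict = "repeat-query-flood"  # same few names over and over: client/resolver fault
        report[src] = {"queries": count, "distinct": len(rec["names"]),
                       "qps": round(qps, 1), "verdict": verdict}
    return report
```

Feed it real `tcpdump -n -i <iface> udp port 53` output instead of `build_sample()` and the "repeat-query-flood" verdict is the pattern described in this thread, while "scan-like" is the one worth treating as a possible compromise.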
  3. zebulebu (Terabyte Poster)

    Hey Sparks

    They're definitely legit - all for two DCs on the LAN except for the odd one or two querying the SOA record. No spurious hostnames that would make it look like a random internal scan of potential hosts.
     
    Certifications: A few
    WIP: None - f*** 'em
  4. Stoney (Megabyte Poster)

    You haven't got a machine packet sniffing somewhere have you?
     
    Certifications: 25 + 50 metre front crawl
    WIP: MCSA - Exam 70-270
  5. Sparky (Zettabyte Poster, Moderator)

    Weird. Is there anything unusual with the cached DNS entries on the hosts? Is there a low TTL or something like that? Long shot I must admit but it might be worth having a look and perhaps re-applying the defaults.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  6. zebulebu (Terabyte Poster)

    Aye - thought it might be the TTL but it's the default already. Nowt funny in the caches either. It's a mystery I tells ya!

    Looks like I'll be in flatten & reinstall country this weekend, so beers at home before the Hatton fight methinks! Might get the AD up & running before I get pissed - at least then my new domain won't be 'zbepulabu' or something...
     
    Certifications: A few
    WIP: None - f*** 'em
  7. Sparky (Zettabyte Poster, Moderator)

    Or you flatten the wrong server :alc :ohmy :sick
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  8. ffreeloader (Terabyte Poster)

    Just out of curiosity, are all your clients doing this?
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
