Why is WinSrv2008 DNS Server triggering UDP Floods?
I checked the logs on my NETGEAR firewall, and I am getting logs like this a lot:

    2010 Oct 9 16:23:31 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.xx.xx.xx DST=yy.yy.yy.yy PROTO=UDP SPT=57860 DPT=53

The source is my DNS server, running WinSrv 2008 R2; the destination is the ISP DNS server that is a forwarder for our network. The flooded messages are very regular: there were 52 messages at 6:46 AM, 9 messages at 10:51 AM, 12 messages at 12:11 PM, 18 messages at 14:19 PM, 11 messages at 14:43 PM, 13 messages at 16:23 PM, 33 messages at 16:35 PM. None in the last 2 1/2 hours.

What is causing this, any ideas? I feel the DNS server is doing something weird, not the firewall, but I am not sure... thanks for your help!
October 9th, 2010 6:58pm

The most simple and quickest way to determine what traffic the DNS server is sending is to load either Network Monitor or Wireshark (packet capture software) on the server and look at the DNS UDP packets. The information can be found in the DNS portion of the packet.

Visit: anITKB.com, an IT Knowledge Base.
October 9th, 2010 9:25pm

Hi Don Awalt,

Thanks for posting here. In addition to JM's suggestion, if you suspect the domain name service caused this unknown connection issue, you might also like to use the DNS debug logging feature and check the event log to monitor DNS activity. What about the DST addresses: are all these destination addresses the ISP DNS server?

Using server debug logging options: http://technet.microsoft.com/en-us/library/cc776361(WS.10).aspx

Thanks.
Tiger Li

Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 12th, 2010 12:40am
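Before reaching for a packet capture, the firewall log itself can answer Tiger Li's question (are all the DST addresses the ISP forwarder?) and confirm the burst pattern the question describes. The following is an added example, not code from the thread: it parses the FVX538 log format quoted above, groups UDP-FLOOD events to port 53 by minute and source host, and flags any destination that is not in the set of known forwarders. The sample log lines and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Regex for the NETGEAR FVX538 kernel log line quoted in the question.
# The timestamp is captured down to the minute so events can be bucketed.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}):\d{2} \[(?P<dev>[^\]]+)\] \[kernel\] "
    r"(?P<event>[A-Z-]+) IN=(?P<in>\w+) OUT=(?P<out>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses), shaped like the
# lines in the question: two bursts, one stray destination, and one non-DNS line.
SAMPLE_LOG = """\
2010 Oct 9 06:46:02 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.0.0.5 DST=203.0.113.1 PROTO=UDP SPT=57860 DPT=53
2010 Oct 9 06:46:02 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.0.0.5 DST=203.0.113.1 PROTO=UDP SPT=57861 DPT=53
2010 Oct 9 06:46:03 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.0.0.5 DST=203.0.113.2 PROTO=UDP SPT=57862 DPT=53
2010 Oct 9 10:51:10 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.0.0.5 DST=203.0.113.1 PROTO=UDP SPT=57901 DPT=53
2010 Oct 9 10:51:11 [FVX538] [kernel] UDP-FLOOD IN=LAN OUT=WAN SRC=10.0.0.7 DST=198.51.100.9 PROTO=UDP SPT=40000 DPT=123
"""

def parse(lines):
    """Yield a dict of fields for every line matching the firewall format; skip others."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(lines, forwarders):
    """Bucket UDP-FLOOD events to port 53 by minute and source host, and count
    destinations that are not one of the configured ISP forwarders."""
    bursts = defaultdict(Counter)   # minute -> Counter of source addresses
    unexpected = Counter()          # destination not in forwarders -> count
    for ev in parse(lines):
        if ev["event"] != "UDP-FLOOD" or ev["proto"] != "UDP" or ev["dpt"] != "53":
            continue
        bursts[ev["ts"]][ev["src"]] += 1
        if ev["dst"] not in forwarders:
            unexpected[ev["dst"]] += 1
    return dict(bursts), dict(unexpected)

if __name__ == "__main__":
    bursts, unexpected = summarize(SAMPLE_LOG.splitlines(), {"203.0.113.1"})
    for minute, sources in sorted(bursts.items()):
        print(minute, dict(sources))
    print("destinations that are not a known forwarder:", unexpected)
```

Run it against the real log with the firewall's actual forwarder addresses in place of the constructed set; a non-empty `unexpected` result means the server is sending DNS traffic somewhere other than the ISP resolver and is worth the packet capture JM suggests.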

