We have an internal AD-integrated DNS zone (ff.ffbs.net) that is now showing up on Netflow Node Details for our Internet-connected router. Last week this zone wasn't showing up, so we were able to get a clearer picture of the web browsing habits of our employees. Now it shows over 60% of our traffic coming from that domain, and when I drill down on that domain, it shows over 95% of the traffic is received by our main firewall's outside IP address.
What could have happened to introduce our internal zone into the top domains view in Netflow? What can I do to clear things up so it makes more sense?
Also, what determines the listing for domains? Does it take into account the source IPs or destination IPs of the flows, or both? How does this change when there are multiple interfaces being watched for Netflow vs. just watching a single interface on a router?