5 Replies Latest reply on Jul 13, 2017 3:19 PM by ekis

    NPM Server doing questionable PTR lookups

    Fred Lipton

      I set up a span port from a DNS server for our security team that was investigating possible botnet activity and came across some curious activity stemming from the server running our Solarwinds suite [NPM, NCM, NTA, SAM, et al.].  Many of these PTR lookups were for external hosts that have nothing to do with our line of business.


      I was given a subset of the captured traffic to examine and cannot make sense of why the server was looking for DNS info for those addresses.  Some of them resolved to .edu and, more troubling, .mil domains.


      The server is Win08R2, virus scans cleanly and is dedicated to this app suite [including the MS-SQL db].  Has anyone seen this on their systems or know why the box would be interested in looking up reverse DNS entries for unrelated domain hosts?


      Pls/Thnx...Fred

        • Re: NPM Server doing questionable PTR lookups
          zzz

          NTA will use DNS for the labeling of endpoints on Netflow data. NPM will also use DNS for a Node's DNS field.


          It is likely that one of the netflows NTA is monitoring contained an endpoint for those domains. You can check this by searching for the Endpoint Domain on the search bar for NTA. This will also allow you to pinpoint exactly which nodes are in fact communicating to those domains.

            • Re: NPM Server doing questionable PTR lookups
              Fred Lipton

              That certainly makes a lot of sense.  I'll do a search for the Endpoint Domain as suggested to see where that leads me and will let you know the results.  Gotta love working on a mystery. Thnx...F

              • Re: NPM Server doing questionable PTR lookups
                kamalesh

                Hi,

                We are facing the same issue in our environment. Please help us with how to fix this. We did the following options to fix the PTR lookup from NPM, but no luck; still it is throwing DNS queries:


                Disable the DNS reverse lookup in server

                Disable the NTA persistent

                Disable the NetPath path server


                Regards

                  • Re: NPM Server doing questionable PTR lookups
                    ekis

                    If you've already turned off whatever you can turn off within SolarWinds itself, try checking if there's anything else within the Windows OS that hosts SolarWinds that's sending out reverse DNS lookups.

                    Remote in to the polling engine, and try using Netmon from Microsoft to run a packet capture (I'm more familiar with Netmon, but I can also use Wireshark).

                    It may help you in identifying what process name is doing the PTR. If the process name that does the PTR request is not a SolarWinds-related process, then try isolating that one process, figure out which app runs that process and continue from there.
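One way to triage the captured traffic before chasing processes, as an added example (Python) that is not from this thread or from SolarWinds: it parses constructed tshark-style query lines, reverses the in-addr.arpa labels back to the address being looked up, ignores targets inside the ranges assumed to be internal, and counts the remaining external PTR targets per querying host, so you know which source hosts and which addresses to search for in NTA's Endpoint Domain view.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample capture lines (tshark-like text); addresses use
# documentation ranges and are not taken from the thread.
SAMPLE_LINES = """\
2017-07-13 14:01:02 10.0.5.20 10.0.0.53 Standard query PTR 10.1.168.192.in-addr.arpa
2017-07-13 14:01:03 10.0.5.20 10.0.0.53 Standard query PTR 7.100.51.198.in-addr.arpa
2017-07-13 14:01:05 10.0.5.20 10.0.0.53 Standard query A www.example.com
2017-07-13 14:01:07 10.0.5.21 10.0.0.53 Standard query PTR 9.113.0.203.in-addr.arpa
2017-07-13 14:01:09 10.0.5.20 10.0.0.53 Standard query PTR 7.100.51.198.in-addr.arpa
"""

# timestamp, source, destination, then the reversed-octet PTR name
PTR_RE = re.compile(
    r"^(\S+ \S+) (\S+) (\S+) Standard query PTR (\S+)\.in-addr\.arpa\.?$")

# Address space the organisation considers its own (assumed values).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def ptr_name_to_ip(labels):
    """Turn the in-addr.arpa label order ('7.100.51.198') back into 198.51.100.7."""
    octets = labels.split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 in-addr.arpa name: %s" % labels)
    return ipaddress.ip_address(".".join(reversed(octets)))


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def triage_ptr_queries(text):
    """Return {source_host: {target_ip: count}} for PTR lookups whose target
    lies outside INTERNAL_NETS; internal targets and non-PTR queries are skipped."""
    external = defaultdict(Counter)
    for line in text.splitlines():
        m = PTR_RE.match(line)
        if not m:
            continue
        _ts, src, _dst, labels = m.groups()
        target = ptr_name_to_ip(labels)
        if not is_internal(target):
            external[src][str(target)] += 1
    return {src: dict(counts) for src, counts in external.items()}


if __name__ == "__main__":
    for src, targets in triage_ptr_queries(SAMPLE_LINES).items():
        print(src, targets)
```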

                • Re: NPM Server doing questionable PTR lookups
                  ekis

                  Navigate to

                  Settings,

                  Polling Settings

                  Un-check "Perform reverse DNS lookup"

                  Hope this helps.