I set up a SPAN port from a DNS server for our security team, which was investigating possible botnet activity, and came across some curious activity stemming from the server running our SolarWinds suite [NPM, NCM, NTA, SAM, et al.]. Many of these PTR lookups were for external hosts that have nothing to do with our line of business.
I was given a subset of the captured traffic to examine and cannot make sense of why the server was looking for DNS info for those addresses. Some of them resolved to .edu and, more troubling, .mil domains.
The server is Win08R2, virus scans cleanly and is dedicated to this app suite [including the MS-SQL db]. Has anyone seen this on their systems or know why the box would be interested in looking up reverse DNS entries for unrelated domain hosts?
Pls/Thnx... Fred
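A triage helper for the kind of capture described in the post, added here as an example and not taken from the original thread or from SolarWinds: it parses PTR queries out of a simple per-line query log, turns each `in-addr.arpa` name back into the address being looked up, and splits the lookups into internal versus external so you can see which client is generating the external reverse lookups and how often each address recurs. The log format (timestamp, client, query type, name), the "internal" address ranges and the sample lines are all constructed assumptions; substitute your own export from the SPAN capture. The external list is what you would then compare against the NetFlow endpoints and discovered nodes the server already knows about.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# ASSUMPTION: what counts as "our" address space. RFC 1918 plus loopback and
# link-local here; replace with the organisation's real internal ranges.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed sample log, one query per line: "timestamp client qtype qname".
# The addresses are example/documentation ranges, not a real capture.
SAMPLE_LOG = """\
2013-05-01T10:00:01 10.1.1.5 PTR 7.1.1.10.in-addr.arpa.
2013-05-01T10:00:02 10.1.1.5 PTR 10.0.0.203.in-addr.arpa.
2013-05-01T10:00:03 10.1.1.5 PTR 1.2.0.192.in-addr.arpa.
2013-05-01T10:00:04 10.1.1.5 PTR 25.113.0.203.in-addr.arpa.
2013-05-01T10:00:05 10.1.1.5 A www.example.com.
2013-05-01T10:00:06 10.1.1.5 PTR 10.0.0.203.in-addr.arpa.
2013-05-01T10:00:07 10.1.1.9 PTR 1.0.0.10.in-addr.arpa.
"""

_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
    re.IGNORECASE,
)


def ptr_to_ip(qname):
    """Turn '7.1.1.10.in-addr.arpa.' into '10.1.1.7'; None if not a valid IPv4 PTR name."""
    m = _PTR_RE.match(qname.strip())
    if not m:
        return None
    candidate = ".".join(reversed(m.groups()))
    try:
        return str(ipaddress.IPv4Address(candidate))  # rejects octets > 255
    except ValueError:
        return None


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Count PTR lookups per bucket and list external targets per querying client.

    Returns (totals, per_client) where totals is a Counter with keys
    'internal', 'external' and 'unparsed', and per_client maps a client
    address to a Counter of external IPs it looked up.
    """
    totals = Counter()
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "PTR":
            continue  # not a PTR query in the assumed format
        _ts, client, _qtype, qname = parts
        ip = ptr_to_ip(qname)
        if ip is None:
            totals["unparsed"] += 1
            continue
        if is_internal(ip):
            totals["internal"] += 1
        else:
            totals["external"] += 1
            per_client[client][ip] += 1
    return totals, per_client


def report(log_text):
    """Human-readable summary: which client asked for which external addresses."""
    totals, per_client = analyze(log_text)
    lines = [f"PTR lookups: {totals['internal']} internal, "
             f"{totals['external']} external, {totals['unparsed']} unparsed"]
    for client, targets in sorted(per_client.items()):
        for ip, n in targets.most_common():
            lines.append(f"  {client} -> {ip} x{n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The `report` output is the list to hand to whoever owns the SolarWinds box: if the external addresses line up with endpoints in the collected flow data or with nodes the poller has discovered, the lookups have an ordinary source; addresses that match nothing the suite is monitoring are the ones worth chasing further.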