
NPM Server doing questionable PTR lookups

I set up a span port from a DNS server for our security team that was investigating possible botnet activity and came across some curious activity stemming from the server running our Solarwinds suite [NPM, NCM, NTA, SAM, et al.]. Many of these PTR lookups were for external hosts that have nothing to do with our line of business.

I was given a subset of the captured traffic to examine and cannot make sense of why the server was looking up DNS info for those addresses. Some of them resolved to .edu and, more troubling, .mil domains.

The server is Win08R2, scans clean for viruses and is dedicated to this app suite [including the MS-SQL db]. Has anyone seen this on their systems or know why the box would be interested in looking up reverse DNS entries for unrelated domain hosts?

Pls/Thnx...Fred

  • NTA will use DNS for the labeling of endpoints on Netflow data. NPM will also use DNS for a Node's DNS field.

    It is likely that one of the netflows NTA is monitoring contained an endpoint for those domains. You can check this by searching for the Endpoint Domain on the search bar for NTA. This will also allow you to pinpoint exactly which nodes are in fact communicating to those domains.

  • That certainly makes a lot of sense.  I'll do a search for the Endpoint Domain as suggested to see where that leads me and will let you know the results.  Gotta love working on a mystery. Thnx...F

  • Hi,

    We are facing the same issue in our environment. Please help us with how to fix this. We did the following to stop the PTR lookups from NPM, but no luck, it is still sending DNS queries:

    disable the DNS reverse lookup on the server

    disable the NTA persistent

    disable the NetPath path server

    Regards

  • Navigate to Settings, Polling Settings, and un-check "Perform reverse DNS lookup".

    Hope this helps.

  • If you've already turned off whatever you can turn off within SolarWinds itself, try checking if there's anything else within the Windows OS that hosts SolarWinds that's sending out reverse DNS lookups.

    Remote in to the polling engine, and try using Netmon from Microsoft to run a packet capture (I'm more familiar with Netmon, but I can also use Wireshark).

    It may help you in identifying what process name is doing the PTR. If the process name that does the PTR request is not a SolarWinds-related process, then try isolating that one process, figure out which app runs that process and continue from there.
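Once a capture of the PTR traffic is in hand, the practical question from the original post remains: which reverse lookups target addresses outside the organisation, and how often. The following is an added example (not code from any poster or from SolarWinds) that turns in-addr.arpa / ip6.arpa query names back into addresses and counts the external ones per source, so the result can be compared with NTA's Endpoint Domain search; the sample capture lines, the 10.20.30.40 polling-engine address and the internal ranges are all constructed assumptions.

```python
# Triage PTR queries from a DNS capture: reverse names back to addresses and
# count those outside the org's ranges, to compare with NTA's Endpoint Domain.
import ipaddress
import re
from collections import Counter

# Constructed sample, "<source ip> <qtype> <query name>" per line; 10.20.30.40
# is a hypothetical stand-in for the NPM polling engine.
SAMPLE_QUERIES = "\n".join([
    "10.20.30.40 PTR 5.3.20.10.in-addr.arpa",         # internal target (10.20.3.5)
    "10.20.30.40 PTR 200.100.51.198.in-addr.arpa",    # external, seen twice
    "10.20.30.40 PTR 200.100.51.198.in-addr.arpa",
    "10.20.30.40 PTR " + ipaddress.ip_address("2001:db8::1").reverse_pointer,
    "10.20.30.40 A www.example.com",                   # not a PTR query
    "10.20.30.40 PTR 77.0.113.203.in-addr.arpa",
    "10.20.30.40 PTR 999.1.1.1.in-addr.arpa",          # malformed octet
])
# Assumed internal address plan; replace with the real one.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LINE_RE = re.compile(r"^(\S+)\s+PTR\s+(\S+)$")


def ptr_name_to_ip(name):
    """Map an in-addr.arpa / ip6.arpa name back to an ip_address; None if malformed."""
    labels = name.lower().rstrip(".").split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return ipaddress.ip_address(".".join(labels[:4][::-1]))  # un-reverse octets
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(labels[:32][::-1])                     # un-reverse nibbles
            return ipaddress.ip_address(
                ":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:
        pass  # an octet or nibble out of range, e.g. "999"
    return None


def external_ptr_targets(capture_text, internal_nets=INTERNAL_NETS):
    """Count (source, target) pairs whose PTR target lies outside internal_nets."""
    hits = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                   # skip non-PTR rows
        src, qname = m.groups()
        ip = ptr_name_to_ip(qname)
        if ip is None or any(ip in net for net in internal_nets):
            continue                                   # malformed or internal target
        hits[(src, str(ip))] += 1
    return hits
```

Feed `external_ptr_targets` the exported query lines from the span-port capture; each remaining (source, target) pair is an address worth searching for as an NTA endpoint before treating the lookup as suspicious.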