3 Replies Latest reply on Sep 23, 2014 9:53 AM by james.fraasch

    How to Stop Solarwinds DNS Queries

    james.fraasch

      I have NPM along with UDT and NTA.  It seems that each of these individually has a function that allows for DNS Queries or Reverse DNS lookup.

       

      The scenario is that I have a closed system.  That is, there is no connection to the internet for security reasons.  However, I have a DC and BDC that are running DNS; these are the servers also running Solarwinds with FoE.  What happens is we have a number of devices that are showing up in the NTA that automatically tries to resolve hostnames to IP addresses.  Even when I disable this functionality (and the "reverse lookup" functionality on the main Admin Settings section) I still get a boatload of DNS queries from Solarwinds.

       

      The DNS Root Hints file has a list of "last resort" servers to send queries to by default so it looks like after a couple of fails, the queries are sent to Japan or somewhere else for final resolution.  Well, Security Team caught on to this and saw my servers sending a bunch of **** to Japan and had a cow.


      How do I stop this madness?  I don't need Solarwinds to query DNS and there are too many hosts (more than 1500) to put in a host file locally plus that wouldn't solve the issue with NTA anyway.


      I am at a loss and three days in, Solarwinds basically has punted the tech support case.  Literally, the engineer said he was too busy and would get back to me.


      Any help or direction would be greatly appreciated.


      James

        • Re: How to Stop Solarwinds DNS Queries
          HolyGuacamole

          I'm not sure if it will help, but there are some DNS settings in the settings, NTA settings section. The one that you refer to only governs node management (not endpoints) to the best of my knowledge.

          • Re: How to Stop Solarwinds DNS Queries
            RichardLetts

            Three-fold solution:

             

            1. If your DNS servers don't have internet connectivity, remove the root server list from them so they don't know how to resolve addresses outside their domain.

            [These are not servers of last resort, they are the root name servers.]

            Your servers should immediately return NXDOMAIN, which will improve performance.

             

            2. If these DNS servers don't have access to any other DNS servers then disable recursion on them; they will not then try to contact other DNS servers to answer queries on behalf of clients.

            Disable Recursion on the DNS Server

             

            3. Assuming you've Windows Firewall enabled, block port 53 TCP and UDP outbound from those servers to IP addresses not on your network.

            This is an ugly hack that will cause delays in DNS resolution, but no worse than you already have.

            You might do this anyway as it prevents breakage should someone re-add the root hints or re-enable recursion.

             

            /RjL
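
The three steps from the answer above as PowerShell, added here as an example and not part of the original thread. It assumes Windows Server 2012 or later with the DnsServer and NetSecurity modules, and an internal range of 10.0.0.0/8 (constructed; substitute your own); the firewall rule names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: run on each DNS server (the DC and BDC in the thread).
# ASSUMPTION: 10.0.0.0/8 is the only internal range. Windows Firewall has no
# "not this subnet" operator, so the ranges below are its complement, with
# loopback (127.0.0.0/8) left out as well.
$ExternalRanges = '1.0.0.0-9.255.255.255',
                  '11.0.0.0-126.255.255.255',
                  '128.0.0.0-255.255.255.255'

# Step 1: remove every root hint so the server has no path to the root servers.
Get-DnsServerRootHint -ErrorAction SilentlyContinue |
    Remove-DnsServerRootHint -Force

# Step 2: disable recursion. This also disables forwarders on the server.
Set-DnsServerRecursion -Enable $false

# Step 3: block outbound DNS (UDP and TCP 53) to anything outside the internal
# range. Block rules override allow rules, so this still holds if someone
# re-adds the root hints or re-enables recursion.
foreach ($proto in 'UDP', 'TCP') {
    $name = "Block outbound DNS to external ($proto)"   # hypothetical rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound `
            -Protocol $proto -RemotePort 53 -RemoteAddress $ExternalRanges `
            -Action Block | Out-Null
    }
}

# Read the resulting state back so it can be recorded for the security team.
[pscustomobject]@{
    RootHintCount    = @(Get-DnsServerRootHint -ErrorAction SilentlyContinue).Count
    RecursionEnabled = (Get-DnsServerRecursion).Enable
    BlockRules       = @(Get-NetFirewallRule -DisplayName 'Block outbound DNS to external*' |
                         Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }).Count
}
```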

              • Re: How to Stop Solarwinds DNS Queries
                james.fraasch

                Richard,

                I think you hit the nail on the head.

                 

                There were two issues:

                1. Solarwinds queries the HECK out of DNS, especially with IPAM, Netflow running.

                2. Being that this is a closed network, the Root Hints file had the DNS servers sending queries out to Japan (or wherever outside the local network).

                 

                Removing the servers from the root hints file is the answer here.