
WSA - DNS Query Logging/Flooding Entry - '(6)server(0)' & '.server.'

widarsson
Level 1

It has come to my attention that a very large number of entries have been located on the Windows Server, caused by the WSA Virtual Appliance (4x WSAs / Transparent mode).
S300V (two appliances)
Version: 10.5.3-025
S600V (two appliances)
Version: 10.5.3-025

- Two DNS servers are configured with priority "0" on both settings on all WSAs.
- The query/error is seen from all WSAs in the logs on both DNS servers.

Sending queries for ".server.".

Some entries to million entries.

3/5/2020 11:46:23 AM 0D78 PACKET 0000000004ACDCE0 UDP Rcv 10.100.10.8 f90f Q [0001 D NOERROR] A (6)server(0)
3/5/2020 11:46:23 AM 0D78 PACKET 00000000046CA2C0 UDP Rcv 10.100.10.9 054b Q [0001 D NOERROR] A (6)server(0)
3/5/2020 11:46:23 AM 0D74 PACKET 0000000004ACDCE0 UDP Rcv 10.100.10.8 ea2b Q [0001 D NOERROR] A (6)server(0)


Why does the WSA query this?
The query from the log is ".server."; that's what is getting flooded in the Microsoft DNS Server.

We don't want to shut down logging on the DNS server, and to my knowledge it's not possible to filter on the DNS server. It's not a performance issue, but a customer is asking for the reason for this query. It's noise traffic.

 

Best Regards,

David

1 Reply

Cristian Matei
VIP Alumni

Hi,

 

    That is a valid DNS message format: "NOERROR" means there was no error, "A" means the query was for a host record, and "server" is the domain, and this is weird. Can you do a packet capture to look in the header?

 

Regards,

Cristian Matei.
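
Added example, not part of the thread and not Cisco or Microsoft code: a Python parser for DNS debug-log PACKET lines like the ones quoted in the question. It decodes the length-prefixed notation `(6)server(0)` into a dotted name and counts received queries per client and name, so the volume per WSA can be reported. The field layout is assumed from the three quoted lines; the fourth sample line is constructed.

```python
import re
from collections import Counter

# Field layout assumed from the PACKET lines quoted in the question.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<buf>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<client>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+"
    r"(?P<resp>R\s+)?(?P<opcode>\S)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\(.*\))\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_qname(raw):
    """Turn the log's length-prefixed labels, e.g. (6)server(0), into a dotted FQDN."""
    labels = []
    for length, text in LABEL_RE.findall(raw):
        if int(length) == 0:          # (0) is the root label that ends the name
            break
        if len(text) != int(length):  # the prefix must match the label length
            raise ValueError(f"bad label {text!r} in {raw!r}")
        labels.append(text)
    return ".".join(labels) + "."


def summarize(lines):
    """Count received queries (not responses) per (client, qtype, qname)."""
    counts = Counter()
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m or m["dir"] != "Rcv" or m["resp"]:
            continue  # skip non-PACKET lines, sent packets and responses
        counts[(m["client"], m["qtype"], decode_qname(m["qname"]))] += 1
    return counts


# First three lines are from the post; the last one is constructed for contrast.
SAMPLE_LOG = """\
3/5/2020 11:46:23 AM 0D78 PACKET 0000000004ACDCE0 UDP Rcv 10.100.10.8 f90f Q [0001 D NOERROR] A (6)server(0)
3/5/2020 11:46:23 AM 0D78 PACKET 00000000046CA2C0 UDP Rcv 10.100.10.9 054b Q [0001 D NOERROR] A (6)server(0)
3/5/2020 11:46:23 AM 0D74 PACKET 0000000004ACDCE0 UDP Rcv 10.100.10.8 ea2b Q [0001 D NOERROR] A (6)server(0)
3/5/2020 11:46:24 AM 0D74 PACKET 0000000004ACDCE0 UDP Rcv 10.100.10.8 1a2b Q [0001 D NOERROR] A (3)www(7)example(3)com(0)
"""

if __name__ == "__main__":
    for (client, qtype, name), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        single = name != "." and name.count(".") == 1  # one label before the root
        print(f"{n:>4}  {client:<15} {qtype:<5} {name}" + ("  [single-label]" if single else ""))
```

Decoded this way, `(6)server(0)` is the single-label name `server.`: one 6-byte label followed by the root.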