DNS excessive zone transfers

Hello,

I have set up two internal DNS servers for our small network, which also has a persistent connection to the web. The primary internal DNS is WIN2k/SP2 with three zones; two Type: primary, one Type:AD All three set for dynamic updates, and for internal use only. The internal secondary DNS is WinNT4/SP6a and points to the internal primary.

The network environment is mixed with win98/nt4/w2k
DNS appears to be working except for Zone transfers, which occur every two minutes (+/- a few seconds)

Every "TWO MINUTES" Event ID 6001 will be written to Event Viewer\Dns Server

Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 6001
Date: 7/2/2002
Time: 1:19:21 PM
User: N/A
Computer: P0035
Description:
The DNS server successfully completed transfer of zone
222.168.192.in-addr.arpa to DNS server at 192.168.222.41.

After receiving (20) events of ID:6001, Event ID 9999 will get
written...just like clockwork.

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 9999
Date: 7/2/2002
Time: 1:19:21 PM
User: N/A
Computer: P0035
Description:
The DNS server has encountered numerous run-time events. These are usually
caused by the reception of bad or unexpected packets, or from problems with
or excessive replication traffic. The data is the number of suppressed
events encountered in the last 15 minute interval.
Data:
0000: 14 00 00 00 ....

I have turned on logging but can't seem to find any errors, nor does anything ring a bell after spending two days reading MS-KB.
These are the only events being written to Event Viewer. I have also tried turning off Dynamic updates and restarted DNS...No Change.

Need some assistance

 

You are going to get a zone transfer everytime there is a record update, which could happen a lot with active directory and multiple domain controllers. This will happen when a host registers itself with DNS.
If this zone is an Internet zone, then you should only allow zone transfers to "trusted" DNS servers. Otherwise a hacker could spoof a client on your network by knowing your entire network layout.

 

Two zones contain just host records for mail and www. I set these update only internally.
The third is the AD zone for internal computers "pmg.local "

The zone that keeps updating is the in-addr.arpa. from Primary to Secondary.

I understand about updating records, but our internal network consists of +/- 20 computers. DHCP is set to lease ip's for three days.

Our LAN has only two DC's.
Primary DC is win2k with DHCP/WINS/DNS
Backup DC is nt4 sp6a with DHCP/WINS/DNS

I am in that migration phase. Moving slow because it is a production network.

thanks

 

This problem sounds very "virus-like" to me. Take a look at This CERN Incident Report for a possibility and to give you some thoughts on things to check.

In general, you will do better I think if you can put DNS on Win2K machines. Granted, you may not have much legit zone change activity but with 2K, you can get incremental rather than full as NT4 requires. And I'm not really convinced the two systems play well together as DNS servers.

in-addr.arpa zone-updates don't sound like they are much needed on your system.

 

Why not put in static entries in your DNS table for each of the IP addresses in your DHCP scope. ISP's use this for their reverse DNS all the time. It really doesn't matter for clients.
Also you could block DNS updates unless they come from the DHCP server. (DHCP proxy will update the record). That way you know it's just your clients that are updating the zone. Each time a client reboots, or lease expires, they will renew their IP with the DHCP server. When that happens, they will try and update their DNS record also.

 

Thanks,

I'll look into both sugesstions and report back.

 

24jedi - something else that finally caught my attention. From a look at DNS Events 2000 thru 9999 which was posted for NT4 SP4 but may well still be valid (can't see a DNS machine right now) -

I would think you should see an event ID 6000 along with the 6001 you mention if the zone transfers were started by any of the usual means.