Posted

I was playing around with Wireshark and noticed I have a 2003 server that is constantly making DNS requests. Here's the scenario while I was troubleshooting:

I turned off all possible services and exited all applications except:

services running

Application Experience Lookup Service

ATI HotKey Poller

DCOM Server Process Launcher

DHCP Client

Event Log

Network Connections

Plug and Play

Remote Access Connection Manager

Remote Procedure Call (RPC)

Security Accounts Manager

Shell Hardware Detection

Telephony

Terminal Services

Themes

Windows Driver Foundation - User Mode Driver Framework

Windows Firewall / Internet Connection Sharing (ICS)

Windows Management Instrumentation

Wireless Configuration

Applications Running

ati2evxx

ati2evxx

csrss

ctfmon

dumpcap

explorer

lsass

mmc (Services.msc)

notepad (while I type this up)

rundll32

rundll32

services

smax4pnp

smss

svchost (7 copies)

system

taskmgr

winlogon

wireshark

wmiprvse

I used Windows Process Explorer to track down the svchost instances and they all corresponded to the services running at top, in other words, it all belonged there. But every few seconds or so the server accepts a UDP packet from somewhere on the public internet (it seems random) and then spits out queries and receives responses and moves on. This is going at such a slow pace that I can't attribute any CPU usage to whatever process is doing this.

I've applied the DNS Client patch KB951748 but that doesn't seem to be stopping it. Symantec Endpoint Protection (v11.0.2) is the AV software used on it in conjunction with Windows Firewall. Also tried using netstat -v -b to see if I could find what application might be making an external connection but can't find anything or it's happening so fast it's not displaying. This server is not a DNS server either. Even after a reboot or a NIC repair the DNS lookups continue.

Has anyone else seen this behavior?

Thanks for anyone's help. :)

Travis

issues_with_dns.zip


Posted

You have a bittorrent client running (and a port is open for it in your D-Link router obviously). There's lots of computers sending UDP packets to you, all coming in on your port 31848 (try rule "udp && !dns" to see it better), and their contents are definitely bittorrent DHT traffic (we can even see the SHA-1 hash of the torrent itself; one could even tell what you're downloading from that). The DNS requests are made for everyone connecting on your port 31848 (probably the BT client itself, so it can show you the reverse DNS address instead of just the IP).
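The correlation the reply describes, inbound non-DNS UDP on one local port followed by a PTR (reverse DNS) query for each sender, is easy to check mechanically once a capture is exported as packet records. The script below is an added example, not code from the thread or from Wireshark; it works on a small constructed packet list, applies the same "udp && !dns" selection the reply suggests, and reports which local ports have many distinct remote peers whose arrival was followed by a reverse lookup. The LAN range, port number and sample addresses are assumptions chosen for the example.

```python
"""Correlate inbound UDP traffic with the reverse-DNS (PTR) queries it triggers.

Added example for the thread above; not part of the original post.
Input is a list of Packet records in the spirit of a Wireshark export.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed LAN range for the example; adjust to the network being inspected.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    info: str      # Wireshark-style Info column text


def is_dns(p: Packet) -> bool:
    """DNS in this example means UDP with port 53 on either side."""
    return p.proto == "udp" and (p.sport == 53 or p.dport == 53)


def udp_not_dns(packets):
    """Equivalent of the Wireshark display filter 'udp && !dns'."""
    return [p for p in packets if p.proto == "udp" and not is_dns(p)]


def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an address, e.g. 203.0.113.5 -> 5.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def correlate(packets, window: float = 5.0):
    """Map local UDP port -> set of remote senders whose packet was followed,
    within `window` seconds, by a PTR query for the sender's address."""
    ptr_queries = [(p.ts, p.info) for p in packets if is_dns(p) and " PTR " in p.info]
    triggered = defaultdict(set)
    for p in udp_not_dns(packets):
        # Only inbound packets from outside the LAN are of interest.
        if ipaddress.ip_address(p.src) in LOCAL_NET:
            continue
        if ipaddress.ip_address(p.dst) not in LOCAL_NET:
            continue
        name = ptr_name(p.src)
        if any(p.ts <= ts <= p.ts + window and name in info for ts, info in ptr_queries):
            triggered[p.dport].add(p.src)
    return dict(triggered)


def suspicious_ports(packets, min_sources: int = 3):
    """Local ports where at least `min_sources` distinct peers triggered a reverse lookup."""
    return sorted(port for port, peers in correlate(packets).items() if len(peers) >= min_sources)


# Constructed sample capture: three internet peers hit UDP/31848 on the host
# 192.168.1.10, and each is followed by a PTR query to the LAN resolver.
SAMPLE = [
    Packet(0.0, "203.0.113.5", 6881, "192.168.1.10", 31848, "udp", "BT-DHT ping"),
    Packet(0.1, "192.168.1.10", 1025, "192.168.1.1", 53, "udp", "Standard query PTR 5.113.0.203.in-addr.arpa"),
    Packet(0.2, "192.168.1.1", 53, "192.168.1.10", 1025, "udp", "Standard query response PTR"),
    Packet(1.0, "198.51.100.7", 6881, "192.168.1.10", 31848, "udp", "BT-DHT find_node"),
    Packet(1.1, "192.168.1.10", 1026, "192.168.1.1", 53, "udp", "Standard query PTR 7.100.51.198.in-addr.arpa"),
    Packet(2.0, "192.0.2.9", 51413, "192.168.1.10", 31848, "udp", "BT-DHT get_peers"),
    Packet(2.1, "192.168.1.10", 1027, "192.168.1.1", 53, "udp", "Standard query PTR 9.2.0.192.in-addr.arpa"),
    Packet(3.0, "192.168.1.10", 1028, "192.168.1.1", 53, "udp", "Standard query A www.example.com"),
    Packet(3.5, "203.0.113.77", 500, "192.168.1.10", 500, "udp", "ISAKMP"),  # inbound UDP, no PTR follows
    Packet(4.0, "192.168.1.10", 49152, "203.0.113.5", 80, "tcp", "GET /"),
]

if __name__ == "__main__":
    for port, peers in correlate(SAMPLE).items():
        print(f"local udp/{port}: {len(peers)} peers triggered reverse lookups: {sorted(peers)}")
    print("ports worth investigating:", suspicious_ports(SAMPLE))
```

Run against a real export, the interesting output is a single local port with a steadily growing set of unrelated public peers; that pattern points at the listening process rather than at the DNS client, which is only doing what it was asked.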

Posted

I think I get it -- bittorrent added this thing called the "DNA server" and I believe it's UPnP enabled. Even though I wasn't running bittorrent at all, this service connected to the router via UPnP, opened the ports, and started traffic.

For the record, I still haven't used bittorrent to download anything, I merely installed the software and that was enough to get this to start on its own.

This morning, I was running Wireshark and turned my cable modem back on and noticed traffic coming from my computer to utorrent.com & bittorrent.com. Moments later the behavior started again. That got me to thinking "hmm, Bittorrent isn't running, so what is?" - and I recalled reading something on their website about a distributed download accelerator called DNA, so I looked into it. Wireshark was going crazy with the DNS lookups at that point, so I uninstalled DNA server, saw more communication to the bittorrent servers, and then the DNS lookups stopped.

I had, according to my router's WISH list, just under 300 open UDP sessions before that uninstall. Five minutes later, it was down to 13 active connections.

What's interesting to me is why, when I blocked the ports from Symantec Multitier Protection's firewall, the traffic was still permitted and would not block. Perhaps there is some kind of interaction between the firewall & UPnP? Anyhow, I checked it over lunch now and the issue is gone. Thanks for pointing me in the right direction.

Travis
