
Is our server accessing isdn line?

  • 18-09-2003 12:26pm
    #1
    Registered Users Posts: 20,126 ✭✭✭✭


    just got our telephone bill for the past month, fone up 300 yoyos on the previous :(

    this is made up of 300 worth of isdn calls, 128 hrs at the evening time and 96 hrs at the weekend along with the normal 120 or so daytime hours

    only thing is there is never anyone here at the evenings or weekends, the only pc left on is the server.

    the isdn modem has been flickering constantly even if no one is online and we reckon the line must be in use all the time for some reason

    a call to eircom indicated that from the 12th of august our isdn line has started to become active at 2 and 3 in the morning :(

    if i click on the last ten calls menu i get this:

    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.DC._MSDCS.****(our co name :))
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _KERBEROS._TCP.DC._MSDCS.****
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for 8EE3D362-0430-43CB-B8AD-9B023CFDBAFC._MSDCS.*****
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.77D43FD5-0951-4753-B4E6-10002BADC901.DOMAINS._MSDCS.
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.GC._MSDCS.****
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _KPASSWD._UDP.***
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.PDC._MSDCS.****
    Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.*****

    anyone any idea whats goin on?

    cheers


Comments

  • Registered Users Posts: 5,337 ✭✭✭Frank Grimes


    Something's accessing the internet from either the server or the lan.
    Use a firewall to log and see what's going on.


  • Registered Users Posts: 2,157 ✭✭✭Serbian


    Probably someone coming in late after a night on the piss and downloading filthy porn :p

    Could it possibly be a trojan on one of the machines? I reckon you should run a virus scan on all PCs and make sure there are no viruses on them, as if they are Trojans then they will try and establish a connection with the internet to feed back the info they are getting.

    For now, just turn off the router or unplug the line when you leave in the evenings.


  • Closed Accounts Posts: 6,143 ✭✭✭spongebob


    24 Hour Timer Units are simple and effective.

    The firewall will still log the outbound connection effort.

    Ports 135 136 137 138 139 69 should always be blocked both directions while you are at the firewall


  • Registered Users Posts: 197 ✭✭iano


    The DNS data that you have seen in your log is all to do with Microsoft Active Directory and Microsoft's extensions to DNS.

    This indicates a problem with your Server configuration.
    This type of traffic should NEVER be sent to your ISP's DNS servers, it should be internal to your network.

    You absolutely need to sort this out or it will cost you a lot of money.

    There are a whole range of books etc. on the topic, including a load from Microsoft at: http://www.microsoft.com/windows2000/technologies/communications/dns/default.asp
    (They even include a training course that can be downloaded and made into a CD!)

    You have probably made the #1 common mistake, i.e. "The domain controller is not pointing to itself for DNS resolution on all network interfaces." See the answers and discussion at http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
    Sorting this out should resolve your issue and save your money.

    Hope this helps,
    Ian.
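
A way to pick the Active Directory locator lookups out of a router call log like the one in the first post (an added example, not code from any poster in this thread). The line format is taken from that log; `EXAMPLE.LOCAL`, `PC7` and the final line are constructed stand-ins.

```python
import re
from collections import Counter

# Constructed sample in the format of the "last ten calls" log quoted above;
# EXAMPLE.LOCAL stands in for the masked company domain, PC7 is hypothetical.
SAMPLE_LOG = """\
Outgoing Data - 64K eircom 0 seconds DNS query from Server for _LDAP._TCP.DC._MSDCS.EXAMPLE.LOCAL
Outgoing Data - 64K eircom 0 seconds DNS query from Server for _KERBEROS._TCP.DC._MSDCS.EXAMPLE.LOCAL
Outgoing Data - 64K eircom 0 seconds DNS query from Server for 8EE3D362-0430-43CB-B8AD-9B023CFDBAFC._MSDCS.EXAMPLE.LOCAL
Outgoing Data - 64K eircom 0 seconds DNS query from Server for _KPASSWD._UDP.EXAMPLE.LOCAL
Outgoing Data - 64K eircom 42 seconds DNS query from PC7 for www.cisco.com
"""

LINE_RE = re.compile(
    r"^Outgoing Data - \S+ \S+ (?P<secs>\d+) seconds "
    r"DNS query from (?P<src>\S+) for (?P<name>\S+)$"
)
SRV_SERVICES = {"_ldap", "_kerberos", "_kpasswd", "_gc"}
SRV_PROTOS = {"_tcp", "_udp"}

def classify(name):
    """Return why a query name is AD-internal, or None if it is ordinary."""
    labels = name.rstrip(".").lower().split(".")
    if "_msdcs" in labels:
        return "AD locator zone (_msdcs)"
    if len(labels) >= 2 and labels[0] in SRV_SERVICES and labels[1] in SRV_PROTOS:
        return "AD SRV locator record"
    return None

def leaked_ad_queries(log_text):
    """List (source host, query name, reason) for AD lookups that dialled out."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a dial-on-demand DNS entry
        reason = classify(m["name"])
        if reason:
            hits.append((m["src"], m["name"], reason))
    return hits

def triggers_by_source(log_text):
    """Count leaked AD lookups per internal host, to show which machine to fix."""
    return Counter(src for src, _, _ in leaked_ad_queries(log_text))

if __name__ == "__main__":
    for src, name, reason in leaked_ad_queries(SAMPLE_LOG):
        print(f"{src}: {name} -> {reason}")
```
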


  • Registered Users Posts: 20,126 ✭✭✭✭Cyrus


    thanks for that iano,

    now to have a go at the fella who set it up :(

    how do i go about changing the domain controller to point at itself?


  • Registered Users Posts: 20,126 ✭✭✭✭Cyrus


    anyone know :)


  • Registered Users Posts: 197 ✭✭iano


    Cyrus,
    Sorry about that - away for the weekend.

    For each Network Interface (Start -> Control Panel -> Network), you need to make sure that the DNS server setting is 127.0.0.1 and not "server assigned" or your ISPs address.

    You also need to have the DNS service running and correctly configured on your server.

    To check, open a command prompt (Start -> Run -> cmd) and:
    1. ipconfig /all - check the DNS settings for all active interfaces. Make sure that any dial-up interfaces are active so that you check them as well.
    2. nslookup - make sure that your server is resolving names.
    A quick test is " ping www.cisco.com " . If the name resolves into an ip address, then your DNS is OK.

    All client machines should point to your server for DNS in order to allow Microsoft services to run fully (such as network logon).

    Hope this helps,
    Ian.


  • Registered Users Posts: 651 ✭✭✭sirlinux


    To be 100% correct it should be the LAN IP address of the network card, though 127.0.0.1 will work fine. When you turn on your DNS server, you should make your DNS server listen only on the LAN IP address as well.


    Originally posted by iano
    Cyrus,
    Sorry about that - away for the weekend.

    For each Network Interface (Start -> Control Panel -> Network), you need to make sure that the DNS server setting is 127.0.0.1 and not "server assigned" or your ISPs address.

    You also need to have the DNS service running and correctly configured on your server.

    To check, open a command prompt (Start -> Run -> cmd) and:
    1. ipconfig /all - check the DNS settings for all active interfaces. Make sure that any dial-up interfaces are active so that you check them as well.
    2. nslookup - make sure that your server is resolving names.
    A quick test is " ping www.cisco.com " . If the name resolves into an ip address, then your DNS is OK.

    All client machines should point to your server for DNS in order to allow Microsoft services to run fully (such as network logon).

    Hope this helps,
    Ian.


  • Registered Users Posts: 20,126 ✭✭✭✭Cyrus


    thanks so much for the help fellas :)


  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    Do you have windows 2000 machines on your network?

    if you do they can cause persistent dial outs as they scan for updates or try to send keepalive packets on the network (for some reason they send it to everything , even outside the LAN).

    If there is no Domain:

    One suggestion is adding NetBEUI to the win2k boxes (supposed to solve it but I have yet to see it as the final solution).

    If there is a domain:
    set up DNS forwarding so that all DNS requests must go to the server *before* being passed on to the internet. No PC in the domain should have the DNS setting of the ISP, only the IP of the server. Win2k machines have been seen to go and dial up internet when checking DNS even for a printing job!

    hope it helps


  • Registered Users Posts: 20,126 ✭✭✭✭Cyrus


    hmm i can't seem to change the ip address to the one given, it says loopback addresses aren't allowed?

    it is win 2000 server btw, our system seems to be run through a 3com lan modem so the dns is set to the ip address of the modem, any ideas


  • Registered Users Posts: 651 ✭✭✭sirlinux


    Set the ip address to be the one of the server. Is dns server installed on the server? If not install it. Then in DNS set the forwarder to your 3com lan modem if you want to answer unknown queries, even if you don't set forwarders it should still work pulling up the link for non local DNS. Also you may need to reconfigure your DNS setting in your DHCP server if you are using DHCP to point to your server for DNS, it's important for 2000 domain information for the clients.
    If you paid someone to set this up you should be going back to them, this stuff is basics.


  • Registered Users Posts: 20,126 ✭✭✭✭Cyrus


    thanks for the reply,

    we did pay and he's in trouble, unfortunately networks aren't my area of expertise, i can build, tweak overclock, watercool etc any type of pc u like but networking at the moment is over my head

    i must read up on it

    oh and i know silly qn but what cmd do i use to get the servers ip addy?


  • Registered Users Posts: 651 ✭✭✭sirlinux


    Quick and easy, press start, then run, type in cmd and press enter, you get a dos type box, type ipconfig and press enter and it will list your adaptors and ip addresses, I'm assuming you only have one.


  • Registered Users Posts: 651 ✭✭✭sirlinux


    start here to learn some basics:

    http://www.windows2000faq.com/


  • Registered Users Posts: 10,339 ✭✭✭✭LoLth


    in command prompt:

    ipconfig (on server, reports the ip address).

    the switch /all gives a more detailed report.


  • Registered Users Posts: 197 ✭✭iano


    As sirlinux correctly stated, Microsoft don't allow 127.0.0.x. Set it to the LAN IP address of your server (i.e. the address "IP address" in the box above the DNS settings for an ethernet interface etc.)

    I do agree that you should be a bit miffed with your consultant!

    However, it is always a good idea to monitor any dial-up connection for unusual patterns or usage.
    You would be amazed at the number of people who spend huge amounts on Internet calls only to discover DDNS is trying to update an ISP server.
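
The `ipconfig /all` check the thread settles on, automated (an added example, not code from any poster): it flags every DNS server entry on the domain controller that is not one of the machine's own addresses, including the dial-up interface. The sample output is constructed; 192.168.1.10 is assumed to be the server, 192.168.1.1 the LAN modem, and the 192.0.2.x addresses stand in for the ISP.

```python
import re

# Constructed `ipconfig /all` excerpt in the Windows 2000 layout.
# Assumptions: 192.168.1.10 = server, 192.168.1.1 = LAN modem,
# 192.0.2.x = placeholder ISP-side addresses.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.0.2.53

PPP adapter eircom:

        IP Address. . . . . . . . . . . . : 192.0.2.77
        DNS Servers . . . . . . . . . . . : 192.0.2.53
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_adapters(text):
    """Return {adapter name: {"ip": [...], "dns": [...]}}."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        if (m := ADAPTER_RE.match(line)):
            current = adapters.setdefault(m[1], {"ip": [], "dns": []})
            last = None
        elif current is None:
            continue  # global section before the first adapter
        elif (m := IP_RE.match(line)) and last:
            current[last].append(m[1])  # continuation of a multi-value field
        elif (m := FIELD_RE.match(line)):
            last = {"IP Address": "ip", "DNS Servers": "dns"}.get(m[1])
            if last and m[2]:
                current[last].append(m[2].strip())
    return adapters

def dns_findings(text):
    """List (adapter, dns_server) pairs not pointing at this machine itself."""
    adapters = parse_adapters(text)
    own = {ip for a in adapters.values() for ip in a["ip"]}
    return [(name, dns) for name, a in adapters.items()
            for dns in a["dns"] if dns not in own]

if __name__ == "__main__":
    for adapter, dns in dns_findings(SAMPLE):
        print(f"{adapter}: DNS server {dns} is not this server")
```
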

