Sunday, 14 November 2010

SBS2008 and the mysterious DNS drops: Resolved

I finally managed to get onto the router... a Draytek Vigor 2900... I looked through all the settings and found nothing timing out.

Looking through the Ethernet log... I could see one PC calling up numerous destinations on the internet, TCP/UDP port 16650 and destination in the 50,000s... 57874.?

I found out the PC name on the network and connected via Explorer to the admin share to look at Program Files and see if there were any nefarious software installed... 

BitTorrent... oh dear... Dates of the files appear to match the times of the DNS dropping out.

I was called at the time, their DNS has been down for 2 hours whilst I was investigating.  So I blocked all traffic from that PC's IP address to the internet.  Immediately I could browse to on the server.

My colleague gets a call from one member of staff... everyone's internet has come back except hers... he let her know we'd look into it...

So I blocked all traffic up from 1024 to 65535 from that IP address... at least she'll get mail, DNS, web surfing... but I think she might have a few more problems... downloading large files on company ISP.. killing an online application used by others that is the vital for the company... furthermore the size of the files over only 25 days could have had their ISP block all further traffic... Business Usage Policies n all that...

The router was still showing DNS calls to the internet... the Forwards were working.. but because of all the heavy torrent traffic, all DNS calls were timing out.  The DNS Forwarding has a timeout of 3 or 5 seconds.

BitTorrent is known to kill a connection when it's not been limited in the torrent app... 

So restarting the DNS Server on the SBS2008 box was simply killing the torrent connection and then it would all start going again .. and perhaps the only reason it's starting getting worse is because the user's PC was set to go directly via the router?  SBS2008 was limiting the Torrent connections.. once it was out of the picture the torrent was allowed to keep the connection killed and restarting the DNS Server no longer had a lasting effect.

Staff should be kept aware of the company's internet policy... and some should know better.

The answer is always so simple in retrospect.

No comments:

Post a comment