Mark Minasi's Tech Forum

Jon_AK (#1)
I have a Cisco ASA firewall on the windows network with a W2k8R2 domain controller.  The ASA syslog began exhibiting a rash of constant DNS failure messages but it isn't with our on-premise DNS server.  The error is indicating several attempts (8 each time about 3 - 5 minutes apart) to resolve to a DNS server at "skeegleapp.com".  I have checked all client machines, wireless router and clients, domain controller / DNS server configuration, shutdown everything totally except the domain controller and still get these DNS lookup errors.  Errors look like this:
3   Jan 05 2017   09:37:22     user-identity: DNS lookup for www.skeegleapp.com failed, reason:UNKNOWN

3   Jan 05 2017   09:37:22     user-identity: DNS lookup for www.skeegleapp.com failed, reason:Timeout or unresolvable

I'm working to run a packet trace on every client but a bit difficult to go from machine to machine.  Any ideas of a place to "poke around" and if there is a recommended program I can run from my admin workstation to search the network clients?

wkasdo (#2)
Why does the query fail in the first place? This is an existing host. 

Code:

PS C:\> Resolve-DnsName -Name www.skeegleapp.com -Server 8.8.8.8

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
www.skeegleapp.com             CNAME  299   Answer     skeegleapp.com

Name                   : skeegleapp.com
QueryType              : SOA
TTL                    : 899
Section                : Authority
NameAdministrator      : awsdns-hostmaster.amazon.com
SerialNumber           : 1
TimeToZoneRefresh      : 7200
TimeToZoneFailureRetry : 900
TimeToExpiration       : 1209600
DefaultTTL             : 86400


PS C:\> Resolve-DnsName -Name skeegleapp.com -Server 8.8.8.8

Name              Type TTL   Section    PrimaryServer               NameAdministrator            SerialNumber
----              ---- ---   -------    -------------               -----------------            ------------
skeegleapp.com    SOA  899   Authority  ns-566.awsdns-06.net        awsdns-hostmaster.amazon.com

It seems to be a streaming app for iOS (iPhone).


__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/

Jon_AK (#3)
Would be nice if I knew more of PowerShell... I copied your PS command but it generated an error about the DNS name containing an invalid character, but anyway...

If this is an iOS streaming app, how would it continue to run if all computers were off?  That is the part that befuddles me.  I ran Wireshark for about 15 minutes but I'm not sure if I set it up correctly to show where the originating request is coming from.

donoli (#4)
There is something fishy about that domain.  If I try to ping it or run a traceroute to it, I get an unknown host error.

$ traceroute skeegleapp.com
skeegleapp.com: Name or service not known


$ ping skeegleapp.com
ping: unknown host skeegleapp.com

If I run a whois, the response shows that it's a legit domain.

Domain Name: skeegleapp.com
Registry Domain ID: 1896936178_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2015-04-21T09:58:02Z
Creation Date: 2015-01-19T21:07:54Z
Registrar Registration Expiration Date: 2018-01-19T21:07:54Z
Registrar: GANDI SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse@support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Registrant Name: Florent de Bodman
Registrant Organization:
Registrant Street: 69 bis rue Brancion
Registrant City: Paris
Registrant State/Province: Ile-de-France
Registrant Postal Code: 75015
Registrant Country: FR
Registrant Phone: +33.608621500

If you think that it's an internal problem, maybe look at the DHCP client list in the router.   If you think that it's an external problem, you might want to contact them at the abuse email address above or any other method that you choose.

wkasdo (#5)
> I copied your PS command but generated an error about the DNS name containing an invalid character but anyway...

That is because the forum software is interpreting code where it really shouldn't. It expands the "www" host to http.  Code should be: Resolve-DnsName -Name www.skeegleapp.com -Server 8.8.8.8.

Check your wireless access point for active devices.


donoli (#6)
The PowerShell command seems to fall short on that query compared to Unix & Linux commands.  Does it require http or www to be part of the command?

wkasdo (#7)
www is the hostname. The http part is added by the forum and should not be there.

Jon_AK (#8)
This one is a real problem.  Normally, I'm able to track down and find the culprit but no luck this time.  I picked up a program named "Remote Process Explorer" from Lizard Systems in order to check what is running on the client machines here but wind up with over half of them displaying the error "RPC server is unavailable".  Even with the necessary ports opened in the firewall it fails.  I can edit their registry, services and Task Manager from my workstation but their running tasks just won't get it.  Any other ideas?

I did figure out that the http:// part needed to be removed from the PowerShell command line.

wkasdo (#9)
We are a little short on details here, so let me make a few assumptions.

What is the primary DNS here? The Windows AD server, or your ASA device? Assuming the server (it should be), enable DNS debug logging. The logs will show which clients issued the query.

If the ASA is primary, enable port mirroring and use Wireshark to capture DNS traffic. This again will show you where the query comes from.

Finally, I suspect a problem on your ASA config. The DNS query should resolve, and if it doesn't there must be a misconfiguration.


Jon_AK (#10)
AD server is the primary DNS.  Due to abuse by employees, all social media sites are blocked at the ASA firewall and this includes skeegle.  I unblocked it yesterday and the errors went away.  I have yet to review the Wireshark logs that I ran before I left for home in hopes to see which client is generating the DNS request.

donoli (#11)
> www is the hostname.

I'm not so sure about that. Whenever I query a domain name, I never use anything other than the .com or .whatever.

Look at the output from the whois that I pasted in post #4.  Much more info is there than what PowerShell returned.

Here is the output of the host -aa command.

skeegleapp.com.         300     IN      MX      5 alt2.aspmx.l.google.com.
skeegleapp.com.         300     IN      MX      10 alt3.aspmx.l.google.com.
skeegleapp.com.         300     IN      MX      10 alt4.aspmx.l.google.com.
skeegleapp.com.         300     IN      MX      1 aspmx.l.google.com.
skeegleapp.com.         300     IN      MX      5 alt1.aspmx.l.google.com.
skeegleapp.com.         900     IN      SOA     ns-566.awsdns-06.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
skeegleapp.com.         110422  IN      NS      ns-566.awsdns-06.net.
skeegleapp.com.         110422  IN      NS      ns-154.awsdns-19.com.
skeegleapp.com.         110422  IN      NS      ns-1825.awsdns-36.co.uk.
skeegleapp.com.         110422  IN      NS      ns-1529.awsdns-63.org.

;; AUTHORITY SECTION:
skeegleapp.com.         110422  IN      NS      ns-1529.awsdns-63.org.
skeegleapp.com.         110422  IN      NS      ns-566.awsdns-06.net.
skeegleapp.com.         110422  IN      NS      ns-154.awsdns-19.com.
skeegleapp.com.         110422  IN      NS      ns-1825.awsdns-36.co.uk.

;; ADDITIONAL SECTION:
aspmx.l.google.com.     273     IN      A       173.194.74.26
aspmx.l.google.com.     113     IN      AAAA    2607:f8b0:4001:c0e::1b
alt1.aspmx.l.google.com. 282    IN      A       173.194.68.27
alt1.aspmx.l.google.com. 18     IN      AAAA    2607:f8b0:400d:c0c::1a
alt2.aspmx.l.google.com. 282    IN      A       173.194.211.27

> "RPC server is unavailable".

That could be because port 111 is closed & no port mapper is running.

If you want to try Wireshark again, add the proper filters.  For example, port 53.  That will capture only DNS (port 53) traffic.  For now that's the only filter that you need.

wkasdo (#12)
>> www is the hostname.
> I'm not so sure about that. Whenever I query a domain name, I never use anything other than the .com or .whatever

Let me clarify. In an FQDN like www.skeegleapp.com. the "www" part is the hostname in a syntactical sense. In this case it's implemented as a CNAME pointing to nothing, registered under the zone of skeegleapp.com.


Jon_AK (#13)
I checked the Wireshark logs and they sort of match what the DNS debug logs show.  I checked up on the skeegle place and it is a European venture into private social networking among other things.  Not sure what is causing the client listed in the screen shot below to send out the DNS request.  I do have 8.8.8.8 and 8.8.4.4 listed as a DNS forwarder - came from a recommendation.  In the DNS log file below, there are also several hundred requests originating from the ASA to skeegleapp.com for DNS resolution.  I noticed that all the entries at the top of the DNS debug log point to a DNS request to the sites that I have in the blocked list, but it happens only once.  I'm guessing that since the ASA cannot get a ping back from skeegleapp.com in order to verify the setting, it continues to send, thinking it will eventually get a response.  The interesting thing is that skeegleapp.com has been blocked for well over a year and this just now started to happen.
[image]

For the RPC server unavailable message, I did not know that port 111 had to be open.  I did check the services on the clients and they do have the RPC Endpoint Mapper service running.  I will try opening port 111 and hopefully that corrects the issue with that.
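One way to do the attribution wkasdo suggests in post #9 and Jon_AK works through in post #13, as an added example that is not code from the thread or from any participant: parse Windows DNS server debug-log packet lines and count inbound queries for skeegleapp.com per source address, so a chatty firewall or a single workstation stands out from the server's own forwarder traffic. The log lines are constructed in the Server 2008 R2 debug-log layout and the addresses are made up; the regex assumes that layout.

```python
import re
from collections import Counter

# Constructed sample in the Windows Server 2008 R2 DNS debug-log packet format (made up for
# this example, not from the thread); 192.168.2.1 stands in for the ASA, the rest for clients.
SAMPLE_LOG = """\
1/5/2017 9:37:22 AM 0A28 PACKET  00000000028A1B60 UDP Rcv 192.168.2.100   0002   Q [0001   D   NOERROR] A      (3)www(10)skeegleapp(3)com(0)
1/5/2017 9:37:22 AM 0A28 PACKET  00000000028A1B60 UDP Snd 8.8.8.8         9c1f   Q [0001   D   NOERROR] A      (3)www(10)skeegleapp(3)com(0)
1/5/2017 9:37:24 AM 0A28 PACKET  00000000028A1C20 UDP Rcv 192.168.2.1     0003   Q [0001   D   NOERROR] A      (10)skeegleapp(3)com(0)
1/5/2017 9:41:25 AM 0A28 PACKET  00000000028A1D10 UDP Rcv 192.168.2.1     0004   Q [0001   D   NOERROR] A      (10)skeegleapp(3)com(0)
1/5/2017 9:41:40 AM 0A28 PACKET  00000000028A1E00 UDP Rcv 192.168.2.57    0005   Q [0001   D   NOERROR] A      (3)www(6)google(3)com(0)
1/5/2017 9:41:40 AM 0A28 PACKET  00000000028A1E00 UDP Snd 192.168.2.57    0005 R Q [8081   DR  NOERROR] A      (3)www(6)google(3)com(0)
"""

# One packet line: timestamp, thread id, PACKET, packet id, protocol, direction (Rcv = received by
# the DNS server, Snd = sent by it), remote IP, xid, optional R (response), opcode, [flags], qtype, qname.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<tid>[0-9A-F]+) PACKET\s+(?P<pkt>[0-9A-F]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<ip>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<resp>R)?\s*(?P<opcode>\S)\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def decode_name(wire_name: str) -> str:
    """Turn '(3)www(10)skeegleapp(3)com(0)' into 'www.skeegleapp.com'."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()]*)", wire_name):
        if int(length) != len(label):  # length prefix must agree with its label
            raise ValueError(f"bad label length in {wire_name!r}")
        if label:
            labels.append(label)
    return ".".join(labels).lower()

def query_sources(log_text: str, zone_suffix: str) -> Counter:
    """Count inbound (Rcv) queries per source IP for names in zone_suffix.
    Responses (R) and the server's own forwarder traffic (Snd) are skipped, so each
    lookup is attributed to the host that actually asked, not to the DNS server."""
    zone_suffix = zone_suffix.lower().strip(".")
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "Rcv" or m.group("resp"):
            continue
        name = decode_name(m.group("qname"))
        if name == zone_suffix or name.endswith("." + zone_suffix):
            hits[m.group("ip")] += 1
    return hits

if __name__ == "__main__":
    for ip, n in query_sources(SAMPLE_LOG, "skeegleapp.com").most_common():
        print(f"{ip:15} {n} queries")
```

Point it at the real dns.log by reading the file into `query_sources`; the address with the highest count is the host to look at, and the outbound Snd lines to 8.8.8.8 are the forwarder, not a client.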

Jon_AK (#14)
Update:
I added Port 111 to the firewall but still get RPC server not available error.

donoli (#15)
Jon_AK, you don't need port mapper.  Close port 111 on the router.  I only mentioned it because of the error, which could be from port 111 on skeegleapp's side.  Is 192.168.2.100 a workstation?  If so, see what the user is doing.