01-19-2017 07:53 AM
Hi, best regards. We currently have problems with TCP connections in active DNS which are in SYN_RECV state. These connections could be passed to ESTABLISHED.
tcp 0 0 dnscan02.mnc004.mcc7:domain 18.104.22.168:15005 SYN_RECV
tcp 0 0 dnscan02.mnc004.mcc7:domain 22.214.171.124:15012 SYN_RECV
tcp 0 0 dnscan02.mnc004.mcc7:domain 126.96.36.199:15003 SYN_RECV
04-24-2017 11:50 AM
The TCP state SYN_RECV indicates that a TCP handshake was started but never completed. You may need to review the connection from the system referenced and see if this might be due to an unstable/unreliable connection, a malicious (DoS) attempt or another system issue.
These should time out on their own, but if there are frequent TCP connections from the remote system (common for secondary name servers where frequent zone transfers occur), you may see these frequently appear in the connections table and it may seem like they're stale when in fact it is normal system activity. The name that resolved here looks like an internal one, so I would assume that this is normal and not something malicious, but traffic captures and system logs can be used to help verify what exactly is being sent back and forth.
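An added example, not part of the original posts: one way to do the review the reply describes is to tally SYN_RECV entries on the DNS port per remote address and separate peers you expect (such as secondary name servers) from ones worth checking in captures and logs. The sample lines, the known-peer set and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in netstat layout (documentation-range addresses,
# hypothetical host name); not taken from the thread.
SAMPLE = """\
tcp 0 0 ns1.example:domain 192.0.2.10:15005 SYN_RECV
tcp 0 0 ns1.example:domain 192.0.2.10:15012 SYN_RECV
tcp 0 0 ns1.example:domain 192.0.2.10:15003 SYN_RECV
tcp 0 0 ns1.example:domain 198.51.100.7:40112 SYN_RECV
tcp 0 0 ns1.example:domain 192.0.2.10:15020 ESTABLISHED
tcp 0 0 ns1.example:ssh 203.0.113.5:50222 ESTABLISHED
"""


def half_open_by_peer(netstat_text, ports=("domain", "53")):
    """Count SYN_RECV sockets on the given local ports per remote address."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: proto recv-q send-q local remote state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        if fields[5] != "SYN_RECV":
            continue
        local_port = fields[3].rsplit(":", 1)[-1]
        if local_port not in ports:
            continue
        remote_addr = fields[4].rsplit(":", 1)[0]
        counts[remote_addr] += 1
    return counts


def triage(counts, known_peers):
    """Split peers into expected ones and ones to review further."""
    report = {"expected": {}, "review": {}}
    for peer, n in counts.most_common():
        bucket = "expected" if peer in known_peers else "review"
        report[bucket][peer] = n
    return report


if __name__ == "__main__":
    # Assumption: 192.0.2.10 stands in for a known secondary name server.
    result = triage(half_open_by_peer(SAMPLE), known_peers={"192.0.2.10"})
    for bucket, peers in result.items():
        for peer, n in peers.items():
            print(f"{bucket:8} {peer:15} half-open={n}")
```

Run it against successive snapshots: entries that keep changing ports for the same expected peer are consistent with the normal activity the reply describes, while peers in the review bucket are the ones to check in traffic captures.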