Reply

internal VMware Log Insight server is flooding an appliance with queries that return NXDOMAIN

New Member
Posts: 3
2627     0

Today 4/27 our VMware colleagues stood up a new internal Log Insight server.  Now periodically, several times a day we get an alert from the internal name server it uses "Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 84%" followed a little while later (5 to 10 minutes) with the alert "DNS attack conditions have ended."

When questioned they replied "This is part of our Log Insight installation that does log collection and statistics" and "Log Insight is basically getting record of every single thing in a vCenter and trying to resolve it"

I know I can disable the alerting but I'd rather not. Does someone know if this is typical Log Insight behavior? Will this continue to occur? Or maybe it will slow down after some initial data collection? Is there a way to handle such query storms?   Thanks.  --Kevin O'Neil

Re: internal VMware Log Insight server is flooding an appliance with queries that return NXDOMAIN

Expert
Posts: 188
2628     0

This is quite a common problem with network management systems, they like to do a reverse lookup on every end-point IP address they detect. There's not much you can do other than get your reverse zones populated, or disable the alerting, or you could try and set up some response-rate limiting so you effectively throw away a lot of the queries coming from that device.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Showing results for 
Search instead for 
Did you mean: 

Recommended for You