04-27-2021 05:14 PM
Today, 4/27, our VMware colleagues stood up a new internal Log Insight server. Now, periodically, several times a day, we get an alert from the internal name server it uses: "Possible DNS attack detected. Abnormal conditions: NXDOMAIN responses at 84%", followed a little while later (5 to 10 minutes) by the alert "DNS attack conditions have ended."
When questioned, they replied "This is part of our Log Insight installation that does log collection and statistics" and "Log Insight is basically getting a record of every single thing in a vCenter and trying to resolve it."
I know I can disable the alerting but I'd rather not. Does someone know if this is typical Log Insight behavior? Will this continue to occur? Or maybe it will slow down after some initial data collection? Is there a way to handle such query storms? Thanks. --Kevin O'Neil
04-29-2021 03:41 AM
This is quite a common problem with network management systems; they like to do a reverse lookup on every end-point IP address they detect. There's not much you can do other than get your reverse zones populated, or disable the alerting, or you could try to set up some response-rate limiting so you effectively throw away a lot of the queries coming from that device.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
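The checks a name-server admin would run before choosing between the three options in the reply (populate the reverse zones, disable the alert, or rate-limit), as an added example that is not code from the thread and is not anything Log Insight or a DNS server ships. It assumes a simplified, tab-separated response log (timestamp, client, qname, qtype, rcode) that is constructed inline; the client address 10.0.0.20 standing in for the Log Insight host and the 10.0.1.0/24 range are assumptions. It reproduces the name server's NXDOMAIN-ratio alert, attributes the storm to a single client, confirms the misses are PTR lookups that a populated reverse zone would answer, and models a per-client NXDOMAIN budget in the spirit of BIND's `rate-limit { nxdomains-per-second N; }` (a simplified model, not BIND's actual RRL, which also keys on a /24 and uses slip/truncation).

```python
from __future__ import annotations
from collections import Counter, defaultdict
from dataclasses import dataclass

REVERSE_SUFFIXES = (".in-addr.arpa", ".ip6.arpa")


@dataclass(frozen=True)
class Response:
    ts: float
    client: str
    qname: str
    qtype: str
    rcode: str


def build_sample_log() -> str:
    """Constructed sample, not a real capture. Assumed layout per line:
    <unix ts>\\t<client ip>\\t<qname>\\t<qtype>\\t<rcode>."""
    lines = []
    # Hypothetical log collector at 10.0.0.20 reverse-resolving every host it saw
    # in vCenter; only 10.0.1.1 has a PTR record, the rest of the /24 does not.
    for i in range(20):
        rcode = "NOERROR" if i == 0 else "NXDOMAIN"
        lines.append(f"{1619564041.0 + i * 0.05:.2f}\t10.0.0.20\t"
                     f"{i + 1}.1.0.10.in-addr.arpa\tPTR\t{rcode}")
    # Ordinary workstation traffic from 10.0.0.7: resolvable names plus two typos.
    workstation = [("intranet.example.test", "NOERROR"), ("wkii.example.test", "NXDOMAIN"),
                   ("mail.example.test", "NOERROR"), ("mial.example.test", "NXDOMAIN"),
                   ("portal.example.test", "NOERROR")]
    for i, (name, rcode) in enumerate(workstation):
        lines.append(f"{1619564042.0 + i * 0.1:.2f}\t10.0.0.7\t{name}\tA\t{rcode}")
    return "\n".join(lines)


def parse_log(text: str) -> list[Response]:
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, qtype, rcode = line.split("\t")
        out.append(Response(float(ts), client, qname.lower().rstrip("."), qtype.upper(), rcode.upper()))
    return out


def nxdomain_ratio(responses: list[Response]) -> float:
    """The figure the name server's alert reports (e.g. 0.84 == 'NXDOMAIN responses at 84%')."""
    if not responses:
        return 0.0
    return sum(r.rcode == "NXDOMAIN" for r in responses) / len(responses)


def ratio_by_client(responses: list[Response], min_queries: int = 10) -> dict[str, float]:
    by_client: dict[str, list[Response]] = defaultdict(list)
    for r in responses:
        by_client[r.client].append(r)
    return {c: nxdomain_ratio(rs) for c, rs in by_client.items() if len(rs) >= min_queries}


def storm_sources(responses: list[Response], threshold: float = 0.5, min_queries: int = 10) -> list[str]:
    """Clients whose own NXDOMAIN ratio is over the threshold: the ones to ask about first."""
    return sorted(c for c, ratio in ratio_by_client(responses, min_queries).items() if ratio > threshold)


def is_reverse_lookup(r: Response) -> bool:
    return r.qtype == "PTR" and r.qname.endswith(REVERSE_SUFFIXES)


def reverse_share_of_misses(responses: list[Response], client: str) -> float:
    """Fraction of a client's NXDOMAINs that are reverse lookups; near 1.0 means
    populating the reverse zones would make the storm resolve instead of miss."""
    misses = [r for r in responses if r.client == client and r.rcode == "NXDOMAIN"]
    if not misses:
        return 0.0
    return sum(is_reverse_lookup(r) for r in misses) / len(misses)


def missing_ptr_names(responses: list[Response], client: str) -> list[str]:
    """The PTR owner names a populated reverse zone would need for this client."""
    return sorted({r.qname for r in responses
                   if r.client == client and r.rcode == "NXDOMAIN" and is_reverse_lookup(r)})


class NxdomainRateLimiter:
    """Per-client budget of negative answers per wall-clock second (simplified model)."""

    def __init__(self, nxdomains_per_second: int):
        self.limit = nxdomains_per_second
        self.buckets: Counter = Counter()

    def allow(self, r: Response) -> bool:
        if r.rcode != "NXDOMAIN":
            return True  # only negative answers are budgeted
        key = (r.client, int(r.ts))
        if self.buckets[key] >= self.limit:
            return False  # over budget: the answer is dropped, the client retries later
        self.buckets[key] += 1
        return True


def apply_rate_limit(responses: list[Response], nxdomains_per_second: int = 5) -> tuple[int, int]:
    """Returns (answered, dropped) after per-client NXDOMAIN limiting."""
    limiter = NxdomainRateLimiter(nxdomains_per_second)
    answered = dropped = 0
    for r in sorted(responses, key=lambda x: x.ts):
        if limiter.allow(r):
            answered += 1
        else:
            dropped += 1
    return answered, dropped


if __name__ == "__main__":
    rs = parse_log(build_sample_log())
    print(f"overall NXDOMAIN ratio: {nxdomain_ratio(rs):.0%}")
    for c in storm_sources(rs):
        print(f"{c}: {reverse_share_of_misses(rs, c):.0%} of misses are PTR; "
              f"{len(missing_ptr_names(rs, c))} PTR records would silence them")
    print("with 5 NXDOMAIN/s per client: answered/dropped =", apply_rate_limit(rs))
```

On the constructed sample the overall ratio lands at 84%, matching the alert in the question, while the per-client view shows a single source whose misses are entirely reverse lookups. That distinction matters for the decision: disabling the alert hides the signal for everyone, rate limiting throws the collector's retries away, and populating the reverse zones (or delegating the ranges the collector scans) removes the NXDOMAINs altogether.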