I work for a military branch maintaining all the public DNS servers world-wide. All our recursive servers world-wide get hit with massive DNS spikes all at the same moment all over the world. A typical server can go from 900 queries per second to 30,000 in these spikes. All the requests are in the form of:
From what I understand, this has to do with the web gateway product and the file reputation query. Apparently this is set somewhere in Universal (Zulu) time, as it hits servers all over the planet at the same moment. I don't have access to the Active Directory domain controllers, so can someone tell me how this is configured, how it can possibly be configured to use local time rather than Universal time, and whether it can possibly be set individually per controller? These large spikes trigger DDoS protections and are causing problems in our network.
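A small detector for the kind of synchronised burst the post describes, written as an added example for this thread (it is not code from the poster or from any vendor). It assumes a resolver query log with one line per query in the form "<ISO-8601 UTC timestamp> <client IP> <query name>", buckets queries per second, compares each second against the median of the preceding seconds, and reports which registered domain dominates a flagged second. The sample traffic is constructed inline: a steady baseline, then a burst at the top of the hour under a placeholder domain (the real query form from the post is not reproduced here).

```python
"""Per-second query-rate spike detector for resolver query logs.

Added example, not from the original thread. Log line format is an assumption:
"<ISO-8601 UTC timestamp> <client IP> <query name>".
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

SPIKE_FACTOR = 10      # flag a second whose rate is >= 10x the trailing baseline
BASELINE_WINDOW = 10   # number of preceding observed seconds used for the baseline


def parse_line(line):
    """Return (timestamp, client, normalised qname) for one log line."""
    ts, client, qname = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, qname.rstrip(".").lower()


def registered_domain(qname, labels=2):
    """Crude grouping key: the last `labels` DNS labels, enough to group one product's lookups."""
    return ".".join(qname.split(".")[-labels:])


def detect_spikes(lines, factor=SPIKE_FACTOR, window=BASELINE_WINDOW):
    """Return a list of flagged seconds with qps, baseline and the dominant domain.

    Seconds with no queries at all are not observed and therefore not counted
    towards the baseline; for a busy recursive server that is a safe simplification.
    """
    per_second = Counter()
    domains_per_second = {}   # second -> Counter of registered domains
    for line in lines:
        if not line.strip():
            continue
        when, _client, qname = parse_line(line)
        per_second[when] += 1
        domains_per_second.setdefault(when, Counter())[registered_domain(qname)] += 1

    spikes = []
    seconds = sorted(per_second)
    for i, sec in enumerate(seconds):
        # Baseline: median qps of the previous `window` observed seconds (at least 3 needed).
        prev = [per_second[s] for s in seconds[max(0, i - window):i]]
        if len(prev) < 3:
            continue
        baseline = median(prev)
        qps = per_second[sec]
        if qps >= factor * baseline:
            top_domain, top_count = domains_per_second[sec].most_common(1)[0]
            spikes.append({
                "second": sec.isoformat(),
                "qps": qps,
                "baseline": baseline,
                "top_domain": top_domain,
                "top_share": round(top_count / qps, 2),
            })
    return spikes


def build_sample_log(baseline_qps=5, spike_qps=200, spike_seconds=(10, 11)):
    """Constructed traffic: 15 seconds of steady baseline with a burst at 01:00:00Z.

    Names, addresses and the burst domain are placeholders made up for this example.
    """
    t0 = datetime(2024, 3, 1, 0, 59, 50, tzinfo=timezone.utc)
    lines = []
    for s in range(15):
        ts = (t0 + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        for i in range(baseline_qps):
            lines.append(f"{ts} 10.1.{i}.{s} host{i}.example.com")
        if s in spike_seconds:
            for i in range(spike_qps):
                # Many distinct clients all asking under one constructed domain at once.
                lines.append(f"{ts} 10.2.{i // 250}.{i % 250} h{i:04x}.reputation-lookup.invalid")
    return lines


if __name__ == "__main__":
    for spike in detect_spikes(build_sample_log()):
        print(spike)
```

On a real server, feed the detector the resolver's query log (or a packet-capture export reduced to the three fields above); the `top_domain` and `top_share` fields are what let you attribute a flagged second to one product's lookups rather than to general load.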
as it hits servers all over the planet at the same moment.
It doesn't look to me as if these DNS requests are coming from the MWG, but rather from ePO or another reporting solution or script that checks web/file reputation in batches. Can you correlate these spikes with the times when reports are running?
They appear to be coming from the Global Threat Intelligence. I see there is a proxy server that can be set up so the clients don't go to the DNS server directly, but there is no indication whether the proxy server condenses the queries and stores the answer to prevent further queries, or whether it just relays the same repeated requests. Does anyone know?
Hope you are doing well.
Minimum TTL for DNS Cache=> 1 seconds
Maximum TTL for DNS Cache=> 3600 seconds
If MWG does a DNS query and gets a DNS response with a TTL value in it, it will cache the DNS response for that time.
Also, in the MWG DNS configuration, minimum and maximum TTL values are there by default.
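The reply above describes a cache that honours the response TTL but clamps it between a minimum (1 s) and a maximum (3600 s). The following is an added example, not MWG's code, that models exactly that rule so the effect on upstream query volume can be measured: with a 1 s floor, a burst of identical lookups within one second costs one upstream query instead of one per lookup, and with a 3600 s ceiling a long upstream TTL is refreshed every hour. The cache class, the simulated burst and the answer address are assumptions for illustration; whether the GTI proxy mentioned earlier in the thread caches this way is not established here.

```python
"""Resolver-side cache with TTL clamping.

Added example modelling the minimum/maximum cache TTL rule described in the reply;
not MWG code. The 1 s / 3600 s bounds are taken from the reply, everything else
(class, simulation, answer address) is an assumption for illustration.
"""

MIN_TTL = 1      # seconds, "Minimum TTL for DNS Cache"
MAX_TTL = 3600   # seconds, "Maximum TTL for DNS Cache"


def clamp_ttl(ttl, min_ttl=MIN_TTL, max_ttl=MAX_TTL):
    """Clamp a response TTL into [min_ttl, max_ttl]."""
    return max(min_ttl, min(max_ttl, ttl))


class TtlCache:
    """Positive-answer cache keyed by query name, expiring on a clamped TTL."""

    def __init__(self, min_ttl=MIN_TTL, max_ttl=MAX_TTL):
        self.min_ttl = min_ttl
        self.max_ttl = max_ttl
        self._entries = {}          # qname -> (answer, expires_at)
        self.upstream_queries = 0   # how many lookups actually left this box

    def resolve(self, qname, upstream, now):
        """Return (answer, from_cache). `upstream(qname)` must return (answer, ttl)."""
        key = qname.rstrip(".").lower()
        entry = self._entries.get(key)
        if entry is not None and now < entry[1]:
            return entry[0], True
        answer, ttl = upstream(key)
        self.upstream_queries += 1
        self._entries[key] = (answer, now + clamp_ttl(ttl, self.min_ttl, self.max_ttl))
        return answer, False


def upstream_queries_for_burst(response_ttl, n_lookups=100, spacing=0.01,
                               min_ttl=MIN_TTL, max_ttl=MAX_TTL):
    """Count upstream queries caused by n_lookups identical lookups `spacing` seconds apart.

    The upstream always answers with the same constructed address (TEST-NET-3)
    and the given TTL, so only the clamping rule decides how often it is asked.
    """
    def upstream(_qname):
        return "203.0.113.7", response_ttl

    cache = TtlCache(min_ttl, max_ttl)
    for i in range(n_lookups):
        cache.resolve("lookup.example", upstream, now=i * spacing)
    return cache.upstream_queries


if __name__ == "__main__":
    print("TTL 0, 100 lookups in 1 s, floor 1 s :", upstream_queries_for_burst(0))
    print("TTL 0, 100 lookups in 1 s, no floor  :", upstream_queries_for_burst(0, min_ttl=0))
    print("TTL 86400, 100 lookups 60 s apart, ceiling 3600 s:",
          upstream_queries_for_burst(86400, spacing=60))
```

The two numbers worth comparing are the TTL 0 cases: an upstream that hands out zero-TTL answers defeats caching entirely unless the resolver enforces a floor, which is why a minimum TTL is the knob that actually shaves a synchronised burst of identical lookups.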
McAfee Web Gateway primarily uses tunnel.web.trustedsource.org for its GTI needs and it does so per client request, not in batches.
These requests belong to a different product vertical.
Check the link below, it might offer some pointers.