
dns.exe (Windows DNS Server) generating outbound connections to non-DNS ports — seeking guidance on possible causes

Shabana Thasneem 1 Reputation point
2026-05-02T08:06:43.4433333+00:00

Environment:

  • Windows Server 2022
  • Role: Internal DNS Server (Active Directory integrated)
  • Monitoring: Sysmon Event ID 3 (Network Connection)
  • Our Sysmon logs show that C:\Windows\System32\dns.exe running as NT AUTHORITY\SYSTEM is generating outbound network connections to ports outside what we would expect for a DNS service. Over a 60-day monitoring period we captured 764 network connection events from this process.
  • multiple inbound connections to dns servers are also there from these ports to server via process dns.exe.
  • RuleName: [rule] UtcTime: 2026-04-xx xx:xx:xx ProcessGuid: {db19de14-xxxx-xxxx-xxxx-000000001600} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: true SourceIp: [internal DNS server IP] SourcePort: 53 DestinationIp: [internal IP] DestinationPort: 4444
  • file hash and parent child process checked and everything appears to be clean.
  • Does the Windows DNS Server service (dns.exe) have any legitimate built-in feature — such as a monitoring agent, telemetry component, update mechanism, or integrated security feature — that would cause it to make outbound connections on ports like 1080, 3128, or 4444?
  • Has Microsoft documented any known behaviour where the DNS service generates connections to internal hosts on non-DNS ports as part of Active Directory health checking or replication monitoring? The destination ports observed include:
| Port | Common Association | Protocol | Event count |
| -------- | -------- | -------- | -------- |
| 1080 | SOCKS proxy | UDP | 435 (combined with 3128/8080) |
| 3128 | HTTP proxy (Squid) | UDP | |
| 4444 | Metasploit default | UDP | 107 |
| 5900 | VNC | UDP | multiple |
| 3389 | RDP | TCP | multiple |
| 9001 | Tor ORPort | UDP | flagged |

2 answers

  1. Tracy Le 7,490 Reputation points Independent Advisor
    2026-05-05T17:34:30.9233333+00:00

    Hi Shabana Thasneem,

    I’m just checking back to see if you’ve had a chance to investigate the Destination IPs from those Sysmon logs.

    Were you able to confirm if those weird outbound connections were indeed just DNS responses returning to internal scanners or potentially infected machines? If you've identified the specific source causing those requests or if you need any further help analyzing the traffic patterns, please let me know.

    If the explanation helped clarify that "Sysmon illusion" for your team, please feel free to click "Accept Answer".

    Tracy.


  2. Tracy Le 7,490 Reputation points Independent Advisor
    2026-05-02T09:30:54.1933333+00:00

    Hi Shabana Thasneem,

    Microsoft DNS does not have a "secret telemetry feature" connecting to Metasploit port 4444 or Tor port 9001. Your dns.exe and the server are completely clean. What you are seeing is a classic Sysmon logging illusion. You are looking at DNS responses, not outbound attacks.

    Here is the technical reality of your log (SourcePort: 53 DestinationPort: 4444): Because UDP is a stateless protocol, when a client machine sends a DNS query to your server's Port 53, it originates from an ephemeral (dynamic) source port on the client side. If a client purposefully (or accidentally) sends a query from its own port 4444, your DNS server is obligated to send the answer back to port 4444. Sysmon simply logs dns.exe generating this reply packet, and analysts often misinterpret it as a malicious outbound connection.

    The "Destination IPs" in your logs are the actual culprits. They are likely:

    Internal vulnerability scanners (Nessus, Qualys, Nmap, etc.) intentionally crafting packets with weird source ports to map your network.

    Infected internal machines running port scans or malware that happen to query your DNS server using those specific ports.

    Stop investigating the DNS server. Look at the DestinationIp in those logs. Go to that specific client machine and use Sysmon/Netstat to find out what process is generating those weird outbound DNS requests.

    If this helps clarify the behavior, please click "Accept Answer".

    Tracy Le.

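The reasoning in the answer above (a UDP packet that leaves port 53 is the server replying to whatever source port the client chose, so the host worth examining is the DestinationIp) applied to the flattened Sysmon Event ID 3 records quoted in the question, as an added Python example. This is not code from the thread or from Microsoft; the six records are constructed, with made-up IPs, GUID and timestamps, the upstream forwarder address 192.0.2.53 is a placeholder, and the parser only knows the fields the question's excerpt shows.

```python
import re
from collections import Counter

# Field names as they appear in the flattened Event ID 3 text quoted in the
# question (hostname/IPv6 fields that the excerpt omits are omitted here too).
SYSMON_KEYS = [
    "RuleName", "UtcTime", "ProcessGuid", "ProcessId", "Image", "User",
    "Protocol", "Initiated", "SourceIp", "SourcePort",
    "DestinationIp", "DestinationPort",
]
_KEY_ALT = "|".join(SYSMON_KEYS)
# A value runs until the next " Key: " token or end of line, so values that
# contain colons themselves (UtcTime, the Image path) are kept intact.
FIELD_RE = re.compile(rf"(?P<key>{_KEY_ALT}): (?P<val>.*?)(?=\s(?:{_KEY_ALT}): |$)")

# Constructed sample records (hypothetical IPs, GUID and times).
SAMPLE_EVENTS = [
    # Replies from port 53 back to the ports the clients queried from
    r"RuleName: - UtcTime: 2026-04-10 08:00:01 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: true SourceIp: 10.0.0.5 SourcePort: 53 DestinationIp: 10.0.1.20 DestinationPort: 4444",
    r"RuleName: - UtcTime: 2026-04-10 08:00:02 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: true SourceIp: 10.0.0.5 SourcePort: 53 DestinationIp: 10.0.1.20 DestinationPort: 1080",
    r"RuleName: - UtcTime: 2026-04-10 08:00:03 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: true SourceIp: 10.0.0.5 SourcePort: 53 DestinationIp: 10.0.1.33 DestinationPort: 9001",
    # The client's query arriving (Initiated: false): the same flow seen from the other side
    r"RuleName: - UtcTime: 2026-04-10 08:00:01 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: false SourceIp: 10.0.1.20 SourcePort: 4444 DestinationIp: 10.0.0.5 DestinationPort: 53",
    # Recursive query to an upstream forwarder from an ephemeral port: expected server behaviour
    r"RuleName: - UtcTime: 2026-04-10 08:00:04 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: udp Initiated: true SourceIp: 10.0.0.5 SourcePort: 49712 DestinationIp: 192.0.2.53 DestinationPort: 53",
    # A TCP connection dns.exe itself opened to a non-DNS port: the reply pattern does not explain this one
    r"RuleName: - UtcTime: 2026-04-10 08:00:05 ProcessGuid: {00000000-0000-0000-0000-000000000001} ProcessId: 3748 Image: C:\Windows\System32\dns.exe User: NT AUTHORITY\SYSTEM Protocol: tcp Initiated: true SourceIp: 10.0.0.5 SourcePort: 51234 DestinationIp: 10.0.1.20 DestinationPort: 3389",
]


def parse_event(line: str) -> dict:
    """Turn one flattened Event ID 3 line into a dict of its fields."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(line.strip())}


def classify(ev: dict) -> str:
    """Label one dns.exe network event using the reply-traffic reasoning from the answer."""
    if ev.get("Initiated", "").lower() != "true":
        # The client's packet arriving at the server; not an action taken by dns.exe.
        return "inbound"
    proto = ev.get("Protocol", "").lower()
    sport = ev.get("SourcePort")
    dport = ev.get("DestinationPort")
    if proto == "udp" and sport == "53":
        # A UDP datagram leaving port 53 is the answer to a query; the "odd" destination
        # port is simply the source port the client queried from, echoed back.
        return "dns_response"
    if dport == "53":
        # Recursion or forwarding to another resolver from an ephemeral port.
        return "dns_query_out"
    # Ephemeral source port to a non-DNS port: not explained by the reply pattern.
    return "anomalous_outbound"


def triage(lines) -> dict:
    """Summarise dns.exe events: counts per class, which clients sent queries from
    unusual source ports, and any events the reply explanation does not cover."""
    events = [parse_event(l) for l in lines if l.strip()]
    events = [e for e in events if e.get("Image", "").lower().endswith("\\dns.exe")]
    labelled = [(classify(e), e) for e in events]
    by_class = Counter(label for label, _ in labelled)
    # For replies, DestinationIp is the querying client: that is the host to look at.
    clients = Counter(e["DestinationIp"] for label, e in labelled if label == "dns_response")
    anomalous = [e for label, e in labelled if label == "anomalous_outbound"]
    return {"by_class": by_class, "clients_to_examine": clients, "anomalous": anomalous}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("Events by class:", dict(result["by_class"]))
    print("Clients that queried from unusual source ports:", dict(result["clients_to_examine"]))
    for e in result["anomalous"]:
        print("Unexplained outbound:", e["Protocol"], f'{e["SourceIp"]}:{e["SourcePort"]}',
              "->", f'{e["DestinationIp"]}:{e["DestinationPort"]}')
```

The split matters for the TCP row in the question's table: with TCP, Sysmon's Initiated flag reflects which side opened the connection, so a TCP event from an ephemeral port on dns.exe to port 3389 with Initiated: true is not a reply to anything and is kept in its own bucket for a separate look, while the UDP port-53 replies are attributed to the querying clients.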
