We have been having periodic mail problems sending to a certain domain that go away if I restart DNS and restart my Exchange server (the domain in the queue indicates: Unable to bind to the destination server in DNS)... but it inevitably rears its ugly head again. I think my DNS cache is being corrupted, so I went searching for DNS problems. I am getting this in my DNS logs:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 2/8/2002
Time: 1:54:14 AM
User: N/A
Computer: TATL0S07
Description: The DNS server encountered an invalid domain name in a packet from 207.14.100.134. The packet is rejected.

periodically, 4 times every 2 seconds in intervals of 5 minutes (thousands of events). If I check EventID.net this is the response:

Description: DNS Server encountered invalid domain name in packet from <IP address>. Packet is rejected.

Comments:

A.G.: As the message suggests, the DNS server has received an invalid domain name. By invalid it means that it contains invalid characters. MS DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen) as part of a domain name. Some other DNS servers may not strictly enforce RFC 952 (DOD INTERNET HOST TABLE SPECIFICATION), so invalid names reach the DNS server and the 5504 message is recorded. Usually this happens when forwarders are used by the DNS server. Microsoft suggested to one user to turn off the forwarder in order to eliminate these messages. There used to be a Knowledge Base article "Q246797 - DNS EVENT IDS 5504, 9999, AND 5000 FILL EVENT VIEWER" but it is no longer available. Another condition that may generate these messages is when the Internet connection is saturated or not working properly (losing packets). Because of the poor Internet connection, the DNS server may receive incomplete or corrupted data and 5504 is generated.

J.C.: "See Q241352 on how to prevent DNS Cache Pollution".
When I check the Q article on cache pollution it tells me about adding a registry setting to eliminate non-secure data:

DNS cache pollution can occur if Domain Name System (DNS) "spoofing" has been encountered. The term "spoofing" describes the sending of non-secure data in response to a DNS query. It can be used to redirect queries to a rogue DNS server and can be malicious in nature.

Now if I do a reverse DNS scan on the IP I get:

Reverse DNS Scan
207.14.100.1 gw.snapnames.com (bogus rDNS)
207.14.100.4 gateway1.snapnames.com (bogus rDNS)

What I don't understand is how this is hitting my DNS server. I have ISA set up with no incoming DNS ports enabled. How are my DNS servers' event logs recording this? Is this something internal that is querying out to this IP? Some sort of trojan? I have also turned on my DNS logging (all settings checked) and cannot find that IP in any of the log files. I do, however, have entries pertaining to the domains that I cannot send email to (sushiclothingco.com and marketatl.com), which are long and will be the last thing attached. I see it saying RCODE 2 (SERVFAIL), which I believe is the problem, but the rest is Greek to me. I know this is not a DNS group, but if anyone here can help with comments or advice it would be appreciated, as I am not sure if requests are making it through my ISA server or if I have a serious security issue. Thanks for any help!
Snd 10.1.2.151 0f81 R Q [8281 DR SERVFAIL] (15)sushiclothingco(3)com(0)
  UDP response info at 010C1F1C
  Socket = 496  Remote addr 10.1.2.151, port 1105
  Time Query=187657, Queued=187657, Expire=187672
  Buf length = 0x0200 (512)  Msg length = 0x0025 (37)
  Message: XID 0x0f81  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(15)sushiclothingco(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f82 R Q [8281 DR SERVFAIL] (6)hipinc(3)com(0)
  UDP response info at 0115901C
  Socket = 496  Remote addr 10.1.2.151, port 1108
  Time Query=187657, Queued=187657, Expire=187672
  Buf length = 0x0200 (512)  Msg length = 0x001c (28)
  Message: XID 0x0f82  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(6)hipinc(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Rcv 10.1.2.151 0f86 Q [0001 D NOERROR] (6)hipinc(3)com(0)
  UDP question info at 010F9AAC
  Socket = 496  Remote addr 10.1.2.151, port 1156
  Time Query=187675, Queued=0, Expire=0
  Buf length = 0x0200 (512)  Msg length = 0x001c (28)
  Message: XID 0x0f86  Flags 0x0100  QR 0 (question)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 0  Z 0  RCODE 0 (NOERROR)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(6)hipinc(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 192.5.6.30 0fd8 Q [0000 NOERROR] (6)hipinc(3)com(0)
  UDP question info at 011704AC
  Socket = 520  Remote addr 192.5.6.30, port 53
  Time Query=0, Queued=0, Expire=0
  Buf length = 0x0200 (512)  Msg length = 0x001c (28)
  Message: XID 0x0fd8  Flags 0x0000  QR 0 (question)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 0  RA 0  Z 0  RCODE 0 (NOERROR)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(6)hipinc(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Rcv 192.5.6.30 0fd8 R Q [0080 NOERROR] (6)hipinc(3)com(0)
  UDP response info at 0117CE2C
  Socket = 520  Remote addr 192.5.6.30, port 53
  Time Query=187675, Queued=0, Expire=0
  Buf length = 0x0200 (512)  Msg length = 0x0092 (146)
  Message: XID 0x0fd8  Flags 0x8000  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 0  RA 0  Z 0  RCODE 0 (NOERROR)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x3  ARCOUNT 0x3
  Offset = 0x000c, RR count = 0  Name "(6)hipinc(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
    Offset = 0x001c, RR count = 0  Name "[C00C](6)hipinc(3)com(0)"  TYPE NS (2)  CLASS 1  TTL 172800  DLEN 20  DATA (4)DNS1(9)INTERLAND(3)NET(0)
    Offset = 0x003c, RR count = 1  Name "[C00C](6)hipinc(3)com(0)"  TYPE NS (2)  CLASS 1  TTL 172800  DLEN 7  DATA (4)DNS2[C02D](9)INTERLAND(3)NET(0)
    Offset = 0x004f, RR count = 2  Name "[C00C](6)hipinc(3)com(0)"  TYPE NS (2)  CLASS 1  TTL 172800  DLEN 7  DATA (4)DNS3[C02D](9)INTERLAND(3)NET(0)
  ADDITIONAL SECTION:
    Offset = 0x0062, RR count = 0  Name "[C028](4)DNS1(9)INTERLAND(3)NET(0)"  TYPE A (1)  CLASS 1  TTL 172800  DLEN 4  DATA 64.224.20.132
    Offset = 0x0072, RR count = 1  Name "[C048](4)DNS2[C02D](9)INTERLAND(3)NET(0)"  TYPE A (1)  CLASS 1  TTL 172800  DLEN 4  DATA 64.224.20.133
    Offset = 0x0082, RR count = 2  Name "[C05B](4)DNS3[C02D](9)INTERLAND(3)NET(0)"  TYPE A (1)  CLASS 1  TTL 172800  DLEN 4  DATA 64.224.20.134

Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
  UDP response info at 011224AC
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187660, Queued=187660, Expire=187675
  Buf length = 0x0200 (512)  Msg length = 0x001f (31)
  Message: XID 0x0f83  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
  UDP response info at 011106AC
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187661, Queued=187661, Expire=187676
  Buf length = 0x0200 (512)  Msg length = 0x001f (31)
  Message: XID 0x0f83  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Rcv 10.1.2.151 0f87 Q [0001 D NOERROR] (9)marketatl(3)com(14)trendinfluence(3)com(0)
  UDP question info at 0115901C
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187677, Queued=0, Expire=0
  Buf length = 0x0200 (512)  Msg length = 0x0032 (50)
  Message: XID 0x0f87  Flags 0x0100  QR 0 (question)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 0  Z 0  RCODE 0 (NOERROR)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(14)trendinfluence(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f87 R Q [8385 A DR NXDOMAIN] (9)marketatl(3)com(14)trendinfluence(3)com(0)
  UDP response info at 0115901C
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187677, Queued=0, Expire=0
  Buf length = 0x0200 (512)  Msg length = 0x0076 (118)
  Message: XID 0x0f87  Flags 0x8583  QR 1 (response)  OPCODE 0 (QUERY)  AA 1  TC 0  RD 1  RA 1  Z 0  RCODE 3 (NXDOMAIN)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x1  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(14)trendinfluence(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
    Offset = 0x0032, RR count = 0  Name "(14)trendinfluence(3)com(0)"  TYPE SOA (6)  CLASS 1  TTL 3600  DLEN 38
    DATA PrimaryServer: (8)tatl0s03[C032](14)trendinfluence(3)com(0)  Administrator: (5)admin(0)  SerialNo = 904  Refresh = 900  Retry = 600  Expire = 86400  MinimumTTL = 3600
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
  UDP response info at 004D667C
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187663, Queued=187663, Expire=187678
  Buf length = 0x0200 (512)  Msg length = 0x001f (31)
  Message: XID 0x0f83  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
  UDP response info at 0109108C
  Socket = 496  Remote addr 10.1.2.151, port 1138
  Time Query=187665, Queued=187665, Expire=187680
  Buf length = 0x0200 (512)  Msg length = 0x001f (31)
  Message: XID 0x0f83  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(9)marketatl(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:

Snd 10.1.2.151 0f86 R Q [8281 DR SERVFAIL] (6)hipinc(3)com(0)
  UDP response info at 004D540C
  Socket = 496  Remote addr 10.1.2.151, port 1156
  Time Query=187665, Queued=187665, Expire=187680
  Buf length = 0x0200 (512)  Msg length = 0x001c (28)
  Message: XID 0x0f86  Flags 0x8182  QR 1 (response)  OPCODE 0 (QUERY)  AA 0  TC 0  RD 1  RA 1  Z 0  RCODE 2 (SERVFAIL)
  QCOUNT 0x1  ACOUNT 0x0  NSCOUNT 0x0  ARCOUNT 0x0
  Offset = 0x000c, RR count = 0  Name "(6)hipinc(3)com(0)"  QTYPE A (1)  QCLASS 1
  ANSWER SECTION:
  AUTHORITY SECTION:
  ADDITIONAL SECTION:
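As an added example (not part of the original post), a small Python parser for the summary lines of the Windows DNS debug log quoted above: it expands the (9)marketatl(3)com(0) label notation into a dotted name, decodes the DNS header flag word (the bracketed hex in the summary line is that same word with its two bytes swapped, e.g. 8281 beside Flags 0x8182), and tallies the SERVFAIL answers returned to clients per name. The sample lines are constructed to mirror the entries in the post; the function names and the summary format are the example's own.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Windows DNS debug-log summary
# lines quoted in the post (direction, remote addr, XID, bracketed header word, name).
SAMPLE_LOG = """\
Snd 10.1.2.151 0f81 R Q [8281 DR SERVFAIL] (15)sushiclothingco(3)com(0)
Rcv 10.1.2.151 0f86 Q [0001 D NOERROR] (6)hipinc(3)com(0)
Snd 192.5.6.30 0fd8 Q [0000 NOERROR] (6)hipinc(3)com(0)
Rcv 192.5.6.30 0fd8 R Q [0080 NOERROR] (6)hipinc(3)com(0)
Snd 10.1.2.151 0f87 R Q [8385 A DR NXDOMAIN] (9)marketatl(3)com(14)trendinfluence(3)com(0)
Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
Snd 10.1.2.151 0f83 R Q [8281 DR SERVFAIL] (9)marketatl(3)com(0)
"""

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

LINE_RE = re.compile(
    r"^(?P<dir>Snd|Rcv) (?P<addr>\S+) (?P<xid>[0-9a-f]{4}) (?:R )?Q "
    r"\[(?P<word>[0-9a-f]{4})[^\]]*\] (?P<name>\S+)$"
)

def decode_flags(flags):
    """Split the 16-bit RFC 1035 header flag word into its named fields."""
    return {"QR": flags >> 15 & 1, "OPCODE": flags >> 11 & 0xF, "AA": flags >> 10 & 1,
            "TC": flags >> 9 & 1, "RD": flags >> 8 & 1, "RA": flags >> 7 & 1,
            "Z": flags >> 4 & 0x7, "RCODE": flags & 0xF}

def decode_name(wire):
    """Expand the log's "(9)marketatl(3)com(0)" label notation into dotted form."""
    labels = re.findall(r"\((\d+)\)([A-Za-z0-9-]*)", wire)
    return ".".join(label for n, label in labels if int(n) == len(label) > 0)

def parse_line(line):
    """Parse one summary line. The bracketed hex is the flag word with its two
    bytes swapped (the log shows 8281 beside Flags 0x8182), so swap it back."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    word = int(m["word"], 16)
    flags = decode_flags((word & 0xFF) << 8 | word >> 8)
    return {"dir": m["dir"], "addr": m["addr"], "xid": m["xid"],
            "name": decode_name(m["name"]),
            "rcode": RCODES.get(flags["RCODE"], str(flags["RCODE"])), **flags}

def servfail_summary(log):
    """Count SERVFAIL answers (QR 1, RCODE 2) handed back to clients, per name."""
    recs = (parse_line(l) for l in log.splitlines())
    return Counter(r["name"] for r in recs if r and r["QR"] and r["rcode"] == "SERVFAIL")
```

Run against the post's own log, the tally isolates sushiclothingco.com and marketatl.com as the names that never resolve, while the (9)marketatl(3)com(14)trendinfluence(3)com(0) entry decodes to marketatl.com.trendinfluence.com answered with AA 1 from the server's own trendinfluence.com zone, i.e. the client's DNS suffix search landing in a local zone rather than the failing external lookup.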