The log you should be reading is %SystemRoot%\system32\dns\dns.log. It's where the DNS services does the extended logging to. Jim Harrison MCP(NT4, 2K), A+, Network+, PCG ----- Original Message ----- From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Wednesday, October 24, 2001 09:44 Subject: [isalist] RE: Wierd DNS stuff... http://www.ISAserver.org So I enabled the extended logging and there is no mention of the rejected packet (IP). Yet it is in the event log. The event log is saying that is never made it to the dns server? Very weird because the event is on both dns servers event logs. Would the dns event log reflect the fact that isa was rejecting it? I would not think so... -----Original Message----- From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] Sent: Tuesday, October 16, 2001 10:41 AM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Wierd DNS stuff... http://www.ISAserver.org Turn on extended logging in DNS and you'll see exactly what happened when it happened. It will literally log every piece of data in all packets if you check all the boxes. Maybe then we'll have a good answer for you... Jim Harrison MCP(NT4/2K), A+, Network+, PCG ----- Original Message ----- From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx> Sent: Tuesday, October 16, 2001 7:16 AM Subject: [isalist] RE: Wierd DNS stuff... http://www.ISAserver.org Hmmm.... Those damn dns events (see below for events) are showing up again. I thought I had locked it down via ISA, I guess not. Could someone tell me, could that be my servers querying out to those for some reason? BTW I am not using forwarders. -----Original Message----- From: Uttam K. Malhotra [mailto:uttamm@xxxxxxxxxxxxxx] Sent: Wednesday, October 10, 2001 4:36 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: Wierd DNS stuff... http://www.ISAserver.org Hello This as follows : As the message is suggesting, the DNS server has received an invalid domain name. By invalid it means that it contains invalid characters. MS DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen) as part of a domain name. Some other DNS servers may not strictly enforce RFC 952 (DOD INTERNET HOST TABLE SPECIFICATION) so invalid names reach the DNS server and the 5504 message is recorded. Usually this happens when Forwarders are used by the DNS server. Microsoft suggested to one user to turn off the forwarder in order to eliminate these messages. There used to be a Knowledge Base article "Q246797 - DNS EVENT IDS 5504, 9999, AND 5000 FILL EVENT VIEWER" but is no longer available. Another condition that may generated these messages is when the Internet connection is saturated or not working properly (losing packets). Because of the poor Internet connection, the DNS may receive incomplete or corrupted data and 5504 is generated. Might solve ur problem ! Uttam -----Original Message----- From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx] Sent: Tuesday, October 09, 2001 7:24 PM To: [ISAserver.org Discussion List] Subject: [isalist] Wierd DNS stuff... http://www.ISAserver.org Hello All, I have been having dns trouble intermittently where emails are bouncing back (exchange2000) and I clear my dns caches and everything is ok. Quick note about my setup: 1. ISA server w/ 2 nics, no DNS, no IIS, no etc 2. internal AD, DNS (AD integrated), E2K server 3. internal AD, DNS (AD integrated) 4. other boxes that are not important. In troubleshooting I have noticed that I have repeated entries in my dns for: Event Type: Warning Event Source: DNS Event Category: None Event ID: 5504 Date: 10/2/2001 Time: 6:28:04 PM User: N/A Computer: TATL0S03 Description: The DNS server encountered an invalid domain name in a packet from 209.235.102.18. The packet is rejected. AND Event Type: Warning Event Source: DNS Event Category: None Event ID: 5504 Date: 10/2/2001 Time: 6:28:04 PM User: N/A Computer: TATL0S03 Description: The DNS server encountered an invalid domain name in a packet from 209.235.102.17. The packet is rejected. I have no idea why this is happening. I did digs and do not recognize this address, and whats more, I don't really understand how dns would be talking to this ip thru the firewall... often and repeatedly. Has anyone else seen this before is this something I should worry about? ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: uttamm@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: bandrews@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')