RE: Wierd DNS stuff...

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 24 Oct 2001 11:57:31 -0700

The log you should be reading is %SystemRoot%\system32\dns\dns.log.  It's
where the DNS service does the extended logging to.

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG


----- Original Message -----
From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, October 24, 2001 09:44
Subject: [isalist] RE: Wierd DNS stuff...


http://www.ISAserver.org


So I enabled the extended logging and there is no mention of the
rejected packet (IP). Yet it is in the event log. The event log is
saying that it never made it to the dns server? Very weird because the
event is on both dns servers' event logs.

Would the dns event log reflect the fact that isa was rejecting it? I
would not think so...

 -----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, October 16, 2001 10:41 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd DNS stuff...



Turn on extended logging in DNS and you'll see exactly what happened
when it happened.  It will literally log every piece of data in all
packets if you check all the boxes.
Maybe then we'll have a good answer for you...

Jim Harrison
MCP(NT4/2K), A+, Network+, PCG

----- Original Message -----
From: "Bryan Andrews" <bandrews@xxxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, October 16, 2001 7:16 AM
Subject: [isalist] RE: Wierd DNS stuff...




Hmmm.... Those damn dns events (see below for events) are showing up again.

I thought I had locked it down via ISA, I guess not. Could someone tell
me, could that be my servers querying out to those for some reason?

BTW I am not using forwarders.


 -----Original Message-----
From: Uttam K. Malhotra [mailto:uttamm@xxxxxxxxxxxxxx]
Sent: Wednesday, October 10, 2001 4:36 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Wierd DNS stuff...



Hello

This is as follows:

As the message is suggesting, the DNS server has received an invalid
domain name. By invalid it means that it contains invalid characters. MS
DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen) as part of a
domain name. Some other DNS servers may not strictly enforce RFC 952
(DOD INTERNET HOST TABLE SPECIFICATION) so invalid names reach the DNS
server and the 5504 message is recorded. Usually this happens when
Forwarders are used by the DNS server. Microsoft suggested to one user
to turn off the forwarder in order to eliminate these messages. There
used to be a Knowledge Base article "Q246797 - DNS EVENT IDS 5504, 9999,
AND 5000 FILL EVENT VIEWER" but it is no longer available.
Another condition that may generate these messages is when the Internet
connection is saturated or not working properly (losing packets).
Because of the poor Internet connection, the DNS may receive incomplete
or corrupted data and 5504 is generated.

Might solve your problem!

Uttam


-----Original Message-----
From: Bryan Andrews [mailto:bandrews@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, October 09, 2001 7:24 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Wierd DNS stuff...




Hello All,

I have been having dns trouble intermittently where emails are bouncing
back (exchange2000) and I clear my dns caches and everything is ok.

Quick note about my setup:

1. ISA server w/ 2 nics, no DNS, no IIS, no etc
2. internal AD, DNS (AD integrated), E2K server
3. internal AD, DNS (AD integrated)
4. other boxes that are not important.

In troubleshooting I have noticed that I have repeated entries in my dns
for:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 10/2/2001
Time: 6:28:04 PM
User: N/A
Computer: TATL0S03
Description:
The DNS server encountered an invalid domain name in a packet from
209.235.102.18.  The packet is rejected.


AND

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 10/2/2001
Time: 6:28:04 PM
User: N/A
Computer: TATL0S03
Description:
The DNS server encountered an invalid domain name in a packet from
209.235.102.17.  The packet is rejected.

I have no idea why this is happening. I did digs and do not recognize
this address, and what's more, I don't really understand how dns would be
talking to this ip thru the firewall... often and repeatedly.

Has anyone else seen this before? Is this something I should worry about?

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
uttamm@xxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
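
Added example (not part of the original thread, and not code from any poster): a Python sketch that tallies Event ID 5504 entries from event text laid out like the entries quoted in the original message, reporting each rejected source address and which DNS servers logged it. The sample events, the host names DNS01/DNS02 and the 192.0.2.x addresses are constructed for illustration.

```python
import re

# Matches the source address in the 5504 description quoted in the thread.
PACKET_FROM = re.compile(r"in a packet from\s+(\d{1,3}(?:\.\d{1,3}){3})\.")

def _event(event_id, computer, description):
    # Builds one constructed entry in the "Field: value" layout shown above.
    return (f"Event Type: Warning\nEvent Source: DNS\nEvent ID: {event_id}\n"
            f"Computer: {computer}\nDescription:\n{description}\n")

_REJECT = ("The DNS server encountered an invalid domain name in a packet from\n"
           "{ip}.  The packet is rejected.")

# Constructed sample: three rejections across two servers plus one unrelated event.
SAMPLE = "\n".join([
    _event(5504, "DNS01", _REJECT.format(ip="192.0.2.18")),
    _event(5504, "DNS02", _REJECT.format(ip="192.0.2.18")),
    _event(5504, "DNS01", _REJECT.format(ip="192.0.2.17")),
    _event(2, "DNS01", "Constructed entry that is not a rejection."),
])

def parse_events(text):
    """Split pasted event text into one dict per 'Event Type:' block."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        if not block.strip():
            continue
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(.*)$", block))
        # The description spans several lines, so take everything after its label.
        fields["Description"] = block.partition("Description:")[2].strip()
        events.append(fields)
    return events

def rejected_sources(events):
    """Map source IP -> (number of 5504 events, sorted servers that logged it)."""
    counts, servers = {}, {}
    for ev in events:
        if ev.get("Event ID") != "5504":
            continue
        m = PACKET_FROM.search(ev["Description"])
        if not m:
            continue  # 5504 entry whose description does not carry an address
        ip = m.group(1)
        counts[ip] = counts.get(ip, 0) + 1
        servers.setdefault(ip, set()).add(ev.get("Computer", "unknown"))
    return {ip: (counts[ip], sorted(servers[ip])) for ip in counts}

if __name__ == "__main__":
    for ip, (n, hosts) in sorted(rejected_sources(parse_events(SAMPLE)).items()):
        print(f"{ip}: {n} rejected packet(s), logged on {', '.join(hosts)}")
```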
