5504 Warnings

Guest

Lately, my forest root DC, which is also hosting an AD integrated DNS zone, is getting its DNS event log filled up with 5504 warnings. I've looked at all of them and they're all from the a through l root DNS servers on the Internet. Not m though for some reason *shrug*. I've looked at all of my other child DCs which are also hosting AD integrated DNS zones for their respective domain names and only two of them show 5504 warnings and only a handful at that. And those few list the forest root DNS server as the source of the bad packet. Please note single DCs for all domains.

I have secure cache against pollution enabled on all servers. They are all set to receive only secure updates. There are no computers at all, DCs included, that I can find anywhere on the network with an invalid character in the name. I see no packet loss on the Internet connection serving the forest root DNS. And DNS has been functioning correctly for 2 years on all these servers until just recently. I'm also not aware of any Windows security updates this month that affected DNS.
 
Kevin D. Goodknecht [MVP]

Allen Davis said:
Lately, my forest root DC, which is also hosting an AD integrated DNS
zone, is getting its DNS event log filled up with 5504 warnings. I've
looked at all of them and they're all from the a through l root DNS
servers on the Internet. Not m though for some reason *shrug*. I've
looked at all of my other child DCs which are also hosting AD
integrated DNS zones for their respective domain names and only two
of them show 5504 warnings and only a handful at that. And those few
list the forest root DNS server as the source of the bad packet.
Please note single DCs for all domains.

I have secure cache against pollution enabled on all servers. They
are all set to receive only secure updates. There are no computers at
all, DCs included, that I can find anywhere on the network with an
invalid character in the name. I see no packet loss on the Internet
connection serving the forest root DNS. And DNS has been functioning
correctly for 2 years on all these servers until just recently. I'm
also not aware of any Windows security updates this month that
affected DNS.

If you could post the complete event we can tell more about the cause. It is
usually caused by an invalid character on a machine name, usually from a
Win9x because users can change the machine name and may not use valid
characters.
But there are other causes; sometimes a single label name in the DNS search
list or Suffix can cause this.

Post the complete event unedited and an ipconfig /all unedited.

http://www.eventid.net/display.asp?eventid=5504&source=
 
Guest

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 4/1/2004
Time: 10:31:54
User: N/A
Computer: URB-FNG-DC-01
Description:
The DNS server encountered an invalid domain name in a packet from 192.33.4.12. The packet is rejected.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : urb-fng-dc-01
Primary DNS Suffix . . . . . . . : flex-n-gate.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : flex-n-gate.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.9.201.157
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.9.201.254
DNS Servers . . . . . . . . . . . : 192.9.201.157
Primary WINS Server . . . . . . . : 192.9.201.157
 
Kevin D. Goodknecht [MVP]

Allen Davis said:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 4/1/2004
Time: 10:31:54
User: N/A
Computer: URB-FNG-DC-01
Description:
The DNS server encountered an invalid domain name in a packet from
192.33.4.12. The packet is rejected.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : urb-fng-dc-01
Primary DNS Suffix . . . . . . . : flex-n-gate.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : flex-n-gate.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.9.201.157
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.9.201.254
DNS Servers . . . . . . . . . . . : 192.9.201.157
Primary WINS Server . . . . . . . : 192.9.201.157

There is no invalid character on this machine. But looking at where the
packet is coming from, 192.33.4.12 reverses to one of the root servers.
QUESTION SECTION:

12.4.33.192.in-addr.arpa. IN PTR

ANSWER SECTION:

12.4.33.192.in-addr.arpa. 10800 IN PTR c.root-servers.net.

It could be a number of things, maybe even an invalid domain name in a DNS
suffix search list on one of your machines or just a lost packet if your
internet connection is getting congested.

Sometimes they go away if you give the DNS server a forwarder. Is there a
forwarder for this DNS server?
 
Ace Fekay [MVP]

Allen Davis said:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 4/1/2004
Time: 10:31:54
User: N/A
Computer: URB-FNG-DC-01
Description:
The DNS server encountered an invalid domain name in a packet from
192.33.4.12. The packet is rejected.

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : urb-fng-dc-01
Primary DNS Suffix . . . . . . . : flex-n-gate.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : flex-n-gate.com

Ethernet adapter Local Area Connection 3:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Advanced Network Services Virtual Adapter
Physical Address. . . . . . . . . : 00-02-55-C7-CA-1A
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.9.201.157
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.9.201.254
DNS Servers . . . . . . . . . . . : 192.9.201.157
Primary WINS Server . . . . . . . : 192.9.201.157


Is this address range you are using internally (192.9.20.0/24) supposed to
be a private range or a public range the ISP gave you to use?

Reason why I ask is that this is a public range. I tried to do a lookup on
it at www.arin.net, but their system seems to be down so I can't determine
who it belongs to.

Valid ranges, FYI, for private NAT networks are:
192.168.0.0/16
172.16.0.0/19
10.0.0.0/8

I apologize if this assumption is incorrect.

If these are your private ranges, and were assumed to be private and not
public, it *may* account for what you are seeing.

Sometimes I also see this when one doesn't use a forwarder, or using a
reserved name (like com, net, prt, etc) but not sure if 'gate' is one or
not, but I don't think so, other than the illegal character issue.

It could also be an attack as well, which I've seen too.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht [MVP]

Allen Davis said:
No, there is no forwarder on this DNS server, the forest root. All of
the child DC/DNS servers use the forest root DC/DNS server as their
forwarder and sole root hint.

I also asked the ISP providing Internet service to this server to
analyze the line for dropped or corrupted packets. Still waiting for
the results of that.

Add your ISP's DNS as a forwarder. This can reduce the number of packets
across the link. If it reduces the 5504s then you can almost bet congested
link.
If the 5504s continue but come from the ISP's DNS then it is an invalid name
somewhere on your network.
 
Ace Fekay [MVP]

Allen Davis said:
Yeah, I know. Don't tease me about that please. I inherited this
network when I came on board with this company. I'm trying to get
this company in a position to clean up a whole host of network
inefficiencies and design flaws but it's a tough row to hoe.


Hmm, I was correct. Ok, no teasing... you got your work cut out for yourself
(as hard as it is).

About the 5504, follow what Kevin said to use a forwarder. I've seen that
clean the 5504's up if they're not on your network. You can use 4.2.2.2,
it's a good one for a forwarder.

:)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Guest

I added two forwarders to the forest root DNS server shortly after your post. Between then and now, only two more 5504 errors have crept into the DNS event log. Both report bad packets from the new forwarders, one each. I find that there was scheduled router maintenance at the edge of the ISP's network where we connect at about the same time these warnings started. So it will be interesting to see what their diagnostics find.

Thanks for your guidance. I'll post any supporting or conclusive follow up information as it becomes available.
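
The forwarder test suggested in this thread can be run against a text export of the DNS event log by counting 5504 warnings per source address before and after the forwarder is added. This is an added example, not part of the original thread: the record layout follows the event pasted above, the function names and sample records are constructed, and the two log windows are assumed to cover equal time spans.

```python
import re
from collections import Counter

# Matches the 5504 description text quoted in the thread.
SRC_RE = re.compile(r"invalid domain name in a packet from (\d{1,3}(?:\.\d{1,3}){3})\b")

def sources_5504(export_text):
    """Count 5504 warnings per source address in a text export of the DNS event log."""
    counts = Counter()
    for record in export_text.split("Event Type:")[1:]:
        if not re.search(r"^Event ID:\s*5504\s*$", record, re.M):
            continue  # some other DNS event
        # Descriptions can wrap mid-sentence in a paste, so flatten whitespace first.
        match = SRC_RE.search(" ".join(record.split()))
        if match:
            counts[match.group(1)] += 1
    return counts

def triage(before, after, forwarders):
    """Apply the thread's forwarder test to two equal-length log windows."""
    n_before, n_after = sum(before.values()), sum(after.values())
    if n_after == 0:
        return "cleared"
    if n_after < n_before:
        return "reduced: congested link likely"
    if all(ip in forwarders for ip in after):
        return "not reduced, from forwarders: look for an invalid name on the internal network"
    return "inconclusive"

def _event(event_id, description):
    # Builds one constructed record in the layout of the pasted event.
    return (f"Event Type: Warning\nEvent Source: DNS\nEvent ID: {event_id}\n"
            f"Description:\n{description}\n\n")

# Constructed sample exports (not taken from the poster's logs).
_MSG = ("The DNS server encountered an invalid domain name in a packet from\n"
        "{}. The packet is rejected.")
BEFORE = (_event(5504, _MSG.format("192.33.4.12")) * 3
          + _event(4015, "constructed non-5504 record"))
AFTER = _event(5504, _MSG.format("4.2.2.2"))

if __name__ == "__main__":
    b, a = sources_5504(BEFORE), sources_5504(AFTER)
    print(dict(b), dict(a), triage(b, a, forwarders={"4.2.2.2"}))
```
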
 
