Win2K3 DNS Error 5504

[themeanies]

I am getting a 5504 error about 150 times per 24hrs.

Appears to be only doubleclick.net DNS names

bad packets are coming from
216.73.81.10
216.73.85.10
216.73.86.10
216.73.87.10


<<ERROR TEXT>>
The DNS server encountered an invalid domain name in a packet from
216.73.85.10. The packet will be rejected. The event data contains the
DNS packet.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data
0001: f8 31 84 00 01 00 01 00 ø1„.....
0008: 08 00 08 00 02 61 64 0b .....ad.
0010: 64 6f 75 62 6c 65 63 6c doublecl
0018: 69 63 6b 03 6e 65 74 00 ick.net.
0020: 00 01 00 01 c0 0c 00 05 ....À...
0028: 00 01 00 00 03 84 00 09 .....„..
0030: 02 61 64 03 33 61 64 c0 .ad.3adÀ
0038: 0f c0 33 00 02 00 01 00 .À3.....
0040: 00 0e 10 00 0c 09 61 6e ......an
0048: 6e 79 33 64 6e 73 32 c0 ny3dns2À
0050: 0f c0 33 00 02 00 01 00 .À3.....
0058: 00 0e 10 00 0c 09 65 71 ......eq
0060: 76 61 33 64 6e 73 31 c0 va3dns1À
0068: 0f c0 33 00 02 00 01 00 .À3.....
0070: 00 0e 10 00 0c 09 65 71 ......eq
0078: 76 61 33 64 6e 73 32 c0 va3dns2À

<<ERROR TEXT>>


This appears only in my win2k3 DNS event logs. I have a test win2k DNS
server that doesn't see this error.

Seems to have been happening at least 2 weeks.

Could this be related to the Cisco PIX 512byte UDP packet limit?

Any ideas?

tM

 

[Guest]

Try to make sure the "Secure cache against pollution" is enabled. This
prevents DNS spoofing. If this does not help, try to use a firewall to block
those packets.

Your suggestion may also be possible. See this.

An external DNS query may cause an error message in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731

How to Prevent DNS Cache Pollution
http://support.microsoft.com/kb/q241352/

Description of the DNS Server Secure Cache Against Pollution Setting
http://support.microsoft.com/default.aspx?scid=kb;en-us;316786&sd=tech

BR,
Denis

 

[Kevin D. Goodknecht Sr. [MVP]]

In

I am getting a 5504 error about 150 times per 24hrs.

Appears to be only doubleclick.net DNS names

bad packets are coming from
216.73.81.10
216.73.85.10
216.73.86.10
216.73.87.10


<<ERROR TEXT>>
The DNS server encountered an invalid domain name in a
packet from 216.73.85.10. The packet will be rejected.
The event data contains the DNS packet.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data
0001: f8 31 84 00 01 00 01 00 ø1„.....
0008: 08 00 08 00 02 61 64 0b .....ad.
0010: 64 6f 75 62 6c 65 63 6c doublecl
0018: 69 63 6b 03 6e 65 74 00 ick.net.
0020: 00 01 00 01 c0 0c 00 05 ....À...
0028: 00 01 00 00 03 84 00 09 .....„..
0030: 02 61 64 03 33 61 64 c0 .ad.3adÀ
0038: 0f c0 33 00 02 00 01 00 .À3.....
0040: 00 0e 10 00 0c 09 61 6e ......an
0048: 6e 79 33 64 6e 73 32 c0 ny3dns2À
0050: 0f c0 33 00 02 00 01 00 .À3.....
0058: 00 0e 10 00 0c 09 65 71 ......eq
0060: 76 61 33 64 6e 73 31 c0 va3dns1À
0068: 0f c0 33 00 02 00 01 00 .À3.....
0070: 00 0e 10 00 0c 09 65 71 ......eq
0078: 76 61 33 64 6e 73 32 c0 va3dns2À

<<ERROR TEXT>>


This appears only in my win2k3 DNS event logs. I have a
test win2k DNS server that doesn't see this error.

Seems to have been happening at least 2 weeks.

Could this be related to the Cisco PIX 512byte UDP packet
limit?

I'm not sure if it is related, you should have already fixed the PIX to
allow these packets anyway. There is an article on the Cisco site for the
DNS Fixup protocol that will allow these packets.
Incedentally, we have seen a lot of these errors coming from these
doubleclick.net DNS servers, if you block access to the DNS servers, which
is what I usually recommend, you shouldn't miss much but maybe some ad
sites. I haven't gotten any bad feedback from anyone that has blocked these
servers.