Group:  English: Windows Server » microsoft.public.windows.server.dns
Thread: DNS Bogus Packet

DNS Bogus Packet
Qafyg <qafyg[ at ]hotmail.com> 7/6/2007 2:24:29 PM
I've got a bunch of these events that are filling up my event logs:

Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 2007-07-05
Time: 16:35:03
User: N/A
Description:
The DNS server encountered an invalid domain name in a packet from
66.79.163.157. The packet will be rejected. The event data contains
the DNS packet.


Always from a different IP. I've sniffed and I don't see any invalid
domain name or host with spaces or underscores. I'm no network expert
but it looks like the resolution requests get answered and then
there's the following entry in the DNS diagnosis logging:


20070705 16:35:08 5E0 PACKET UDP Rcv 66.79.163.157 4bbf R Q [0084
A NOERROR] (4)[ERROR length byte: 0x04 at 0000000000B70005 leads
outside message]

UDP response info at 0000000000B6F9A0
Socket = 552
Remote addr 66.79.163.157, port 1025
Time Query=197370, Queued=0, Expire=0
Buf length = 0x0500 (1280)
Msg length = 0x0000 (0)
Message:
XID 0x4bbf
Flags 0x8400
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 1
ARCOUNT 1
QUESTION SECTION:
ERROR: BOGUS PACKET:
Following RR (offset 12) past packet length (0).
pchRecord = 0000000000B70004, pCurrent = 0000000000000000,
-11993092 bytes

And here is what I think is the answer right BEFORE the message above
in the DNS diagnosis logging:

20070705 16:35:08 5DC PACKET UDP Snd 66.79.163.157 0d5d R Q [0084
A NOERROR] (4)mail(16)Deleted(2)ca(0)
UDP response info at 0000000000B6EC60
Socket = 552
Remote addr 66.79.163.157, port 1025
Time Query=197370, Queued=0, Expire=0
Buf length = 0x0500 (1280)
Msg length = 0x0045 (69)
Message:
XID 0x0d5d
Flags 0x8400
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 1
NSCOUNT 0
ARCOUNT 1
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(4)mail(16)Deleted(2)ca(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
Offset = 0x002a, RR count = 0
Name "[C00C](4)mail(16)Deleted(2)ca(0)"
TYPE A (1)
CLASS 1
TTL 3600
DLEN 4
DATA X.X.X.X
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
Offset = 0x003a, RR count = 0
Name "(0)"
TYPE OPT (41)
CLASS 1280
TTL 0
DLEN 0
DATA (none)

Any insights would be great! Thanks.

Re: DNS Bogus Packet
"Ace Fekay [MVP]" <PleaseAskMe[ at ]SomeDomain.com> 7/7/2007 2:37:21 PM
In news:1183731869.434196.18110[ at ]g4g2000hsf.googlegroups.com,
Qafyg <qafyg[ at ]hotmail.com> typed:
[Quoted Text]
> I've got a bunch of these events that are filling up my event logs:
>
> Event Type: Information
> Event Source: DNS
> Event Category: None
> Event ID: 5504
> Date: 2007-07-05
> Time: 16:35:03
> User: N/A
> Description:
> The DNS server encountered an invalid domain name in a packet from
> 66.79.163.157. The packet will be rejected. The event data contains
> the DNS packet.
>
>
> Always from a different IP. I've sniffed and I don't see any invalid
> domain name or host with spaces or underscores. I'm no network expert
> but it looks like the resolution requests get answered and then
> there's the following entry in the DNS diagnosis logging:
>
>
> 20070705 16:35:08 5E0 PACKET UDP Rcv 66.79.163.157 4bbf R Q [0084
> A NOERROR] (4)[ERROR length byte: 0x04 at 0000000000B70005 leads
> outside message]
>
> UDP response info at 0000000000B6F9A0
> Socket = 552
> Remote addr 66.79.163.157, port 1025
> Time Query=197370, Queued=0, Expire=0
> Buf length = 0x0500 (1280)
> Msg length = 0x0000 (0)
> Message:
> XID 0x4bbf
> Flags 0x8400
> QR 1 (RESPONSE)
> OPCODE 0 (QUERY)
> AA 1
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 1
> ACOUNT 0
> NSCOUNT 1
> ARCOUNT 1
> QUESTION SECTION:
> ERROR: BOGUS PACKET:
> Following RR (offset 12) past packet length (0).
> pchRecord = 0000000000B70004, pCurrent = 0000000000000000,
> -11993092 bytes
>
> And here is what I think is the answer right BEFORE the message above
> in the DNS diagnosis logging:
>
> 20070705 16:35:08 5DC PACKET UDP Snd 66.79.163.157 0d5d R Q [0084
> A NOERROR] (4)mail(16)Deleted(2)ca(0)
> UDP response info at 0000000000B6EC60
> Socket = 552
> Remote addr 66.79.163.157, port 1025
> Time Query=197370, Queued=0, Expire=0
> Buf length = 0x0500 (1280)
> Msg length = 0x0045 (69)
> Message:
> XID 0x0d5d
> Flags 0x8400
> QR 1 (RESPONSE)
> OPCODE 0 (QUERY)
> AA 1
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 1
> ACOUNT 1
> NSCOUNT 0
> ARCOUNT 1
> QUESTION SECTION:
> Offset = 0x000c, RR count = 0
> Name "(4)mail(16)Deleted(2)ca(0)"
> QTYPE A (1)
> QCLASS 1
> ANSWER SECTION:
> Offset = 0x002a, RR count = 0
> Name "[C00C](4)mail(16)Deleted(2)ca(0)"
> TYPE A (1)
> CLASS 1
> TTL 3600
> DLEN 4
> DATA X.X.X.X
> AUTHORITY SECTION:
> empty
> ADDITIONAL SECTION:
> Offset = 0x003a, RR count = 0
> Name "(0)"
> TYPE OPT (41)
> CLASS 1280
> TTL 0
> DLEN 0
> DATA (none)
>
> Any insights would be great! Thanks.

Do you have a forwarder configured in DNS properties to your ISP? If so,
which to?
Is your internal AD domain DNS name a single label name (domain rather than
domain.com)?
Does your AD domain DNS name have any illegal characters? Supported
characters are 0-9, a-z, A-Z, . (dot), and - (hyphen).
In DNS properties, select Advanced tab, and ensure that the checkbox is
checked to prevent DNS Cache Pollution.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
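
Added example (not code from the thread or from Microsoft's DNS server): a Python decoder for DNS wire-format names with the bounds checks behind the two errors in the diagnostic log above, a length byte that leads outside the message and a record offset past the declared packet length, plus the label character rule from Ace's reply. The 69-byte sample response is constructed to match the layout of the "Snd" packet (question at 0x0c, answer with a C00C pointer at 0x2a, OPT at 0x3a); the 16-character label and the 192.0.2.1 address are placeholders for the values the poster redacted.

```python
import re
import struct
LABEL_RE = re.compile(r"^[0-9A-Za-z-]+$")  # Ace's allowed characters: 0-9, a-z, A-Z, hyphen

class BogusPacket(ValueError):
    """A length byte or compression pointer leads outside the message."""

def decode_name(msg, offset, msg_len=None):
    """Return (name, offset_after_name); msg_len mimics the log's 'Msg length = 0x0000 (0)'."""
    end = len(msg) if msg_len is None else msg_len
    labels, pos, after, hops = [], offset, None, 0
    while True:
        if pos >= end:
            raise BogusPacket(f"offset {pos} past packet length ({end})")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                          # RFC 1035 4.1.4 compression pointer
            if pos + 1 >= end:
                raise BogusPacket(f"truncated pointer at offset {pos}")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos or hops >= 16:                # must point backwards; bounds loops
                raise BogusPacket(f"bad pointer at offset {pos} -> {target}")
            after = pos + 2 if after is None else after    # name ends after the first pointer
            pos, hops = target, hops + 1
            continue
        if length & 0xC0:
            raise BogusPacket(f"unsupported label type 0x{length:02x} at offset {pos}")
        if length == 0:                                    # root label ends the name
            return ".".join(labels), (pos + 1 if after is None else after)
        if pos + 1 + length > end:
            raise BogusPacket(f"length byte 0x{length:02x} at offset {pos} leads outside message")
        label = msg[pos + 1:pos + 1 + length].decode("ascii", errors="replace")
        if not LABEL_RE.match(label):
            raise BogusPacket(f"label {label!r} uses characters outside 0-9, a-z, A-Z, -")
        labels.append(label)
        pos += 1 + length

def build_sample_response():
    """Constructed 69-byte response with the layout of the log's 'Snd' packet."""
    name = b"\x04mail\x10exampleredacted0\x02ca\x00"   # 16-char placeholder for the redacted label
    header = struct.pack("!HHHHHH", 0x0D5D, 0x8400, 1, 1, 0, 1)   # XID, flags, QD/AN/NS/AR counts
    question = name + struct.pack("!HH", 1, 1)             # QTYPE A, QCLASS IN; answer starts at 0x2a
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])  # pointer to 0x0c
    opt = b"\x00" + struct.pack("!HHIH", 41, 1280, 0, 0)   # OPT RR, UDP size 1280; starts at 0x3a
    return header + question + answer + opt

def check_question(msg, msg_len=None):
    try:
        return decode_name(msg, 12, msg_len)[0]
    except BogusPacket as exc:
        return f"BOGUS PACKET: {exc}"
```

Calling check_question with msg_len=0 reproduces the rejected packet's "past packet length (0)" error, and passing only the first 14 bytes reproduces "length byte 0x04 at offset 12 leads outside message".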

