Sign in with
Sign up | Sign in
Your question

Event ID: 5504

Last response: in Windows 2000/NT
Share
Anonymous
July 1, 2004 7:22:01 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I've googled and looked up the kb articles on this warning in my event log.
I don't have forwarding setup on my DNS Servers. I have an AD domain with
both Windows 2000 DC's running DNS. One server has no messages, the other is
full of them. They all reference root servers ip addresses. I've seen many
posts about this but no solutions other than making sure forwarding is not
on. Any suggestions? Below is the event log message.

Event ID: 5504
Source: DNS
Time: 13:03
Category: None
Type: Warning
Description: The DNS server encountered an invalid domain name in a packet
from 192.5.5.241. The packet is rejected.

Any help would greatly by appreciated.

Thanks.
Natalie

More about : event 5504

Anonymous
July 1, 2004 11:50:37 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:%237t0Tn7XEHA.316@TK2MSFTNGP10.phx.gbl,
Natalie Polanco <nataliepolanco@hotmail.com> posted a question
Then Kevin replied below:
> I've googled and looked up the kb articles on this warning in my
> event log. I don't have forwarding setup on my DNS Servers. I have an
> AD domain with both Windows 2000 DC's running DNS. One server has no
> messages, the other is full of them. They all reference root servers
> ip addresses. I've seen many posts about this but no solutions other
> than making sure forwarding is not on. Any suggestions? Below is the
> event log message.
>
> Event ID: 5504
> Source: DNS
> Time: 13:03
> Category: None
> Type: Warning
> Description: The DNS server encountered an invalid domain name in a
> packet from 192.5.5.241. The packet is rejected.
>
> Any help would greatly by appreciated.

You will need to set up a packet sniffer first to see what is being sent to
the root servers that is getting rejected.
5504 can be caused by Win9x computers with an illegal character in their
name or even just a conjested link. You could also need a hotfix for the
server.
http://www.eventid.net/display.asp?eventid=5504&eventno...


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Anonymous
July 2, 2004 2:02:47 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:%23KmgZ68XEHA.712@TK2MSFTNGP11.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] in <admin@nospam.WFTX.US> posted their
thoughts, then I offered mine

> You will need to set up a packet sniffer first to see what is being
> sent to the root servers that is getting rejected.
> 5504 can be caused by Win9x computers with an illegal character in
> their
> name or even just a conjested link. You could also need a hotfix for
> the server.
>
http://www.eventid.net/display.asp?eventid=5504&eventno...
>


See if this helps as well;

838969 - Event 5504 & 7063 is recorded in the DNS log of Event Viewer in
Windows 2000 Server:
http://support.microsoft.com/?id=838969

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit. This posting is provided "AS-IS" with no warranties and
confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
Related resources
Can't find your answer ? Ask !
Anonymous
July 2, 2004 12:05:02 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I posted a similar question here:

http://communities2.microsoft.com/communities/newsgroup...

I found that sniffing packets at my gateway to determine the request being sent to the root hints by our internal DNS servers revealed that the query being sent to the internet was a resolution request for the hostname LOCALHOST. DNS servers should never attempt to resolve this host name externally. It should always be resolved by the internal host file on the server which contains a record mapping localhost to 127.0.0.1 which is a loopback address.

The article you posted regarding the hotfix has an insufficient amount of information about the issues cause. Is it to address this issue? I do not have 7063 messages in my event log. All other articles I have found regarding this message have been irrelevant to the situation.

I have also found several posts on variouse forums looking for a resolution to this issue, noone has been able to provide a solution as of yet. This does adversely affect the server as the messages can quickly fill your DNS event log, which under times of normal activity is a relatively inactive log, and the DNS server is pre-occupied performing resolution attempts of this illegal host name.

Part of what bothered me about this issue was the regularity of the messages, they seem to be almost exactly 15 minutes apart for a period of several days, then they subside for a month or more, then return at the same frequency.

Any input would be greatly appreciated.

Ian Bagnald
Systems Administrator
Focal Technologies Corporation
Division of Kaydon Corporation
MCSE:Security Windows 2000
MCSA:Security Windows 2000
COMPTIA A+

This post is as is and no assurance is made for the validity of its contents.

"Ace Fekay [MVP]" wrote:

> In news:%23KmgZ68XEHA.712@TK2MSFTNGP11.phx.gbl,
> Kevin D. Goodknecht Sr. [MVP] in <admin@nospam.WFTX.US> posted their
> thoughts, then I offered mine
>
> > You will need to set up a packet sniffer first to see what is being
> > sent to the root servers that is getting rejected.
> > 5504 can be caused by Win9x computers with an illegal character in
> > their
> > name or even just a conjested link. You could also need a hotfix for
> > the server.
> >
> http://www.eventid.net/display.asp?eventid=5504&eventno...
> >
>
>
> See if this helps as well;
>
> 838969 - Event 5504 & 7063 is recorded in the DNS log of Event Viewer in
> Windows 2000 Server:
> http://support.microsoft.com/?id=838969
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroup so all
> can benefit. This posting is provided "AS-IS" with no warranties and
> confers no rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> pig. --
> =================================
>
>
>
Anonymous
July 2, 2004 2:00:19 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Has anyone actually tried the hotfix that is referenced in kb838969? I
called Microsoft and got the hotfix but I am very hesitant to install it
since it hasn't been regression tested. Anyone have any results of
installing it?


"InBan" <InBan@discussions.microsoft.com> wrote in message
news:FD1AC3B6-1FDF-461C-AD16-E102F2ADC391@microsoft.com...
> I posted a similar question here:
>
>
http://communities2.microsoft.com/communities/newsgroup...
>
> I found that sniffing packets at my gateway to determine the request being
sent to the root hints by our internal DNS servers revealed that the query
being sent to the internet was a resolution request for the hostname
LOCALHOST. DNS servers should never attempt to resolve this host name
externally. It should always be resolved by the internal host file on the
server which contains a record mapping localhost to 127.0.0.1 which is a
loopback address.
>
> The article you posted regarding the hotfix has an insufficient amount of
information about the issues cause. Is it to address this issue? I do not
have 7063 messages in my event log. All other articles I have found
regarding this message have been irrelevant to the situation.
>
> I have also found several posts on variouse forums looking for a
resolution to this issue, noone has been able to provide a solution as of
yet. This does adversely affect the server as the messages can quickly fill
your DNS event log, which under times of normal activity is a relatively
inactive log, and the DNS server is pre-occupied performing resolution
attempts of this illegal host name.
>
> Part of what bothered me about this issue was the regularity of the
messages, they seem to be almost exactly 15 minutes apart for a period of
several days, then they subside for a month or more, then return at the same
frequency.
>
> Any input would be greatly appreciated.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+
>
> This post is as is and no assurance is made for the validity of its
contents.
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:%23KmgZ68XEHA.712@TK2MSFTNGP11.phx.gbl,
> > Kevin D. Goodknecht Sr. [MVP] in <admin@nospam.WFTX.US> posted their
> > thoughts, then I offered mine
> >
> > > You will need to set up a packet sniffer first to see what is being
> > > sent to the root servers that is getting rejected.
> > > 5504 can be caused by Win9x computers with an illegal character in
> > > their
> > > name or even just a conjested link. You could also need a hotfix for
> > > the server.
> > >
> >
http://www.eventid.net/display.asp?eventid=5504&eventno...
> > >
> >
> >
> > See if this helps as well;
> >
> > 838969 - Event 5504 & 7063 is recorded in the DNS log of Event Viewer in
> > Windows 2000 Server:
> > http://support.microsoft.com/?id=838969
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroup so all
> > can benefit. This posting is provided "AS-IS" with no warranties and
> > confers no rights.
> >
> > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > Microsoft Windows MVP - Active Directory
> >
> > HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> > pig. --
> > =================================
> >
> >
> >
Anonymous
July 2, 2004 2:51:13 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:FD1AC3B6-1FDF-461C-AD16-E102F2ADC391@microsoft.com,
InBan <InBan@discussions.microsoft.com> posted a question
Then Kevin replied below:
> I posted a similar question here:
>
>
http://communities2.microsoft.com/communities/newsgroup...
>
> I found that sniffing packets at my gateway to determine the request
> being sent to the root hints by our internal DNS servers revealed
> that the query being sent to the internet was a resolution request
> for the hostname LOCALHOST. DNS servers should never attempt to
> resolve this host name externally. It should always be resolved by
> the internal host file on the server which contains a record mapping
> localhost to 127.0.0.1 which is a loopback address.
>
> The article you posted regarding the hotfix has an insufficient
> amount of information about the issues cause. Is it to address this
> issue? I do not have 7063 messages in my event log. All other
> articles I have found regarding this message have been irrelevant to
> the situation.
>
> I have also found several posts on variouse forums looking for a
> resolution to this issue, noone has been able to provide a solution
> as of yet. This does adversely affect the server as the messages can
> quickly fill your DNS event log, which under times of normal activity
> is a relatively inactive log, and the DNS server is pre-occupied
> performing resolution attempts of this illegal host name.
>
> Part of what bothered me about this issue was the regularity of the
> messages, they seem to be almost exactly 15 minutes apart for a
> period of several days, then they subside for a month or more, then
> return at the same frequency.
>
> Any input would be greatly appreciated.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+

This may sound like a rhetorical question but, is there a localhost entry in
your hosts file on all machines?
localhost shouldn't even go to the DNS server in the first place, it is
probably being sent to the DNS server by another machine with a corrupted
hosts file.

I did find a workaround, create a Forward Lookup zone named localhost and
put a blank (same as parent folder) record with IP 127.0.0.1.
I tested this, (see below) if I queried DNS for localhost it logged a 5504,
I created a localhost forward lookup zone and the blank host with IP
127.0.0.1 IP. Then I queried DNS for localhost, no events logged, and it
resolved to 127.0.0.1 by default DNS has a 127.in-addr.arpa. reverse lookup
zone.

Before.
> localhost
Server: kjweb.lsaol.com
Address: 192.168.0.2

*** kjweb.lsaol.com can't find localhost: Non-existent domain
> localhost
Server: kjweb.lsaol.com
Address: 192.168.0.2

Along with this DNS logged a 5504 event.

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 7/2/2004
Time: 03:36:54
User: N/A
Computer: KJWEB
Description:
The DNS server encountered an invalid domain name in a packet from
199.5.157.128. The packet is rejected.


After
> localhost.
Server: kjweb.lsaol.com
Address: 192.168.0.2

Name: localhost
Address: 127.0.0.1

No event logged.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Anonymous
July 2, 2004 6:03:19 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:uXrDRYFYEHA.2672@TK2MSFTNGP09.phx.gbl,
Natalie Polanco in <nataliepolanco@hotmail.com> posted their thoughts, then
I offered mine
> Has anyone actually tried the hotfix that is referenced in kb838969? I
> called Microsoft and got the hotfix but I am very hesitant to install
> it
> since it hasn't been regression tested. Anyone have any results of
> installing it?
>
>

I haven't tried it yet, and just to point out and mention, one of my clients
had this popping up a couple of years ago. I researched it and found, as
Kevin said, that this is primarily caused by an illegal character in a host
name. Illegal character such as a space or underscore. I found two Mac
machines with those characters in their names, and guess what, I changed the
names and the error disappeared.3

Kevin asked if there are any names in your infrastructure with an illegal
character, but I'm not sure if I saw your response, unless my newsreader
didn't display all the responses.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
Anonymous
July 2, 2004 6:03:20 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

The only character I have in some of the names is a dash like dana-laptop. I
bet this could definitely cause a problem. I will try changing those names
to see if it made a difference. I also tried the suggestion about of
creating a forward lookup zone for localhost. I did that at 9:36am this
morning and as of now 11:28, the messages stopped as soon as I made the
change. I will be keeping a close eye out.

Thank you so much for all your answers - ALL of you - it is very much
appreciated.
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:%23e7Q59FYEHA.1652@TK2MSFTNGP09.phx.gbl...
> In news:uXrDRYFYEHA.2672@TK2MSFTNGP09.phx.gbl,
> Natalie Polanco in <nataliepolanco@hotmail.com> posted their thoughts,
then
> I offered mine
> > Has anyone actually tried the hotfix that is referenced in kb838969? I
> > called Microsoft and got the hotfix but I am very hesitant to install
> > it
> > since it hasn't been regression tested. Anyone have any results of
> > installing it?
> >
> >
>
> I haven't tried it yet, and just to point out and mention, one of my
clients
> had this popping up a couple of years ago. I researched it and found, as
> Kevin said, that this is primarily caused by an illegal character in a
host
> name. Illegal character such as a space or underscore. I found two Mac
> machines with those characters in their names, and guess what, I changed
the
> names and the error disappeared.3
>
> Kevin asked if there are any names in your infrastructure with an illegal
> character, but I'm not sure if I saw your response, unless my newsreader
> didn't display all the responses.
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroup so all
> can benefit.
> This posting is provided "AS-IS" with no warranties and confers no
> rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> pig. --
> =================================
>
>
Anonymous
July 2, 2004 6:03:21 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I did examin the hosts files on the DNS servers, they did contain the localhost record. I also examined the network traffic to and from the DNS servers at the time. No clients had made a localhost resolution request to the internal DNS servers. If they had the DNS server should NOT have forwarded it to the root hint.

I did consider puting a record in forward lookup for localhost before posting. However it would not explain WHY the DNS servers are making repeated requests to the public DNS servers to resolve localhost. I may try this workaround as the 5504 records are flooding the logs.

An illegal character should not cause this type of behaviour. The reason illegal characters in host names are associated with 5504 warnings is because they cannot be corrctly resolved by DNS. The repsonses from the Root Hint servers are those that are being dropped; they are considered to contain illegal characters because they are not the response that the DNS server is expecting. If LOCALHOST requests were illegal internal requests the ip address referenced in the warning would be internal, not that of the root hint. Note that localhost is not an illegal request, it should however always be resolved without being passed to a name server. Also if this was casued by an illegal charcter of an internal host, the ip address would be internal, not a public root hint.

Ian Bagnald
Systems Administrator
Focal Technologies Corporation
Division of Kaydon Corporation
MCSE:Security Windows 2000
MCSA:Security Windows 2000
COMPTIA A+


"Natalie Polanco" wrote:

> The only character I have in some of the names is a dash like dana-laptop. I
> bet this could definitely cause a problem. I will try changing those names
> to see if it made a difference. I also tried the suggestion about of
> creating a forward lookup zone for localhost. I did that at 9:36am this
> morning and as of now 11:28, the messages stopped as soon as I made the
> change. I will be keeping a close eye out.
>
> Thank you so much for all your answers - ALL of you - it is very much
> appreciated.
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
> message news:%23e7Q59FYEHA.1652@TK2MSFTNGP09.phx.gbl...
> > In news:uXrDRYFYEHA.2672@TK2MSFTNGP09.phx.gbl,
> > Natalie Polanco in <nataliepolanco@hotmail.com> posted their thoughts,
> then
> > I offered mine
> > > Has anyone actually tried the hotfix that is referenced in kb838969? I
> > > called Microsoft and got the hotfix but I am very hesitant to install
> > > it
> > > since it hasn't been regression tested. Anyone have any results of
> > > installing it?
> > >
> > >
> >
> > I haven't tried it yet, and just to point out and mention, one of my
> clients
> > had this popping up a couple of years ago. I researched it and found, as
> > Kevin said, that this is primarily caused by an illegal character in a
> host
> > name. Illegal character such as a space or underscore. I found two Mac
> > machines with those characters in their names, and guess what, I changed
> the
> > names and the error disappeared.3
> >
> > Kevin asked if there are any names in your infrastructure with an illegal
> > character, but I'm not sure if I saw your response, unless my newsreader
> > didn't display all the responses.
> >
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroup so all
> > can benefit.
> > This posting is provided "AS-IS" with no warranties and confers no
> > rights.
> >
> > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > Microsoft Windows MVP - Active Directory
> >
> > HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> > pig. --
> > =================================
> >
> >
>
>
>
Anonymous
July 2, 2004 6:54:47 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:%23pCSFKGYEHA.3420@TK2MSFTNGP10.phx.gbl,
Natalie Polanco in <nataliepolanco@hotmail.com> posted their thoughts, then
I offered mine
> The only character I have in some of the names is a dash like
> dana-laptop. I bet this could definitely cause a problem. I will try
> changing those names to see if it made a difference. I also tried the
> suggestion about of creating a forward lookup zone for localhost. I
> did that at 9:36am this morning and as of now 11:28, the messages
> stopped as soon as I made the change. I will be keeping a close eye
> out.
>
> Thank you so much for all your answers - ALL of you - it is very much
> appreciated.

No problem Natalie.

A dash should be fine. Keep with the localhost forward lookup zone if that
fixes it. Post back with any concerns!

Ace
Anonymous
July 3, 2004 2:08:10 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:6FC1856C-8EE5-40EC-90D7-6D8AEFBEFBA3@microsoft.com,
InBan in <InBan@discussions.microsoft.com> posted their thoughts, then I
offered mine
> I did examin the hosts files on the DNS servers, they did contain the
> localhost record. I also examined the network traffic to and from the
> DNS servers at the time. No clients had made a localhost resolution
> request to the internal DNS servers. If they had the DNS server
> should NOT have forwarded it to the root hint.
>
> I did consider puting a record in forward lookup for localhost before
> posting. However it would not explain WHY the DNS servers are making
> repeated requests to the public DNS servers to resolve localhost. I
> may try this workaround as the 5504 records are flooding the logs.
>
> An illegal character should not cause this type of behaviour. The
> reason illegal characters in host names are associated with 5504
> warnings is because they cannot be corrctly resolved by DNS. The
> repsonses from the Root Hint servers are those that are being
> dropped; they are considered to contain illegal characters because
> they are not the response that the DNS server is expecting. If
> LOCALHOST requests were illegal internal requests the ip address
> referenced in the warning would be internal, not that of the root
> hint. Note that localhost is not an illegal request, it should
> however always be resolved without being passed to a name server.
> Also if this was casued by an illegal charcter of an internal host,
> the ip address would be internal, not a public root hint.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+
>
>

Good point Ian. After re-reading the original post, I see its a Root. Now
knowing the impact of the hotfix, maybe the more cautious resolution would
be the localhost record in your zone.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 3, 2004 8:20:01 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

I'd still like to know why the DNS servers are trying to resolve localhost. It shouldn't be necessary to have a localhost entry in forward lookup. This query isn't being generated by a client, it is coming from the internal Windows DNS server. The frequency/regularity bothers me. For 3 or 4 days every 1 or two months, every 15 minutes it sends four queries to each root hint server to resolve localhost. This does not seem to be normal behaviour.

Ian Bagnald
Systems Administrator
Focal Technologies Corporation
Division of Kaydon Corporation
MCSE:Security Windows 2000
MCSA:Security Windows 2000
COMPTIA A+

"Ace Fekay [MVP]" wrote:

> In news:6FC1856C-8EE5-40EC-90D7-6D8AEFBEFBA3@microsoft.com,
> InBan in <InBan@discussions.microsoft.com> posted their thoughts, then I
> offered mine
> > I did examin the hosts files on the DNS servers, they did contain the
> > localhost record. I also examined the network traffic to and from the
> > DNS servers at the time. No clients had made a localhost resolution
> > request to the internal DNS servers. If they had the DNS server
> > should NOT have forwarded it to the root hint.
> >
> > I did consider puting a record in forward lookup for localhost before
> > posting. However it would not explain WHY the DNS servers are making
> > repeated requests to the public DNS servers to resolve localhost. I
> > may try this workaround as the 5504 records are flooding the logs.
> >
> > An illegal character should not cause this type of behaviour. The
> > reason illegal characters in host names are associated with 5504
> > warnings is because they cannot be corrctly resolved by DNS. The
> > repsonses from the Root Hint servers are those that are being
> > dropped; they are considered to contain illegal characters because
> > they are not the response that the DNS server is expecting. If
> > LOCALHOST requests were illegal internal requests the ip address
> > referenced in the warning would be internal, not that of the root
> > hint. Note that localhost is not an illegal request, it should
> > however always be resolved without being passed to a name server.
> > Also if this was casued by an illegal charcter of an internal host,
> > the ip address would be internal, not a public root hint.
> >
> > Ian Bagnald
> > Systems Administrator
> > Focal Technologies Corporation
> > Division of Kaydon Corporation
> > MCSE:Security Windows 2000
> > MCSA:Security Windows 2000
> > COMPTIA A+
> >
> >
>
> Good point Ian. After re-reading the original post, I see its a Root. Now
> knowing the impact of the hotfix, maybe the more cautious resolution would
> be the localhost record in your zone.
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 3, 2004 11:37:28 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:829C8C82-C046-47C0-AD8E-4D21518F3DD8@microsoft.com,
InBan <InBan@discussions.microsoft.com> posted a question
Then Kevin replied below:
> I'd still like to know why the DNS servers are trying to
> resolve localhost. It shouldn't be necessary to have a
> localhost entry in forward lookup. This query isn't being
> generated by a client, it is coming from the internal
> Windows DNS server. The frequency/regularity bothers me.
> For 3 or 4 days every 1 or two months, every 15 minutes
> it sends four queries to each root hint server to resolve
> localhost. This does not seem to be normal behaviour.

Possibly it is coming from its own client, I can't think of a reason why a
DNS server would try to resolve a name unless it is asked to resolve it.
What else is on the box?
Is the DNS client service running?
Does ipconfig /displaydns display localhost?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your
issue. To respond directly to me remove the nospam. from my
email. ==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Anonymous
July 4, 2004 4:07:03 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Kevin;

Localhost is listed first when ipconfig /displaydns is run. The DNS client service is also running on the server.

My organization is made up of about 20 locations; each has at least one internal DNS server. Each server that is receiving these messages has local access to the internet and is configured to use root hint servers. Until recently all locations were connected by frame relay. Now each location has an ISA server and persistent VPN connections serve as the inter-site back-bone. Prior to the VPN implementation only one server saw these messages regularly. At that time all other internal DNS servers were configured to forward requests to that server if they were unable to resolve the request. Now that the forwarders have been removed and the internal DNS servers at each site are using the root hint servers for resolution all DNS servers in the organization (which I have examined) are receiving these messages. Each of these DNS servers may or may not also run DHCP, WINS, Exchange, AD and other services.

Ian Bagnald
Systems Administrator
Focal Technologies Corporation
Division of Kaydon Corporation
MCSE:Security Windows 2000
MCSA:Security Windows 2000
COMPTIA A+


"Kevin D. Goodknecht Sr. [MVP]" wrote:

> In news:829C8C82-C046-47C0-AD8E-4D21518F3DD8@microsoft.com,
> InBan <InBan@discussions.microsoft.com> posted a question
> Then Kevin replied below:
> > I'd still like to know why the DNS servers are trying to
> > resolve localhost. It shouldn't be necessary to have a
> > localhost entry in forward lookup. This query isn't being
> > generated by a client, it is coming from the internal
> > Windows DNS server. The frequency/regularity bothers me.
> > For 3 or 4 days every 1 or two months, every 15 minutes
> > it sends four queries to each root hint server to resolve
> > localhost. This does not seem to be normal behaviour.
>
> Possibly it is coming from its own client, I can't think of a reason why a
> DNS server would try to resolve a name unless it is asked to resolve it.
> What else is on the box?
> Is the DNS client service running?
> Does ipconfig /displaydns display localhost?
>
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ============================
> --
> When responding to posts, please "Reply to Group" via your
> newsreader so that others may learn and benefit from your
> issue. To respond directly to me remove the nospam. from my
> email. ==========================================
> http://www.lonestaramerica.com/
> ==========================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ==========================================
> Keep a back up of your OE settings and folders with
> OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ==========================================
>
>
>
Anonymous
July 4, 2004 7:52:29 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Not to get off track, but curious, and not sure if it relates, but is your
domain a single label name?

Ace


"InBan" <InBan@discussions.microsoft.com> wrote in message
news:829C8C82-C046-47C0-AD8E-4D21518F3DD8@microsoft.com...
> I'd still like to know why the DNS servers are trying to resolve
localhost. It shouldn't be necessary to have a localhost entry in forward
lookup. This query isn't being generated by a client, it is coming from the
internal Windows DNS server. The frequency/regularity bothers me. For 3 or 4
days every 1 or two months, every 15 minutes it sends four queries to each
root hint server to resolve localhost. This does not seem to be normal
behaviour.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:6FC1856C-8EE5-40EC-90D7-6D8AEFBEFBA3@microsoft.com,
> > InBan in <InBan@discussions.microsoft.com> posted their thoughts, then I
> > offered mine
> > > I did examin the hosts files on the DNS servers, they did contain the
> > > localhost record. I also examined the network traffic to and from the
> > > DNS servers at the time. No clients had made a localhost resolution
> > > request to the internal DNS servers. If they had the DNS server
> > > should NOT have forwarded it to the root hint.
> > >
> > > I did consider puting a record in forward lookup for localhost before
> > > posting. However it would not explain WHY the DNS servers are making
> > > repeated requests to the public DNS servers to resolve localhost. I
> > > may try this workaround as the 5504 records are flooding the logs.
> > >
> > > An illegal character should not cause this type of behaviour. The
> > > reason illegal characters in host names are associated with 5504
> > > warnings is because they cannot be corrctly resolved by DNS. The
> > > repsonses from the Root Hint servers are those that are being
> > > dropped; they are considered to contain illegal characters because
> > > they are not the response that the DNS server is expecting. If
> > > LOCALHOST requests were illegal internal requests the ip address
> > > referenced in the warning would be internal, not that of the root
> > > hint. Note that localhost is not an illegal request, it should
> > > however always be resolved without being passed to a name server.
> > > Also if this was casued by an illegal charcter of an internal host,
> > > the ip address would be internal, not a public root hint.
> > >
> > > Ian Bagnald
> > > Systems Administrator
> > > Focal Technologies Corporation
> > > Division of Kaydon Corporation
> > > MCSE:Security Windows 2000
> > > MCSA:Security Windows 2000
> > > COMPTIA A+
> > >
> > >
> >
> > Good point Ian. After re-reading the original post, I see its a Root.
Now
> > knowing the impact of the hotfix, maybe the more cautious resolution
would
> > be the localhost record in your zone.
> >
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroups
> > so all can benefit.
> >
> > This posting is provided "AS-IS" with no warranties or guarantees
> > and confers no rights.
> >
> > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > Microsoft Windows MVP - Active Directory
> >
> > HAM AND EGGS: A day's work for a chicken;
> > A lifetime commitment for a pig.
> > --
> > =================================
> >
> >
> >
Anonymous
July 4, 2004 7:54:49 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Also, do you have Secure Cache against Pollution enabled?

Ace

"InBan" <InBan@discussions.microsoft.com> wrote in message
news:829C8C82-C046-47C0-AD8E-4D21518F3DD8@microsoft.com...
> I'd still like to know why the DNS servers are trying to resolve
localhost. It shouldn't be necessary to have a localhost entry in forward
lookup. This query isn't being generated by a client, it is coming from the
internal Windows DNS server. The frequency/regularity bothers me. For 3 or 4
days every 1 or two months, every 15 minutes it sends four queries to each
root hint server to resolve localhost. This does not seem to be normal
behaviour.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+
>
> "Ace Fekay [MVP]" wrote:
>
> > In news:6FC1856C-8EE5-40EC-90D7-6D8AEFBEFBA3@microsoft.com,
> > InBan in <InBan@discussions.microsoft.com> posted their thoughts, then I
> > offered mine
> > > I did examin the hosts files on the DNS servers, they did contain the
> > > localhost record. I also examined the network traffic to and from the
> > > DNS servers at the time. No clients had made a localhost resolution
> > > request to the internal DNS servers. If they had the DNS server
> > > should NOT have forwarded it to the root hint.
> > >
> > > I did consider puting a record in forward lookup for localhost before
> > > posting. However it would not explain WHY the DNS servers are making
> > > repeated requests to the public DNS servers to resolve localhost. I
> > > may try this workaround as the 5504 records are flooding the logs.
> > >
> > > An illegal character should not cause this type of behaviour. The
> > > reason illegal characters in host names are associated with 5504
> > > warnings is because they cannot be corrctly resolved by DNS. The
> > > repsonses from the Root Hint servers are those that are being
> > > dropped; they are considered to contain illegal characters because
> > > they are not the response that the DNS server is expecting. If
> > > LOCALHOST requests were illegal internal requests the ip address
> > > referenced in the warning would be internal, not that of the root
> > > hint. Note that localhost is not an illegal request, it should
> > > however always be resolved without being passed to a name server.
> > > Also if this was casued by an illegal charcter of an internal host,
> > > the ip address would be internal, not a public root hint.
> > >
> > > Ian Bagnald
> > > Systems Administrator
> > > Focal Technologies Corporation
> > > Division of Kaydon Corporation
> > > MCSE:Security Windows 2000
> > > MCSA:Security Windows 2000
> > > COMPTIA A+
> > >
> > >
> >
> > Good point Ian. After re-reading the original post, I see its a Root.
Now
> > knowing the impact of the hotfix, maybe the more cautious resolution
would
> > be the localhost record in your zone.
> >
> >
> > --
> > Regards,
> > Ace
> >
> > Please direct all replies ONLY to the Microsoft public newsgroups
> > so all can benefit.
> >
> > This posting is provided "AS-IS" with no warranties or guarantees
> > and confers no rights.
> >
> > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > Microsoft Windows MVP - Active Directory
> >
> > HAM AND EGGS: A day's work for a chicken;
> > A lifetime commitment for a pig.
> > --
> > =================================
> >
> >
> >
Anonymous
July 5, 2004 6:44:01 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Sorry for the slow response. No it is not a single label domain, and yes secure against cache polution is enabled. Actually my first concern when I saw all those errors was cache poisoning, but I'm convinced that is not the case. If this is a configuration issue, its not an obviouse one, and if its an issue with the Windows DNS implementation, its not (well) published.

Ian Bagnald
Systems Administrator
Focal Technologies Corporation
Division of Kaydon Corporation
MCSE:Security Windows 2000
MCSA:Security Windows 2000
COMPTIA A+

"Ace Fekay [MVP]" wrote:

> Also, do you have Secure Cache against Pollution enabled?
>
> Ace
>
> "InBan" <InBan@discussions.microsoft.com> wrote in message
> news:829C8C82-C046-47C0-AD8E-4D21518F3DD8@microsoft.com...
> > I'd still like to know why the DNS servers are trying to resolve
> localhost. It shouldn't be necessary to have a localhost entry in forward
> lookup. This query isn't being generated by a client, it is coming from the
> internal Windows DNS server. The frequency/regularity bothers me. For 3 or 4
> days every 1 or two months, every 15 minutes it sends four queries to each
> root hint server to resolve localhost. This does not seem to be normal
> behaviour.
> >
> > Ian Bagnald
> > Systems Administrator
> > Focal Technologies Corporation
> > Division of Kaydon Corporation
> > MCSE:Security Windows 2000
> > MCSA:Security Windows 2000
> > COMPTIA A+
> >
> > "Ace Fekay [MVP]" wrote:
> >
> > > In news:6FC1856C-8EE5-40EC-90D7-6D8AEFBEFBA3@microsoft.com,
> > > InBan in <InBan@discussions.microsoft.com> posted their thoughts, then I
> > > offered mine
> > > > I did examin the hosts files on the DNS servers, they did contain the
> > > > localhost record. I also examined the network traffic to and from the
> > > > DNS servers at the time. No clients had made a localhost resolution
> > > > request to the internal DNS servers. If they had the DNS server
> > > > should NOT have forwarded it to the root hint.
> > > >
> > > > I did consider puting a record in forward lookup for localhost before
> > > > posting. However it would not explain WHY the DNS servers are making
> > > > repeated requests to the public DNS servers to resolve localhost. I
> > > > may try this workaround as the 5504 records are flooding the logs.
> > > >
> > > > An illegal character should not cause this type of behaviour. The
> > > > reason illegal characters in host names are associated with 5504
> > > > warnings is because they cannot be corrctly resolved by DNS. The
> > > > repsonses from the Root Hint servers are those that are being
> > > > dropped; they are considered to contain illegal characters because
> > > > they are not the response that the DNS server is expecting. If
> > > > LOCALHOST requests were illegal internal requests the ip address
> > > > referenced in the warning would be internal, not that of the root
> > > > hint. Note that localhost is not an illegal request, it should
> > > > however always be resolved without being passed to a name server.
> > > > Also if this was casued by an illegal charcter of an internal host,
> > > > the ip address would be internal, not a public root hint.
> > > >
> > > > Ian Bagnald
> > > > Systems Administrator
> > > > Focal Technologies Corporation
> > > > Division of Kaydon Corporation
> > > > MCSE:Security Windows 2000
> > > > MCSA:Security Windows 2000
> > > > COMPTIA A+
> > > >
> > > >
> > >
> > > Good point Ian. After re-reading the original post, I see its a Root.
> Now
> > > knowing the impact of the hotfix, maybe the more cautious resolution
> would
> > > be the localhost record in your zone.
> > >
> > >
> > > --
> > > Regards,
> > > Ace
> > >
> > > Please direct all replies ONLY to the Microsoft public newsgroups
> > > so all can benefit.
> > >
> > > This posting is provided "AS-IS" with no warranties or guarantees
> > > and confers no rights.
> > >
> > > Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> > > Microsoft Windows MVP - Active Directory
> > >
> > > HAM AND EGGS: A day's work for a chicken;
> > > A lifetime commitment for a pig.
> > > --
> > > =================================
> > >
> > >
> > >
>
>
>
Anonymous
July 6, 2004 12:20:42 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:85E4036F-4D2E-41EA-8E23-AE830696B5DF@microsoft.com,
InBan <InBan@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Sorry for the slow response. No it is not a single label domain, and
> yes secure against cache polution is enabled. Actually my first
> concern when I saw all those errors was cache poisoning, but I'm
> convinced that is not the case. If this is a configuration issue, its
> not an obviouse one, and if its an issue with the Windows DNS
> implementation, its not (well) published.
>

This is an elusive issue. I understand as well that if it were an illegal
character in a client, and the client were to register, then I believe it
would appear as if the DNS server itself is querying to the Root servers,
assuming (none of us have asked your config yet) that you have all your
machines using your DNS, but assuming you don't have a forwarder configured.
Please correct me if my assumption is incorrect. Not saying it would or
would not fix it, but do you have forwarding configured? IF you do, try
removing it, but from the looks, it seems that you may not?

As for the localhost resolution, that seems odd that it would try to query
the Roots for it. Do you by chance have 127.0.0.1 as your DNS address? I
guess it would be prudent if we can ask for some config info, such as an
ipconfig /all, is DNS mutlihomed, if so, is it performing NAT, and anything
else you can think of that may or may not be relevant at first glance.

Also, as Kevin mentioned earlier, a saturated link can cause this. If during
the time the errors popped up, can you recall if there is heavy Internet
traffic across your link, such as file transfers, or something else? Do you
have logging set or anyway to check bandwidth usage by time/date stamp? Most
ISPs offering T1s have some sort of administration page that show
statistics, etc. I remember one guy called me with a saturated link that
wound up being a server that gotted 'pubbed'. It got pubbed twice. Two
separate instances. I removed both and it cleaned it up, but he wasn't
getting 5504s since his forwarding scheme was to his main office and not
from that location. So maybe if in a situation where there's saturation or a
DNS server overloaded, it could retrieve a valid packet, but due to
corruption, DNS is translating it as something else and results in that
error. Just maybe that hotfix takes care of this, but as for regression
testing as Natalie asked previously, I don;t know anyone that has applied
it, nor has anyone posted any issues about it as of yet.

Hope we can come down to a resolution here. 5504's come up time to time, but
they wind up being an internal client name issue, but not from what you're
describing, and frankly, believe it or not, I thought about this off and on
all weekend.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 6, 2004 12:20:43 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

Its good to know I'm not the only one this is nagging at. Some of the other guys in IT in my organization didn't seem very interested in trying to pin this one down, but there is just something about it that bothers me.

A note on my config; no forwarders to external servers are used, all clients use only internal DNS. Internal DNS servers are configured to use root hints. 127.0.0.1 is not used to specify a DNS server in the servers IP Config. Internal DNS servers are configured to use themselves, by their static assigned IP, and their peers.

Here is some real food for thought. Check out the details of this packet capture. The first packet is a query sent to a root hint server (source and destination are the ip of the internal DNS server and the gateway). The second packet is the response from the root hint. The response is from a different root hint than the query was sent to, there are just so many of these I just grabbed two, they are all essentially identical.

(note I doctored it a little because I don't like exposing my internal IP addresses to the world, though a determined individual could pull the info from the hex, it would be rather pointless.):

Frame 25976 (69 bytes on wire, 69 bytes captured)
Arrival Time: Jun 30, 2004 12:04:27.340885000
Time delta from previous packet: 0.000065000 seconds
Time since reference or first frame: 133.065232000 seconds
Frame Number: 25976
Packet Length: 69 bytes
Capture Length: 69 bytes
Ethernet II, Src: 00:0x:xx:xx:xx:xx, Dst: 00:x0:xx:x0:xx:xx
Destination: 00:x0:xx:x0:xx:xx (192.168.xx.xxx)
Source: 00:0x:xx:xx:xx:xx (192.168.xx.x)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.xx.x (192.168.xx.x), Dst Addr: 192.228.79.201 (192.228.79.201)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 55
Identification: 0xd92a (55594)
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x742f (correct)
Source: 192.168.xx.x (192.168.xx.x)
Destination: 192.228.79.201 (192.228.79.201)
User Datagram Protocol, Src Port: 1273 (1273), Dst Port: domain (53)
Source port: 1273 (1273)
Destination port: domain (53)
Length: 35
Checksum: 0x3382 (correct)
Domain Name System (query)
Transaction ID: 0x217b
Flags: 0x0000 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
localhost: type A, class inet
Name: localhost
Type: Host address
Class: inet

0000 00 c0 9f 10 de 21 00 06 5b fd 9d 97 08 00 45 00 .....!..[.....E.
0010 00 37 d9 2a 00 00 80 11 74 2f c0 a8 1c 06 c0 e4 .7.*....t/......
0020 4f c9 04 f9 00 35 00 23 33 82 21 7b 00 00 00 01 O....5.#3.!{....
0030 00 00 00 00 00 00 09 6c 6f 63 61 6c 68 6f 73 74 .......localhost
0040 00 00 01 00 01 .....


____________________________________________________________________________


Frame 25984 (144 bytes on wire, 144 bytes captured)
Arrival Time: Jun 30, 2004 12:04:27.404963000
Time delta from previous packet: 0.021646000 seconds
Time since reference or first frame: 133.129310000 seconds
Frame Number: 25984
Packet Length: 144 bytes
Capture Length: 144 bytes
Ethernet II, Src: 00:x0:xx:x0:xx:xx, Dst: 00:0x:xx:xx:xx:xx
Destination: 00:0x:xx:xx:xx:xx (192.168.xx.x)
Source: 00:x0:xx:x0:xx:xx (192.168.xx.xxx)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.112.36.4 (192.112.36.4), Dst Addr: 192.168.xx.x (192.168.xx.x)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 130
Identification: 0x66c4 (26308)
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: UDP (0x11)
Header checksum: 0x1284 (correct)
Source: 192.112.36.4 (192.112.36.4)
Destination: 192.168.xx.x (192.168.xx.x)
User Datagram Protocol, Src Port: domain (53), Dst Port: 1273 (1273)
Source port: domain (53)
Destination port: 1273 (1273)
Length: 110
Checksum: 0x5556 (correct)
Domain Name System (response)
Transaction ID: 0x217b
Flags: 0x8403 (Standard query response, No such name)
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... .... 0011 = Reply code: No such name (3)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 0
Queries
localhost: type A, class inet
Name: localhost
Type: Host address
Class: inet
Authoritative nameservers
<Root>: type SOA, class inet, mname A.ROOT-SERVERS.NET
Name: <Root>
Type: Start of zone of authority
Class: inet
Time to live: 1 day
Data length: 64
Primary name server: A.ROOT-SERVERS.NET
Responsible authority's mailbox: NSTLD.VERISIGN-GRS.COM
Serial number: 2004062901
Refresh interval: 30 minutes
Retry interval: 15 minutes
Expiration limit: 7 days
Minimum TTL: 1 day

0000 00 06 5b fd 9d 97 00 c0 9f 10 de 21 08 00 45 00 ..[........!..E.
0010 00 82 66 c4 00 00 80 11 12 84 c0 70 24 04 c0 a8 ..f........p$...
0020 1c 06 00 35 04 f9 00 6e 55 56 21 7b 84 03 00 01 ...5...nUV!{....
0030 00 00 00 01 00 00 09 6c 6f 63 61 6c 68 6f 73 74 .......localhost
0040 00 00 01 00 01 00 00 06 00 01 00 01 51 80 00 40 ............Q..@
0050 01 41 0c 52 4f 4f 54 2d 53 45 52 56 45 52 53 03 .A.ROOT-SERVERS.
0060 4e 45 54 00 05 4e 53 54 4c 44 0c 56 45 52 49 53 NET..NSTLD.VERIS
0070 49 47 4e 2d 47 52 53 03 43 4f 4d 00 77 73 92 b5 IGN-GRS.COM.ws..
0080 00 00 07 08 00 00 03 84 00 09 3a 80 00 01 51 80 ..........:...Q.

The expiration, retry and refresh interval have to do with the frequency/regularity of the messages. But I don't know what is setting those values.

Ian Bagnald
MCSE:Security
MCSA:Security
COMPITA A+


"Ace Fekay [MVP]" wrote:

> In news:85E4036F-4D2E-41EA-8E23-AE830696B5DF@microsoft.com,
> InBan <InBan@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > Sorry for the slow response. No it is not a single label domain, and
> > yes secure against cache polution is enabled. Actually my first
> > concern when I saw all those errors was cache poisoning, but I'm
> > convinced that is not the case. If this is a configuration issue, its
> > not an obviouse one, and if its an issue with the Windows DNS
> > implementation, its not (well) published.
> >
>
> This is an elusive issue. I understand as well that if it were an illegal
> character in a client, and the client were to register, then I believe it
> would appear as if the DNS server itself is querying to the Root servers,
> assuming (none of us have asked your config yet) that you have all your
> machines using your DNS, but assuming you don't have a forwarder configured.
> Please correct me if my assumption is incorrect. Not saying it would or
> would not fix it, but do you have forwarding configured? IF you do, try
> removing it, but from the looks, it seems that you may not?
>
> As for the localhost resolution, that seems odd that it would try to query
> the Roots for it. Do you by chance have 127.0.0.1 as your DNS address? I
> guess it would be prudent if we can ask for some config info, such as an
> ipconfig /all, is DNS mutlihomed, if so, is it performing NAT, and anything
> else you can think of that may or may not be relevant at first glance.
>
> Also, as Kevin mentioned earlier, a saturated link can cause this. If during
> the time the errors popped up, can you recall if there is heavy Internet
> traffic across your link, such as file transfers, or something else? Do you
> have logging set or anyway to check bandwidth usage by time/date stamp? Most
> ISPs offering T1s have some sort of administration page that show
> statistics, etc. I remember one guy called me with a saturated link that
> wound up being a server that gotted 'pubbed'. It got pubbed twice. Two
> separate instances. I removed both and it cleaned it up, but he wasn't
> getting 5504s since his forwarding scheme was to his main office and not
> from that location. So maybe if in a situation where there's saturation or a
> DNS server overloaded, it could retrieve a valid packet, but due to
> corruption, DNS is translating it as something else and results in that
> error. Just maybe that hotfix takes care of this, but as for regression
> testing as Natalie asked previously, I don;t know anyone that has applied
> it, nor has anyone posted any issues about it as of yet.
>
> Hope we can come down to a resolution here. 5504's come up time to time, but
> they wind up being an internal client name issue, but not from what you're
> describing, and frankly, believe it or not, I thought about this off and on
> all weekend.
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 6, 2004 6:13:51 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:B77DB15D-58B7-45B1-91A5-890B17BB8C0D@microsoft.com,
InBan <InBan@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Its good to know I'm not the only one this is nagging at. Some of the
> other guys in IT in my organization didn't seem very interested in
> trying to pin this one down, but there is just something about it
> that bothers me.
>
> A note on my config; no forwarders to external servers are used, all
> clients use only internal DNS. Internal DNS servers are configured to
> use root hints. 127.0.0.1 is not used to specify a DNS server in the
> servers IP Config. Internal DNS servers are configured to use
> themselves, by their static assigned IP, and their peers.
>
> Here is some real food for thought. Check out the details of this
> packet capture. The first packet is a query sent to a root hint
> server (source and destination are the ip of the internal DNS server
> and the gateway). The second packet is the response from the root
> hint. The response is from a different root hint than the query was
> sent to, there are just so many of these I just grabbed two, they are
> all essentially identical.
>
> (note I doctored it a little because I don't like exposing my
> internal IP addresses to the world, though a determined individual
> could pull the info from the hex, it would be rather pointless.):
>
<snip>


The expiration, retry and refresh interval usually is based on the zone
data, but that's strange.

That is also strange that 192.112.36.4 would respond to a query originally
sent to 192.228.79.201. Ian, do me a favor and set a forwarder and let me
know what happens. Usually in most cases we recommend forwarding for a
number of reasons, main one is to offload the recursion processing to
another server. I usually mention to use 4.2.2.2, or you can use whatever
you like that supports the RA bit.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 6, 2004 6:13:52 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

One didn't reply to a packet sent to the other, packets were sent to both, I just didn't grab the reply to that request but a reply to an identical request sent to one of the other root hints. The replies and queries are all identical other than the root hint servers ip. The response is the same.

The messages seem to have subsided for now, so if I did configure a forwarder at this point it wouldn't tell us if it fixed the issue. I'll wait and possibly try it the next time this happens, but if history is an indication, this wont happen again for about a month.

Thanks for the attention.
Ian

"Ace Fekay [MVP]" wrote:

> In news:B77DB15D-58B7-45B1-91A5-890B17BB8C0D@microsoft.com,
> InBan <InBan@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > Its good to know I'm not the only one this is nagging at. Some of the
> > other guys in IT in my organization didn't seem very interested in
> > trying to pin this one down, but there is just something about it
> > that bothers me.
> >
> > A note on my config; no forwarders to external servers are used, all
> > clients use only internal DNS. Internal DNS servers are configured to
> > use root hints. 127.0.0.1 is not used to specify a DNS server in the
> > servers IP Config. Internal DNS servers are configured to use
> > themselves, by their static assigned IP, and their peers.
> >
> > Here is some real food for thought. Check out the details of this
> > packet capture. The first packet is a query sent to a root hint
> > server (source and destination are the ip of the internal DNS server
> > and the gateway). The second packet is the response from the root
> > hint. The response is from a different root hint than the query was
> > sent to, there are just so many of these I just grabbed two, they are
> > all essentially identical.
> >
> > (note I doctored it a little because I don't like exposing my
> > internal IP addresses to the world, though a determined individual
> > could pull the info from the hex, it would be rather pointless.):
> >
> <snip>
>
>
> The expiration, retry and refresh interval usually is based on the zone
> data, but that's strange.
>
> That is also strange that 192.112.36.4 would respond to a query originally
> sent to 192.228.79.201. Ian, do me a favor and set a forwarder and let me
> know what happens. Usually in most cases we recommend forwarding for a
> number of reasons, main one is to offload the recursion processing to
> another server. I usually mention to use 4.2.2.2, or you can use whatever
> you like that supports the RA bit.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 7, 2004 12:16:55 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:FA56114F-31C8-41B5-86B3-465DBF86AC2F@microsoft.com,
InBan <InBan@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> One didn't reply to a packet sent to the other, packets were sent to
> both, I just didn't grab the reply to that request but a reply to an
> identical request sent to one of the other root hints. The replies
> and queries are all identical other than the root hint servers ip.
> The response is the same.
>
> The messages seem to have subsided for now, so if I did configure a
> forwarder at this point it wouldn't tell us if it fixed the issue.
> I'll wait and possibly try it the next time this happens, but if
> history is an indication, this wont happen again for about a month.
>
> Thanks for the attention.
> Ian
>

No problem for the stab at it. I would be curious to find out if a forwarder
stops it all. I guess we'll have to wait a month...
:-)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
Anonymous
July 7, 2004 9:12:02 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

I'll post something here when I do get a chance to try it out.

Thanks for the interest.

Ian Bagnald

"Ace Fekay [MVP]" wrote:

> In news:FA56114F-31C8-41B5-86B3-465DBF86AC2F@microsoft.com,
> InBan <InBan@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > One didn't reply to a packet sent to the other, packets were sent to
> > both, I just didn't grab the reply to that request but a reply to an
> > identical request sent to one of the other root hints. The replies
> > and queries are all identical other than the root hint servers ip.
> > The response is the same.
> >
> > The messages seem to have subsided for now, so if I did configure a
> > forwarder at this point it wouldn't tell us if it fixed the issue.
> > I'll wait and possibly try it the next time this happens, but if
> > history is an indication, this wont happen again for about a month.
> >
> > Thanks for the attention.
> > Ian
> >
>
> No problem for the stab at it. I would be curious to find out if a forwarder
> stops it all. I guess we'll have to wait a month...
> :-)
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 7, 2004 1:37:39 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:83362F09-874E-403F-9F59-D10448360C27@microsoft.com,
InBan <InBan@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> I'll post something here when I do get a chance to try it out.
>
> Thanks for the interest.
>
> Ian Bagnald
>

Thanks!

Ace
!