Win2K3 DNS Error 5504

Guest
Archived from groups: microsoft.public.win2000.dns

I am getting a 5504 error about 150 times per 24hrs.

Appears to be only doubleclick.net DNS names

bad packets are coming from
216.73.81.10
216.73.85.10
216.73.86.10
216.73.87.10


<<ERROR TEXT>>
The DNS server encountered an invalid domain name in a packet from
216.73.85.10. The packet will be rejected. The event data contains the
DNS packet.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Data
0001: f8 31 84 00 01 00 01 00 ø1„.....
0008: 08 00 08 00 02 61 64 0b .....ad.
0010: 64 6f 75 62 6c 65 63 6c doublecl
0018: 69 63 6b 03 6e 65 74 00 ick.net.
0020: 00 01 00 01 c0 0c 00 05 ....À...
0028: 00 01 00 00 03 84 00 09 .....„..
0030: 02 61 64 03 33 61 64 c0 .ad.3adÀ
0038: 0f c0 33 00 02 00 01 00 .À3.....
0040: 00 0e 10 00 0c 09 61 6e ......an
0048: 6e 79 33 64 6e 73 32 c0 ny3dns2À
0050: 0f c0 33 00 02 00 01 00 .À3.....
0058: 00 0e 10 00 0c 09 65 71 ......eq
0060: 76 61 33 64 6e 73 31 c0 va3dns1À
0068: 0f c0 33 00 02 00 01 00 .À3.....
0070: 00 0e 10 00 0c 09 65 71 ......eq
0078: 76 61 33 64 6e 73 32 c0 va3dns2À

<<ERROR TEXT>>


This appears only in my win2k3 DNS event logs. I have a test win2k DNS
server that doesn't see this error.

Seems to have been happening at least 2 weeks.

Could this be related to the Cisco PIX 512byte UDP packet limit?

Any ideas?

tM
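
The event data in the post above is a DNS response that can be decoded offline to see which names the server was handed. The following Python parser is an added example, not part of the original thread; `read_name` and `parse` are illustrative names, and it assumes the four header counts are stored little-endian in the event data.

```python
import struct

EVENT_DATA = bytes.fromhex("""
f8 31 84 00 01 00 01 00 08 00 08 00 02 61 64 0b 64 6f 75 62 6c 65 63 6c 69 63 6b 03 6e 65 74 00
00 01 00 01 c0 0c 00 05 00 01 00 00 03 84 00 09 02 61 64 03 33 61 64 c0 0f c0 33 00 02 00 01 00
00 0e 10 00 0c 09 61 6e 6e 79 33 64 6e 73 32 c0 0f c0 33 00 02 00 01 00 00 0e 10 00 0c 09 65 71
76 61 33 64 6e 73 31 c0 0f c0 33 00 02 00 01 00 00 0e 10 00 0c 09 65 71 76 61 33 64 6e 73 32 c0
""")  # the 128 bytes shown in the 5504 event above; the log entry ends there
TYPES = {1: "A", 2: "NS", 5: "CNAME"}

def read_name(msg, off, hops=0):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels = []
    while True:
        n = msg[off]                      # IndexError here means the data was cut off
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:              # compression pointer: 14-bit message offset
            if hops > 16:
                raise ValueError("compression pointer loop")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], hops + 1)
            return ".".join(labels + [tail]), off + 2
        if n > 63 or off + 1 + n > len(msg):
            raise ValueError("bad or truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def parse(msg):
    """Parse as far as the captured bytes allow; 'error' says where parsing stopped."""
    flags = struct.unpack_from(">H", msg, 2)[0]   # flag bytes taken in wire order
    # Assumption: counts are little-endian here (01 00 = 1); big-endian would mean 256 questions.
    counts = struct.unpack_from("<4H", msg, 4)
    out = {"flags": flags, "counts": counts, "question": None, "records": [], "error": None}
    off = 12
    try:
        for _ in range(counts[0]):
            qname, off = read_name(msg, off)
            qtype, _qclass = struct.unpack_from(">HH", msg, off)
            out["question"], off = (qname, TYPES.get(qtype, qtype)), off + 4
        for _ in range(sum(counts[1:])):
            owner, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
            off += 10                     # fixed RR header: type, class, TTL, RDLENGTH
            data = read_name(msg, off)[0] if rtype in (2, 5) else msg[off:off + rdlen].hex()
            out["records"].append((owner, TYPES.get(rtype, rtype), ttl, data))
            off += rdlen
    except (ValueError, IndexError, struct.error) as exc:
        out["error"] = f"stopped at offset {off:#x}: {exc}"
    return out
```

Run against the posted bytes, `parse(EVENT_DATA)` decodes the question (A record for ad.doubleclick.net), a CNAME answer pointing to ad.3ad.doubleclick.net and two NS records for 3ad.doubleclick.net, then reports that it stopped at offset 0x75 because the logged data ends in the middle of a compression pointer.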
 
Guest

Try to make sure the "Secure cache against pollution" is enabled. This
prevents DNS spoofing. If this does not help, try to use a firewall to block
those packets.

Your suggestion may also be possible. See this.

An external DNS query may cause an error message in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731

How to Prevent DNS Cache Pollution
http://support.microsoft.com/kb/q241352/

Description of the DNS Server Secure Cache Against Pollution Setting
http://support.microsoft.com/default.aspx?scid=kb;en-us;316786&sd=tech

BR,
Denis
 
Guest

In news:4197e011_2@127.0.0.1,
themeanies <themeanies@nowhere.net> commented
Then Kevin replied below:
> Could this be related to the Cisco PIX 512byte UDP packet
> limit?

I'm not sure if it is related; you should have already fixed the PIX to
allow these packets anyway. There is an article on the Cisco site for the
DNS Fixup protocol that will allow these packets.
Incidentally, we have seen a lot of these errors coming from these
doubleclick.net DNS servers. If you block access to the DNS servers, which
is what I usually recommend, you shouldn't miss much but maybe some ad
sites. I haven't gotten any bad feedback from anyone that has blocked these
servers.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]