Event ID: 5504

Discussion in 'DNS Server' started by Dan Moynihan, Nov 5, 2004.

  1. Dan Moynihan

    Dan Moynihan Guest

    We are getting about 15 warnings in a row of this same event (5504) every 30
    minutes. We are getting these warnings in both our dc1 and dc2. We are
    running Windows 2000 with SP4 on both machines. I've been reading a lot of
    posts on this event and some say to ignore it and others say to "enable"
    "disable" forwarders. Currently we have forwarders turned off on both
    servers. From what other people have said, if they turn on forwarders they
    still get these warnings but not as frequently. All the errors are coming
    from root servers. I have checked for any servers with illegal characters
    (&*$, etc) and they all seem to be valid. What are some things that I could
    change or look into to fix this problem? Any suggestions would be
    appreciated.

    Dan

    Event Type: Warning

    Event Source: DNS

    Event Category: None

    Event ID: 5504

    Date: 11/3/2004

    Time: 2:59:44 AM

    User: N/A

    Computer: CQL-GR-DC2

    Description:

    The DNS server encountered an invalid domain name in a packet from
    198.41.0.10. The packet is rejected.
     
    Dan Moynihan, Nov 5, 2004
    #1

  2. Ace Fekay [MVP]

    This is a tough one to track down. Did you use Netmon to see the exact query
    that is causing it? It may also be as simple as a hotfix:
     
    Ace Fekay [MVP], Nov 5, 2004
    #2

  3. Ace Fekay [MVP]

    838969 - Event 5504 & 7063 is recorded in the DNS log of Event Viewer in
    Windows 2000 Server:
    http://support.microsoft.com/?id=838969

    Keep in mind, an underscore is also considered illegal.

    Ace
     
    Ace Fekay [MVP], Nov 5, 2004
    #3
  4. Mark Renoden [MSFT]

    Hi

    This behavior may be caused by DNS spoofing. The DNS cache becomes polluted
    with invalid domain names.

    To resolve this, perform the following:

    1. secure the DNS cache against pollution

    "Secure cache against pollution" is an option under the Advanced tab in
    properties of the DNS server in the DNS MMC.

    2. Clear the DNS cache

    3. Restart the DNS service

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email:

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.


     
    Mark Renoden [MSFT], Nov 7, 2004
    #4
  5. Ace Fekay [MVP]

    Mark, correct me if I'm wrong, but unless he disabled it, if SP4 is installed,
    then Secure cache would already be enabled.

    Ace
     
    Ace Fekay [MVP], Nov 8, 2004
    #5
  6. Mark Renoden [MSFT]

    Hi Ace

    Correct but worth a check.

    Cheers
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email:

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Mark Renoden [MSFT], Nov 8, 2004
    #6
  7. Ace Fekay [MVP]

    Cheers back!

    Ace
     
    Ace Fekay [MVP], Nov 9, 2004
    #7
  8. Dan Moynihan

    Dan Moynihan Guest

    Thanks for help on this problem. I checked to see if "secure the DNS cache
    against pollution" was checked and we do have it enabled. Yesterday we
    flushed the DNS cache and restarted the DNS service on DC2 only. I just checked
    the logs in Event Viewer and we are still getting "invalid packets" event
    ID: 5504.
    I did check out that hotfix link, but I thought it was fixed in the SP4 release?
    Is that correct? Also, when I click on that link to the hotfix I see no
    place to download the fix. Is there something I'm supposed to do? Should
    I call Microsoft and request the hotfix?



    Thanks,



    Dan
     
    Dan Moynihan, Nov 9, 2004
    #8
  9. Mark Renoden [MSFT]

    Hi Dan

    This fix doesn't appear to be specifically for SP4. You can probably give
    it a go. The normal method for obtaining a hotfix would be to contact
    Microsoft and request it. Hotfixes are usually processed free of charge.

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email:

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Mark Renoden [MSFT], Nov 9, 2004
    #9
  10. Dan Moynihan

    Dan Moynihan Guest

    Mark,

    I'll give Microsoft a call tomorrow and take it from there. I'll respond to
    this post again when I've applied the hotfix. I hope this works.



    Thanks,



    Dan
    Dan Moynihan, Nov 9, 2004
    #10
  11. Dan Moynihan

    Dan Moynihan Guest

    Ok, well we applied the hotfix (Article ID: 838969) to dc2 this morning. We
    applied the fix and rebooted the server and got these three warnings after
    the reboot. We haven't gotten any more Event ID: 5504 warnings thus far
    after the reboot. Are these warnings anything that we should be concerned
    about? Has anyone else applied this hotfix and gotten these warnings
    after they applied the fix? After the reboot, these are the only three
    errors/warnings that showed up in Event Viewer (DNS Server).



    Thanks,



    Dan


    Event Type: Warning

    Event Source: DNS

    Event Category: None

    Event ID: 9999

    Date: 11/11/2004

    Time: 6:40:49 AM

    User: N/A

    Computer: CQL-GR-DC2

    Description:

    The DNS server has encountered numerous run-time events. These are usually
    caused by the reception of bad or unexpected packets, or from problems with
    or excessive replication traffic. The data is the number of suppressed
    events encountered in the last 15 minute interval.

    Data:

    0000: 8e 08 00 00 Ž...



    Event Type: Warning

    Event Source: DNS

    Event Category: None

    Event ID: 9999

    Date: 11/11/2004

    Time: 6:24:49 AM

    User: N/A

    Computer: CQL-GR-DC2

    Description:

    The DNS server has encountered numerous run-time events. These are usually
    caused by the reception of bad or unexpected packets, or from problems with
    or excessive replication traffic. The data is the number of suppressed
    events encountered in the last 15 minute interval.

    Data:

    0000: 04 0d 00 00 ....



    Event Type: Warning

    Event Source: DNS

    Event Category: None

    Event ID: 3000

    Date: 11/11/2004

    Time: 6:09:07 AM

    User: N/A

    Computer: CQL-GR-DC2

    Description:

    The DNS server is logging numerous run-time events. For information about
    these events, see previous DNS Server event log entries. To prevent the DNS
    Server from clogging server logs, further logging of this event and other
    events with higher Event IDs will now be suppressed.
    Dan Moynihan, Nov 11, 2004
    #11
  12. Mark Renoden [MSFT]

    Hi Dan

    If you're running Windows Server 2003, you can turn off DNS event
    suppression by using:

    dnscmd /Config /EventControlSuppression 1

    dnscmd.exe is available when you install the Support Tools available from
    \support\tools on the installation media.

    Kind regards
    --
    Mark Renoden [MSFT]
    Windows Platform Support Team
    Email:

    Please note you'll need to strip ".online" from my email address to email
    me; I'll post a response back to the group.

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Mark Renoden [MSFT], Nov 11, 2004
    #12
  13. Dan Moynihan

    Dan Moynihan Guest

    Mark,

    We are running Windows 2000 with SP4. This is happening on our second
    domain controller (dc2). We got those errors after we applied the hotfix
    (Article ID: 838969). We haven't received any of those errors since late
    afternoon yesterday.



    Thanks,



    Dan
    Dan Moynihan, Nov 12, 2004
    #13
  14. Ace Fekay [MVP]

    Maybe it needed time to settle in.
    :)

    Glad to hear they're gone, so far. Post back if they continue.

    Ace
     
    Ace Fekay [MVP], Nov 14, 2004
    #14
  15. Ace Fekay [MVP]

    Curious, what IPs are logged with the error? Are they possibly
    doubleclick.net's nameservers? That seems to be the error du jour for the
    past few months.

    Ace
     
    Ace Fekay [MVP], Nov 18, 2004
    #15
  16. Craig Matchan

    Hi all,

    we have just migrated from a Win2k/Exch2k setup to a Win2003/Exch2003 setup
    and almost immediately we noticed these 5004 events on our internal protected
    DNS server. We are currently going through all the PCs to see which PCs are
    causing this. Unfortunately the rate at which they occur has actually taken
    down the DNS server, and hence AD then spits the dummy.

    I never noticed this on our previous setup, so is the DNS server in 2003
    more fragile?

    Craig


     
    Craig Matchan, Dec 6, 2004
    #16
  17. Ace Fekay [MVP]

    A number of things can cause this, from a client machine with an illegal
    character, a damaged packet, or something up with the forwarder.
    http://www.eventid.net/display.asp?eventid=5504&eventno=642&source=DNS&phase=1

    Can you copy and paste the actual error unedited?

    Thanks

    --
    Regards,
    Ace

    G O E A G L E S !!!
    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Dec 7, 2004
    #17
  18. Craig Matchan

    Hi,

    I'll dig up one of the dns debug logs and post an extract (actually I had
    one handy and an extract is at the end of the message). We did in fact find
    some staff PCs infected with some malware which has since been removed. This
    has reduced the rate of 5504 events however some were still being logged,
    and yes they were all doubleclk dns server addresses.

    Going through the DNS debug log I noticed that not all the entries were on
    port 53, some were on 1026 which apparently MS Messenger uses. A quick look
    on the net showed that spammers are exploiting UDP port 1026 via MS
    Messenger to display pop-up ads and so on. We have now blocked this port.
    And taking a leaf out of some of the other posts we have blocked access to
    the doubleclk DNS servers as well, well at least the ones that were being
    identified in the log files.

    Since taking these steps the 5504 events have stopped...we'll just monitor
    it for the next few days or so.

    What still has me a little confused was that our internal DNS server is not
    accessible from the outside. It is not NATted, it is not referenced from our
    external DNS server, yet there were queries being logged by it from external
    addresses. I can only surmise at this point that either

    1. The addresses are spoofed. I suppose a decent network monitor tool would
    help prove this
    2. Our firewall is crap or buggy.
    3. I am misreading the log files.
    4. All of the above :)

    I'm also confused why we never experienced this under Win2k. I find it hard
    to believe that all this just started to happen at the same time we moved
    from Win2k to Win2003.

    Lastly, we have cache corruption protection enabled, and allow secure
    updates only.

    Here's what was appearing in the DNS Event Log.
    Meanwhile, in the DNS debug log file we were seeing the following:

    10:23:10 958 PACKET UDP Rcv 216.73.85.10 3776 R Q [0084 A NOERROR]
    (2)ad(11)doubleclick(3)net(0)
    UDP response info at 007F1A00
    Socket = 400
    Remote addr 216.73.85.10, port 53
    Time Query=70057, Queued=0, Expire=0
    Buf length = 0x0500 (1280)
    Msg length = 0x0184 (388)
    Message:
    XID 0x3776
    Flags 0x8400
    QR 1 (RESPONSE)
    OPCODE 0 (QUERY)
    AA 1
    TC 0
    RD 0
    RA 0
    Z 0
    RCODE 0 (NOERROR)
    QCOUNT 1
    ACOUNT 1
    NSCOUNT 8
    ARCOUNT 9
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name "(2)ad(11)doubleclick(3)net(0)"
    QTYPE A (1)
    QCLASS 1
    ANSWER SECTION:
    Offset = 0x0024, RR count = 0
    Name "[C00C](2)ad(11)doubleclick(3)net(0)"
    TYPE CNAME (5)
    CLASS 1
    TTL 900
    DLEN 9
    DATA (2)ad(3)3ad[C00F](11)doubleclick(3)net(0)
    AUTHORITY SECTION:
    Offset = 0x0039, RR count = 0
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)eqva3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x0051, RR count = 1
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)uuny3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x0069, RR count = 2
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)uuny3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x0081, RR count = 3
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)uuva3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x0099, RR count = 4
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)uuva3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x00b1, RR count = 5
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)anny3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x00c9, RR count = 6
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)anny3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x00e1, RR count = 7
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
    TYPE NS (2)
    CLASS 1
    TTL 3600
    DLEN 12
    DATA (9)eqva3dns1[C00F](11)doubleclick(3)net(0)
    ADDITIONAL SECTION:
    Offset = 0x00f9, RR count = 0
    Name "(0)"
    TYPE OPT (41)
    CLASS 4096
    TTL 0
    DLEN 0
    DATA (none)
    Offset = 0x0104, RR count = 1
    Name "[C045](9)eqva3dns2[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 216.73.87.12
    Offset = 0x0114, RR count = 2
    Name "[C05D](9)uuny3dns1[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 206.65.183.12
    Offset = 0x0124, RR count = 3
    Name "[C075](9)uuny3dns2[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 206.65.183.13
    Offset = 0x0134, RR count = 4
    Name "[C08D](9)uuva3dns1[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 65.205.8.11
    Offset = 0x0144, RR count = 5
    Name "[C0A5](9)uuva3dns2[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 65.205.8.12
    Offset = 0x0154, RR count = 6
    Name "[C0BD](9)anny3dns1[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 216.73.86.11
    Offset = 0x0164, RR count = 7
    Name "[C0D5](9)anny3dns2[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 216.73.86.12
    Offset = 0x0174, RR count = 8
    Name "[C0ED](9)eqva3dns1[C00F](11)doubleclick(3)net(0)"
    TYPE A (1)
    CLASS 1
    TTL 86400
    DLEN 4
    DATA 216.73.87.11

    10:23:10 958 EVENT The DNS server encountered an invalid domain name in a
    packet from 216.73.85.10.
    The packet will be rejected.
    The event data contains the DNS packet.
    10:23:10 958 EVENT The DNS server encountered an invalid domain name in a
    packet from 216.73.85.10.
    The packet will be rejected.

    Craig
     
    Craig Matchan, Dec 7, 2004
    #18
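Added here as an example, not code from the thread, from Microsoft or from any poster: a small Python parser for the debug-log layout Craig quoted above (a PACKET line followed later by its "Remote addr" line). It flags names the server would reject with event 5504 (length byte not matching the label, label over 63 octets, characters outside the hostname rules, including the underscore Ace mentions), tallies peers using a port other than 53 (the Messenger port 1026 Craig found), and decodes the event 9999 Data field Dan posted. The sample log lines are constructed, and the regexes assume the log layout shown in the thread.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Windows DNS debug log quoted in the
# thread (a PACKET line followed later by its "Remote addr" line); not real traffic.
SAMPLE_LOG = """\
10:23:10 958 PACKET UDP Rcv 216.73.85.10 3776 R Q [0084 A NOERROR] (2)ad(11)doubleclick(3)net(0)
Remote addr 216.73.85.10, port 53
10:23:11 958 PACKET UDP Rcv 216.73.85.10 3777 R Q [0084 A NOERROR] (2)ad(7)bad_box(3)net(0)
Remote addr 216.73.85.10, port 1026
10:23:12 958 PACKET UDP Rcv 10.0.0.25 0041   Q [0001   D NOERROR] (4)host(4)corp(3)lan(0)
Remote addr 10.0.0.25, port 1026
"""

PACKET_RE = re.compile(r"^\d\d:\d\d:\d\d \S+ PACKET (?:UDP|TCP) (?:Snd|Rcv) "
                       r"(?P<ip>[\d.]+) \S+ .*?\[[^\]]*\]\s*(?P<name>\S+)$")
REMOTE_RE = re.compile(r"^Remote addr (?P<ip>[\d.]+), port (?P<port>\d+)$")
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")  # RFC 1123 label

def check_name(wire_name):
    """Reasons the Windows DNS server would reject this name with event 5504.
    Labels are written '(len)text'; [C00C]-style compression pointers are dropped
    because the log already prints the expanded name after them."""
    problems = []
    labels = re.findall(r"\((\d+)\)([^(]*)", re.sub(r"\[[0-9A-Fa-f]{4}\]", "", wire_name))
    for length, text in labels:
        if int(length) != len(text):
            problems.append(f"length byte {length} does not match label {text!r}")
        elif len(text) > 63:
            problems.append(f"label too long: {text!r}")
        elif text and not HOST_LABEL.match(text):  # underscore fails here, as the thread notes
            problems.append(f"illegal character in label: {text!r}")
    return problems

def analyze(log_text):
    """Pair each PACKET line with its later 'Remote addr' line; report names that
    would raise 5504 and peers talking on a port other than 53 (UDP 1026 in the thread)."""
    bad_names, odd_ports, pending = [], Counter(), None
    for line in map(str.strip, log_text.splitlines()):
        if m := PACKET_RE.match(line):
            pending = (m["ip"], m["name"])
        elif (r := REMOTE_RE.match(line)) and pending:
            ip, name = pending
            if problems := check_name(name):
                bad_names.append((ip, name, problems))
            if int(r["port"]) != 53:
                odd_ports[(ip, int(r["port"]))] += 1
            pending = None
    return bad_names, odd_ports

def suppressed_events(data_hex):
    """Event 9999's Data field ('8e 08 00 00') is a little-endian DWORD holding
    the number of events suppressed in the last 15-minute interval."""
    return int.from_bytes(bytes.fromhex(data_hex), "little")
```

Run against a real dnsdebug log, `analyze` gives you the source addresses to check at the firewall and the names to chase back to a client; Dan's two 9999 events decode to 2190 and 3332 suppressed events per interval.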
  19. Ace Fekay [MVP]

    That IP is one of doubleclick.net's. I remember this being discussed in
    another post, and is causing all your 5504 errors. Their DNS servers are
    misconfigured. If I were you, I would block ALL OF THE FIVE
    doubleclick.net's addresses (below) at your firewall. Apparently there are
    still machines internally that are sending out queries to them. Re-check for
    malware using Adware or Spybot. Run a proactive solution on your machines to
    eliminate malware before it can get installed, such as Adaware Pro.
    Non-authoritative answer:
    doubleclick.net nameserver = ns1.doubleclick.net
    doubleclick.net nameserver = ns2.doubleclick.net
    doubleclick.net nameserver = ns3.doubleclick.net
    doubleclick.net nameserver = ns4.doubleclick.net
    doubleclick.net internet address = 216.73.92.112

    doubleclick.net nameserver = ns1.doubleclick.net
    doubleclick.net nameserver = ns2.doubleclick.net
    doubleclick.net nameserver = ns3.doubleclick.net
    doubleclick.net nameserver = ns4.doubleclick.net
    ns1.doubleclick.net internet address = 216.73.86.10
    ns2.doubleclick.net internet address = 216.73.87.10
    ns3.doubleclick.net internet address = 216.73.85.10
    ns4.doubleclick.net internet address = 216.73.81.10

    Ace
     
    Ace Fekay [MVP], Dec 8, 2004
    #19
  20. Craig Matchan

    Hi Ace,

    yep, we have done a few things now

    1. Blocked Windows Messenger traffic at the firewall
    2. Blocked the doubleclick.net DNS servers. I think I have excluded
    something like 12 of their DNS servers now.
    3. Configured our internal DNS server to forward any non-internal domain
    queries to our ISP's DNS server
    4. Configured the firewall to only allow our internal DNS server to accept
    traffic from our ISP's DNS server.

    All of these steps have resulted in no more 5504 events.

    We are about to purchase Ad-Ware Pro. Anyone have any comments on any
    alternatives for background spyware/malware solutions and how they compare
    to Ad-Ware Pro?

    Craig
     
    Craig Matchan, Dec 8, 2004
    #20