Microsoft windows dns server service 5504

General discussion

Symptom

A DNS server may frequently record the Event ID 5504 error in the event log:

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
User: N/A
Computer: Computer_name
Description: The DNS server encountered an invalid domain name in a packet from IP_Address .
The packet is rejected.

Cause

Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.

1. The DNS cache becomes corrupt with invalid domain names.

2. The DNS Server receives a spoofed response.

3. The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (Period), and - (Hyphen).

4. The DNS Server has been configured with invalid forwarders.

5. The network the DNS server resides on is busy or not working properly.

Resolution

The following are general troubleshooting steps for this issue:

1. Secure the DNS cache against pollution.

a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.

b) Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.

c) After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.

2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers. To view the forwarders, please perform the following steps:

a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.

b) Click the Forwarders tab to view the existing forwarders.

3. Some third party DNS servers may be using records of a type that aren’t supported by Windows DNS servers, such as the DNAME resource record.

920162 Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record

4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.

dnscmd /Config /EnableEDnsProbes 0

More Information

DNS Best Practices

Applies to

  • Windows Server® 2003 operating system
  • Windows Server® 2008 operating system
  • Windows Server® 2008 R2 operating system

All replies

I’m not sure whether this is the appropriate place to add this but — a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).

DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”

The domain name in the response was the same as that in the query, and looks OK.

The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).

http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:


Suppose that an authoritative server has an A RR but has no AAAA RR for a host name. Then, the server should return a response to a query for an AAAA RR of the name with the response code (RCODE) being 0 (indicating no error) and with an empty answer section (see Sections 4.3.2 and 6.2.4 of [1]). Such a response indicates that there is at least one RR of a different type than AAAA for the queried name, and the stub resolver can then look for A RRs.
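For triaging the packet that event 5504 attaches as event data, the following added example (not code from this thread or from Microsoft) parses a raw DNS message and reports the conditions named in the post and reply above: label characters outside 0-9, a-z, A-Z and hyphen, a DNAME record, an EDNS OPT record, and an A record answering an AAAA question. The function names and the sample packet are constructed for illustration, and the checks mirror the causes listed on this page, not the DNS server's own validation logic.

```python
import struct

ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
FLAGGED = {39: "DNAME record present", 41: "EDNS OPT record present"}

def read_name(msg, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                         # root label ends the name
            return labels, (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n])
            off += 1 + n

def triage(msg):
    """List which of the causes discussed on this page a raw DNS message shows."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    found, names, qtypes, off = set(), [], set(), 12
    for _ in range(qd):
        labels, off = read_name(msg, off)
        qtypes.add(struct.unpack("!H", msg[off:off + 2])[0])
        names.append(labels)
        off += 4                             # skip QTYPE + QCLASS
    for i in range(an + ns + ar):
        labels, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        names.append(labels)
        off += 10 + rdlen                    # fixed RR header + RDATA
        if rtype in FLAGGED:
            found.add(FLAGGED[rtype])
        if i < an and rtype == 1 and qtypes == {28}:
            found.add("A record in answer to an AAAA question")
    if any(not set(l) <= ALLOWED for labels in names for l in labels):
        found.add("label outside 0-9, a-z, A-Z, hyphen")
    return sorted(found)

# Constructed sample: AAAA question for host.example answered with an A record.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
          + b"\x04host\x07example\x00" + struct.pack("!2H", 28, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
print(triage(SAMPLE))
```

The input is the raw DNS message bytes (for example, the event's binary data or a payload exported from a capture); a truncated message raises an exception rather than returning findings.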

Question

At about 13:00, event 5504 appears in the DNS log:

На DNS-сервере обнаружено недопустимое имя домена в пакете от 8.8.8.8. Пакет будет отклонен. В данных события содержится пакет DNS.

20 entries (5504), and then a warning with code 3000 appears:

DNS-сервер обнаружил значительное число событий времени выполнения. Чтобы определить причину возникновения этих событий, обратитесь к записям журнала DNS-сервера, предшествовавшим этим событиям. Для предотвращения переполнения журнала DNS-cервера, последующие события с кодом события больше 3000 будут подавляться, пока события не перестанут возникать со столь высокой частотой.

During all this time users have no internet access, because a query for, say, mail.ru returns the IP 10.0.0.1 (the same IP is returned for all queries (google, yandex, etc.)).

After restarting the service, DNS works, but returns IPs unreliably:

Meanwhile, NSLOOKUP run against 8.8.8.8 from this same server always returns the correct address, without timeouts, while NSLOOKUP against my DNS sometimes returns an IP and sometimes does not.

Has anyone run into a similar situation? I no longer know where to dig.

All replies

It is very likely that you have come under an attack aimed at "polluting" the DNS cache with incorrect records, using IP spoofing (i.e. the source address is forged, and packets supposedly from Google's public DNS 8.8.8.8 are actually sent from an entirely different host). The attack reaches your internal DNS server because the NAT gateway, for some reason, translates DNS packets arriving on its external interface to your server: either the DNS server is published (for example, placed in the "DMZ", in which case all unrecognized packets from the external interface are translated to your server), or because at the moment the packet arrives the gateway holds an active NAT association for the reverse translation (and there can be many such associations, since your DNS server forwards queries to 8.8.8.8).

In your particular case I recommend

a) checking that there is no unnecessary publishing on the NAT gateway;

b) removing 8.8.8.8 from the list of servers to which queries are forwarded: in that case the associations through which the attack is possible will not be created;

It is of course possible (although in this situation it seems unlikely to me) that the attack is being carried out by a malicious host on your internal network. You can protect against this attack by carrying out item b), and if that does not help, by blocking packets with source address 8.8.8.8 in the firewall (even the built-in one will do). You can find the source by the source MAC address of the Ethernet frames carrying the malicious IP packets; this requires a network analyzer (sniffer) such as Microsoft Network Monitor or Wireshark.
