Windows AD DNS: Event ID 5504
While still trying to track this down, the 5504 errors stopped appearing... I guess it may have been something running on a particular client machine hitting the DNS server in question. Hard to say.
Some additional info can be found in this TechNet forums thread.
Chris_K
Updated on September 17, 2022
Comments
-
Chris_K over 1 year
Two of my AD controllers (both running DNS service) appear to be having a similar issue. Both are throwing lots of events in the DNS events that look like this:
Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 5/24/2010
Time: 11:51:38 AM
User: N/A
Computer: ALPHA
Description: The DNS server encountered an invalid domain name in a packet from 76.74.137.6. The packet will be rejected. The event data contains the DNS packet.
That will come with the same event, same time, with a packet from 76.74.137.7 as well. I know this is "Information" not an error, but since it is new and different it bothers me (yes, I fear unexplained change!)
Both machines are running Windows 2003 R2 SP2. The DNS servers are not exposed to the internet.
Both DNS servers are configured to use OpenDNS for Forwarders.
For both servers, this started about a week ago.
Any thoughts on:
1) should I be concerned?
2) how can I stop/fix this?
To keep it interesting, I have a 3rd AD / DNS box. Same domain, different Active Directory site. Same forwarders, yet doesn't have this issue.
[Update]
On a whim, I changed the forwarders on one of the DNS servers to use Google's public DNS (8.8.8.8 and 8.8.4.4) instead of OpenDNS. Didn't change anything, so I think I can eliminate the forwarders as the cause.
-
Philip almost 14 years
Do any of your machines connect over a VPN to your network?
-
Chris_K almost 14 years
@Chris - Our employees all have the ability to connect over a VPN to our network (using Windows native client and a win2k3 RAS server).
-
Chris_K almost 14 years
I can confirm that the "Secure cache against pollution" check box was already selected. (more here on that topic: support.microsoft.com/default.aspx?scid=kb;en-us;241352)
-
Chris_K almost 14 years
All 3 AD/DNS boxes are on private IPs, but all 3 are using OpenDNS for Forwarders. (Does that answer the question?)
-
Alex almost 14 years
Close. Then check the "smart cache" settings and "network shortcuts" over at OpenDNS under the IP address of the subnet for that DNS server. I'm assuming you have multiple IP settings over at OpenDNS.
-
Chris_K almost 14 years
Gotcha. First two are in an OpenDNS "named" network. Smart cache is off and there are no network shortcuts. 3rd AD is not in a named OpenDNS network so definitely none of the above there.
-
Alex almost 14 years
Then the only thing I can think of would be packet loss to the troubled server. And you are sure OpenDNS are the only forwarders set up on that server? For the heck of it, can you add "ns1.vpsville.ca" in the OpenDNS white list?
-
Alex almost 14 years
Or to the blacklist if not needed.
-
Chris_K almost 14 years
@Saif - I don't think it is an OpenDNS related issue. I changed one of the servers to use Google's DNS servers as forwarders and still see the same events.
-
Chris_K almost 14 years
Once I figure out who is initiating the DNS request (so I know when to expect it) I plan to sniff out the packets and see what's going on. Could just be a DNS record that 2k3 can't handle. Maybe.
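
An added example, not part of the original thread: one way to inspect the packet that event 5504 keeps in its event data (or a sniffed copy), assuming those bytes are the raw DNS message starting at the 12-byte header. It walks every name, following compression pointers, and lists those containing bytes outside letters, digits, hyphen and underscore; that criterion is an assumption, since the thread never establishes what the server rejected, and the function names and sample packet are constructed.

```python
import struct

# Assumption: bytes outside this set are what makes a name worth a closer look.
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")
NAME_RDATA = {2: "NS", 5: "CNAME", 12: "PTR"}  # record types whose RDATA is a single name

def read_name(pkt, off):
    """Decode a (possibly compressed) name; return (labels, offset just past the name)."""
    labels, end = [], None
    for _ in range(256):                           # bounded walk, so pointer loops terminate
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end  # the name ends after the first pointer
            off = ((n & 0x3F) << 8) | pkt[off + 1]
        elif n & 0xC0:
            raise ValueError("reserved label type")
        elif n == 0:
            return labels, (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n])
            off += 1 + n
    raise ValueError("name too long or compression pointer loop")

def odd_names(pkt):
    """Return [(section, printable name)] for each name with a byte outside ALLOWED."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    off, found = 12, []
    def check(section, labels):
        if any(set(l) - ALLOWED for l in labels):
            found.append((section, ".".join(repr(l)[2:-1] for l in labels)))
    for _ in range(qd):
        labels, off = read_name(pkt, off)
        check("question", labels)
        off += 4                                   # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            labels, off = read_name(pkt, off)
            check(section, labels)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            if rtype in NAME_RDATA:                # the RDATA itself is a domain name
                check(section + " " + NAME_RDATA[rtype], read_name(pkt, off)[0])
            off += rdlen
    return found

# Constructed sample: response for www.example.test whose CNAME target contains a space.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
          + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, 11)
          + b"\x08bad name\xc0\x10")
```

Calling `odd_names()` on the saved packet bytes shows which section and record carried the odd name, which narrows down the lookup that triggers the event.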