Re: Event ID: 5504

From: Kevin D. Goodknecht Sr. [MVP] (admin_at_nospam.WFTX.US)
Date: 07/02/04 

Date: Fri, 2 Jul 2004 10:51:13 -0500

In news:FD1AC3B6-1FDF-461C-AD16-E102F2ADC391@microsoft.com,
InBan <InBan@discussions.microsoft.com> posted a question
Then Kevin replied below:
> I posted a similar question here:
>
>
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx?query=5504&dg=&cat=en&lang=en&cr=&pt=&catlist=&dglist=&ptlist=&exp=&mid=7918078e-64c2-4284-9966-856346c5e218
>
> I found that sniffing packets at my gateway to determine the request
> being sent to the root hints by our internal DNS servers revealed
> that the query being sent to the internet was a resolution request
> for the hostname LOCALHOST. DNS servers should never attempt to
> resolve this host name externally. It should always be resolved by
> the internal host file on the server which contains a record mapping
> localhost to 127.0.0.1 which is a loopback address.
>
> The article you posted regarding the hotfix has an insufficient
> amount of information about the issues cause. Is it to address this
> issue? I do not have 7063 messages in my event log. All other
> articles I have found regarding this message have been irrelevant to
> the situation.
>
> I have also found several posts on variouse forums looking for a
> resolution to this issue, noone has been able to provide a solution
> as of yet. This does adversely affect the server as the messages can
> quickly fill your DNS event log, which under times of normal activity
> is a relatively inactive log, and the DNS server is pre-occupied
> performing resolution attempts of this illegal host name.
>
> Part of what bothered me about this issue was the regularity of the
> messages, they seem to be almost exactly 15 minutes apart for a
> period of several days, then they subside for a month or more, then
> return at the same frequency.
>
> Any input would be greatly appreciated.
>
> Ian Bagnald
> Systems Administrator
> Focal Technologies Corporation
> Division of Kaydon Corporation
> MCSE:Security Windows 2000
> MCSA:Security Windows 2000
> COMPTIA A+

This may sound like a rhetorical question but, is there a localhost entry in
your hosts file on all machines?
 localhost shouldn't even go to the DNS server in the first place, it is
probably being sent to the DNS server by another machine with a corrupted
hosts file.

I did find a workaround, create a Forward Lookup zone named localhost and
put a blank (same as parent folder) record with IP 127.0.0.1.
I tested this, (see below) if I queried DNS for localhost it logged a 5504,
I created a localhost forward lookup zone and the blank host with IP
127.0.0.1 IP. Then I queried DNS for localhost, no events logged, and it
resolved to 127.0.0.1 by default DNS has a 127.in-addr.arpa. reverse lookup
zone.

Before.
> localhost
Server: kjweb.lsaol.com
Address: 192.168.0.2

*** kjweb.lsaol.com can't find localhost: Non-existent domain
> localhost
Server: kjweb.lsaol.com
Address: 192.168.0.2

Along with this DNS logged a 5504 event.

Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 7/2/2004
Time: 03:36:54
User: N/A
Computer: KJWEB
Description:
The DNS server encountered an invalid domain name in a packet from
199.5.157.128. The packet is rejected.

After
> localhost.
Server: kjweb.lsaol.com
Address: 192.168.0.2

Name: localhost
Address: 127.0.0.1

No event logged. 

-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
-- 
When responding to posts, please "Reply to Group"  via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
 http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
 http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
 http://www.oehelp.com/OEBackup/Default.aspx
==========================================

Relevant Pages

  • Re: Problem with local network
    ... Tim wrote: ... >>> Do you have this same hosts file on each PC? ... > I run my own DNS server, and rarely make use of the hosts file. ... > Since one of your comments related to RNDC not finding localhost, ...
    (Fedora)
  • Re: Problem with local network
    ... > Tim wrote: ... >> I run my own DNS server, and rarely make use of the hosts file. ... >> Since one of your comments related to RNDC not finding localhost, ...
    (Fedora)
  • Re: Event ID: 5504
    ... > localhost entry in forward lookup. ... > generated by a client, it is coming from the internal ... > it sends four queries to each root hint server to resolve ... DNS server would try to resolve a name unless it is asked to resolve it. ...
    (microsoft.public.win2000.dns)
  • Re: Problem with local network
    ... >> Do you have this same hosts file on each PC? ... > In answer to your previous response, the 'localhost' in /etc/hosts is ... I run my own DNS server, and rarely make use of the hosts file. ... may be because of a localhost DNS record issue rather than a hosts file ...
    (Fedora)
  • Re: Event ID 5504
    ... > spaces or underscores. ... > saying there is an invalid packet from my dns server. ... zone named localhost with a blank host with IP 127.0.0.1 stopped the 5504s. ...
    (microsoft.public.win2000.dns)