Re: Oops, here's the link - Re: Event ID: 5504

From: Craig Matchan (cwigster_at_nospam.swiftdsl.com.au)
Date: 12/07/04


Date: Tue, 7 Dec 2004 18:55:16 +1100

Hi,

I'll dig up one of the DNS debug logs and post an extract (actually I had
one handy and an extract is at the end of the message). We did in fact find
some staff PCs infected with some malware which has since been removed. This
has reduced the rate of 5504 events, however some were still being logged,
and yes, they were all doubleclick DNS server addresses.

Going through the DNS debug log I noticed that not all the entries were on
port 53, some were on 1026 which apparently MS Messenger uses. A quick look
on the net showed that spammers are exploiting UDP port 1026 via MS
Messenger to display pop-up ads and so on. We have now blocked this port.
And taking a leaf out of some of the other posts we have blocked access to
the doubleclick DNS servers as well, well at least the ones that were being
identified in the log files.

Since taking these steps the 5504 events have stopped...we'll just monitor
it for the next few days or so.

What still has me a little confused is that our internal DNS server is not
accessible from the outside. It is not NATed, it is not referenced from our
external DNS server, yet there were queries being logged by it from external
addresses. I can only surmise at this point that either

1. The addresses are spoofed. I suppose a decent network monitor tool would
help prove this.
2. Our firewall is crap or buggy.
3. I am misreading the log files.
4. All of the above :)

I'm also confused why we never experienced this under Win2k. I find it hard
to believe that all this just started to happen at the same time we moved
from Win2k to Win2003.

Lastly, we have cache corruption protection enabled, and allow secure
updates only.

Here's what was appearing in the DNS Event Log:

>DNS 5504 The DNS server encountered an invalid domain name in a packet from
>216.73.85.10. The packet will be rejected. The event data
> contains the DNS packet.

Meanwhile, in the DNS debug log file we were seeing the following:

10:23:10 958 PACKET UDP Rcv 216.73.85.10 3776 R Q [0084 A NOERROR] (2)ad(11)doubleclick(3)net(0)
UDP response info at 007F1A00
  Socket = 400
  Remote addr 216.73.85.10, port 53
  Time Query=70057, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x0184 (388)
  Message:
    XID 0x3776
    Flags 0x8400
      QR 1 (RESPONSE)
      OPCODE 0 (QUERY)
      AA 1
      TC 0
      RD 0
      RA 0
      Z 0
      RCODE 0 (NOERROR)
    QCOUNT 1
    ACOUNT 1
    NSCOUNT 8
    ARCOUNT 9
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name "(2)ad(11)doubleclick(3)net(0)"
      QTYPE A (1)
      QCLASS 1
    ANSWER SECTION:
    Offset = 0x0024, RR count = 0
    Name "[C00C](2)ad(11)doubleclick(3)net(0)"
      TYPE CNAME (5)
      CLASS 1
      TTL 900
      DLEN 9
      DATA (2)ad(3)3ad[C00F](11)doubleclick(3)net(0)
    AUTHORITY SECTION:
    Offset = 0x0039, RR count = 0
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)eqva3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x0051, RR count = 1
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)uuny3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x0069, RR count = 2
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)uuny3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x0081, RR count = 3
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)uuva3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x0099, RR count = 4
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)uuva3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x00b1, RR count = 5
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)anny3dns1[C00F](11)doubleclick(3)net(0)
    Offset = 0x00c9, RR count = 6
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)anny3dns2[C00F](11)doubleclick(3)net(0)
    Offset = 0x00e1, RR count = 7
    Name "[C033](3)3ad[C00F](11)doubleclick(3)net(0)"
      TYPE NS (2)
      CLASS 1
      TTL 3600
      DLEN 12
      DATA (9)eqva3dns1[C00F](11)doubleclick(3)net(0)
    ADDITIONAL SECTION:
    Offset = 0x00f9, RR count = 0
    Name "(0)"
      TYPE OPT (41)
      CLASS 4096
      TTL 0
      DLEN 0
      DATA (none)
    Offset = 0x0104, RR count = 1
    Name "[C045](9)eqva3dns2[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 216.73.87.12
    Offset = 0x0114, RR count = 2
    Name "[C05D](9)uuny3dns1[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 206.65.183.12
    Offset = 0x0124, RR count = 3
    Name "[C075](9)uuny3dns2[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 206.65.183.13
    Offset = 0x0134, RR count = 4
    Name "[C08D](9)uuva3dns1[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 65.205.8.11
    Offset = 0x0144, RR count = 5
    Name "[C0A5](9)uuva3dns2[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 65.205.8.12
    Offset = 0x0154, RR count = 6
    Name "[C0BD](9)anny3dns1[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 216.73.86.11
    Offset = 0x0164, RR count = 7
    Name "[C0D5](9)anny3dns2[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 216.73.86.12
    Offset = 0x0174, RR count = 8
    Name "[C0ED](9)eqva3dns1[C00F](11)doubleclick(3)net(0)"
      TYPE A (1)
      CLASS 1
      TTL 86400
      DLEN 4
      DATA 216.73.87.11

10:23:10 958 EVENT The DNS server encountered an invalid domain name in a
packet from 216.73.85.10.
The packet will be rejected.
The event data contains the DNS packet.
10:23:10 958 EVENT The DNS server encountered an invalid domain name in a
packet from 216.73.85.10.
The packet will be rejected.

Craig
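The post's open question is whether the external addresses in the debug log are spoofed, a firewall problem, or a misreading of the log. The following is an added example, not Craig's code or Microsoft's, that mechanically does the triage described in the thread: it parses the Windows DNS debug log layout quoted above, separates outbound queries (Snd) from received responses (Rcv with the "R" marker, the "UDP response info" blocks), lists responses that arrived from a remote port other than 53, and flags received responses for which no outbound query with the same address and XID appears earlier in the captured text. The sample log is constructed to mirror the quoted format; only 216.73.85.10 and the ad.doubleclick.net name come from the post, while the other addresses, XIDs, timestamps and the port-1026 entry are made up. A response flagged as unmatched only means the corresponding query was not in the excerpt, which is a useful caveat when an extract starts mid-log.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Windows Server 2003 DNS debug log
# quoted in the post. Addresses other than 216.73.85.10, the XIDs, timestamps
# and the port-1026 entry are invented for illustration.
SAMPLE_LOG = """\
10:23:10 958 PACKET UDP Rcv 216.73.85.10 3776 R Q [0084 A NOERROR] (2)ad(11)doubleclick(3)net(0)
UDP response info at 007F1A00
  Socket = 400
  Remote addr 216.73.85.10, port 53
10:23:10 958 EVENT The DNS server encountered an invalid domain name in a packet from 216.73.85.10.
The packet will be rejected.
The event data contains the DNS packet.
10:23:11 958 PACKET UDP Snd 198.51.100.7 1a2b   Q [0001 D NOERROR] (3)www(7)example(3)com(0)
UDP question info at 007F1B00
  Socket = 400
  Remote addr 198.51.100.7, port 53
10:23:11 958 PACKET UDP Rcv 198.51.100.7 1a2b R Q [0084 A NOERROR] (3)www(7)example(3)com(0)
UDP response info at 007F1C00
  Socket = 400
  Remote addr 198.51.100.7, port 1026
10:23:12 958 EVENT The DNS server encountered an invalid domain name in a packet from 198.51.100.7.
The packet will be rejected.
"""

# "PACKET <proto> <Rcv|Snd> <addr> <xid> [R] Q [<flags>] <wire name>"
# The "R" after the XID marks a response; a query leaves that column blank.
PACKET_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+PACKET\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<addr>\S+)\s+(?P<xid>[0-9a-fA-F]+)\s+"
    r"(?P<resp>R?)\s*Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<name>\S+)\s*$"
)
REMOTE_RE = re.compile(r"^\s*Remote addr (?P<addr>\S+), port (?P<port>\d+)")
EVENT_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+EVENT The DNS server encountered an "
    r"invalid domain name in a packet from (?P<addr>\d+(?:\.\d+){3})"
)


def wire_name_to_dotted(wire):
    """Turn the log's '(2)ad(11)doubleclick(3)net(0)' form into 'ad.doubleclick.net'."""
    labels = [label for _, label in re.findall(r"\((\d+)\)([^()]*)", wire) if label]
    return ".".join(labels)


def parse_debug_log(text):
    """Return (packets, events); the 'Remote addr' line is attached to the preceding packet."""
    packets, events = [], []
    current = None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            current = {
                "time": m["time"], "proto": m["proto"], "dir": m["dir"],
                "addr": m["addr"], "xid": m["xid"].lower(),
                "is_response": m["resp"] == "R", "flags": m["flags"],
                "name": wire_name_to_dotted(m["name"]), "port": None,
            }
            packets.append(current)
            continue
        m = REMOTE_RE.match(line)
        if m and current is not None:
            current["port"] = int(m["port"])
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append({"time": m["time"], "addr": m["addr"]})
    return packets, events


def summarize(text):
    """Triage a debug-log extract: who sent responses, from which ports, and which had no query."""
    packets, events = parse_debug_log(text)
    outstanding = set()            # (remote addr, xid) of queries this server sent
    responses_received = Counter()
    nonstandard_ports = []
    unsolicited = []
    for p in packets:
        key = (p["addr"], p["xid"])
        if p["dir"] == "Snd" and not p["is_response"]:
            outstanding.add(key)
        elif p["dir"] == "Rcv" and p["is_response"]:
            responses_received[p["addr"]] += 1
            if p["port"] is not None and p["port"] != 53:
                nonstandard_ports.append((p["addr"], p["port"]))
            if key in outstanding:
                outstanding.discard(key)
            else:
                # No matching outbound query in the captured window: worth a
                # sniffer check, but an excerpt may simply start after the query.
                unsolicited.append((p["addr"], p["xid"], p["name"]))
    return {
        "packets": len(packets),
        "responses_received": dict(responses_received),
        "nonstandard_ports": nonstandard_ports,
        "unsolicited_responses": unsolicited,
        "reject_events": dict(Counter(e["addr"] for e in events)),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against a real extract, the "nonstandard_ports" list is the quickest way to confirm the port-1026 observation from the post, and comparing "reject_events" with "responses_received" shows whether every 5504 lines up with a response the server itself solicited.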
