Very odd DNS error in Windows 2000 server

Jay_2

The DNS server encountered an invalid domain name in a packet from 127.0.0.1. The packet is rejected.

It started with 192.168.xxx.16 sending one packet and it being rejected, then I get a load of the above errors.
 
That's a weird one.

Did the local IP of the server change?

Is the NIC config'ed to point to itself?

EDIT: Starting to think it's not something like that though.... I'll have to think on this.
 
I don't think it will change anything, but try the actual local IP for the DNS instead of the loopback and see if anything changes.

Check A records and see if anything is obviously amiss.

EDIT: Are there dual NICs in the server?
 
As it's never been a problem before, I don't really want to change the IP of the loopback.

One thing that has been an issue is that my ISP had a huge outage all over the country. I wonder if it's affected my DNS server?

And yes, 2 NICs.
 
Anything strange with dcdiag?

Any errors on nslookup?

Flush the cache, restart, and see if the errors continue.

Where are you seeing this event logged (DNS event log I assume)?

Any codes?
 
One thing that has been an issue is that my ISP had a huge outage all over the country. I wonder if it's affected my DNS server?

Maybe they had DNS server issues. Try taking their DNS out of your forwarders (then flush cache) and set one of the public DNS servers as a forwarder. Try 4.2.2.1 as a test for your forwarder and see if you still get the errors.
 
Have you been here already?

http://support.microsoft.com/Default.aspx?kbid=838969

EDIT: lol... friggin' Microsoft....

"Note Microsoft recommends that you do not ignore the warnings in the DNS log. Sometimes a warning may be false because a DNS forwarder may not be configured correctly. However, there is currently no way to determine whether the warning is accurate or not."

EDIT #2: I looked at my 2000 server and \system32\dns.exe is dated 10-17-2007, much newer than the hotfix. Not sure where that came from, I think it would have been in an auto update since the server was built long ago.
 
I have given the server a restart. I am wondering if the ZoneAlarm firewall had gone a little bit screwy.
 
Could be I guess.

Try applying all updates. There is a post SP4 rollup update too.

Then try changing forwarders with a cache flush and see how it goes.
 
Will do. I'll do one at a time. If it comes back I'll change the forwarder etc. I'll report back, thanks.
 
Will do. I'll do one at a time. If it comes back I'll change the forwarder etc. I'll report back, thanks.

Yep, good luck.
Probably nothing to worry about.

Might be fun to call the ISP and ask if they had any DNS issues. I always have DNS poisoning in the back of my mind when I see wacky DNS stuff too. I just saw an article somewhere about how the bad guys are getting better at tampering with DNS.

Just something fun to think about. :)
 
It started with 192.168.xxx.16 sending one packet and it being rejected, then I get a load of the above errors.

I had some other thoughts on this.....

Anything fishy going on with that IP (that I assume is a workstation)?

Try shutting it down and see if the DNS errors are still logged.

Any torrent or spyware activity on the network?
 
There should be no torrent or spyware (you can never be 100% sure on the spyware side).

The guy at 192.168.xxx.16 is a pain in the arse and has had a warning about using torrents on the company network.

What are you thinking?
 