
Yet Another DNS 5504 Event issue

Post by guest » Thu Aug 02, 2012 10:20 am

Two of my AD controllers (both running DNS service) appear to be having a similar issue. Both are throwing lots of events in the DNS events that look like this:

Event Type: Information
Event Source: DNS
Event Category: None
Event ID: 5504
Date: 5/24/2010
Time: 11:51:38 AM
User: N/A
Computer: ALPHA
Description:
The DNS server encountered an invalid domain name in a packet from 76.74.137.6. The packet will be rejected. The event data contains the DNS packet.

Immediately after that will come another event with a packet from 76.74.137.7 as well. They always come in pairs.

I know this is "Information" not an error, but since it is new and different it bothers me (yes, I fear unexplained change!)

Both machines are running Windows 2003 R2 SP2. The DNS servers are not exposed to the internet.
Both DNS servers were configured to use OpenDNS for Forwarders. I've also changed them to point to Google's public DNS servers with the same results.
For both servers, this started about a week ago.

Any thoughts on:
1) should I be concerned?
2) how can I stop/fix this?

To keep it interesting, I have a 3rd AD / DNS box. Same domain, different Active Directory site. Same forwarders yet doesn't have this issue.

I've seen the Forum FAQ on Troubleshooting 5504 issues. In response:

1. Secure Cache Against Pollution was already enabled
2. I believe my forwarders are valid or legit and not recursive. (or they certainly were for the past couple years at any rate)
3. I have not installed the mentioned hotfix. Since this just recently started, I'm hesitant to grab an older hotfix
4. I've run the suggested dnscmd with no change

Suggestions on how to proceed?

Re: Yet Another DNS 5504 Event issue

Post by guest » Thu Aug 02, 2012 10:21 am

So the VPN users or connections are ruled out.

If using a forwarder, EDNS0 support won't be required. I went down that road when I suggested to remove your forwarders and use the Root Hints to test this, and basically wanted to make sure you can resolve all domain names and resources on the internet. Lack of EDNS0 support will prevent resolution of some resources. Since you put your forwarders back in, it's a moot point now. But in the future, FWIW, you now know if you want to use the Root Hints, your firewall needs to support EDNS0.

I don't think any event log error is normal, but some may be more benign than others. As for your 5504s, I'm starting to lean to two things: an advertising domain using those name servers, and something in the name is illegal. Other than that, this is going to be difficult, unless you actually get some sniffing in. If it's around the clock, it may point to adware on a machine in your network. I'm not trying to add more to your plate, but this is just a suggestion that you may want to check your machines for malware, the kind many AVs don't catch. I've been using malwarebytes.org's free version, but they have a paid version that runs realtime.

Ace

--------------------------------------------------------------------------------
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer
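
Added example, not part of the original thread: since the 5504 event data contains the rejected DNS packet, one way to follow up on the "something in the name is illegal" theory without a sniffer is to decode that packet and list the names with unusual labels. It assumes the event data bytes (e.g. pasted as hex and converted with bytes.fromhex) begin at the DNS header, and it uses a letters/digits/hyphen/underscore rule as a stand-in, which is not necessarily the rule the Windows DNS server applies.

```python
import re
import struct

# Assumption: "legal" label = letters, digits, hyphen, underscore (not Windows' own rule).
LDH = re.compile(rb"[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?")

# Constructed sample: response for www.example.com whose CNAME target contains a space.
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
          b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x05\x00\x01\x00\x00\x00\x3c\x00\x0b"
          b"\x08bad name\xc0\x10")

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        n = msg[off]
        if n == 0:
            return labels, (off + 1 if end is None else end)
        if n & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg) or hops >= 32:
                raise ValueError("truncated pointer or compression loop")
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
        else:
            labels.append(msg[off + 1:off + 1 + n])
            off += 1 + n

def suspect_names(msg):
    """Return (where, name, bad_labels) for each name with a non-LDH label."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, found = 12, []
    def check(where, labels):
        bad = [l for l in labels if not LDH.fullmatch(l)]
        if bad:
            found.append((where, b".".join(labels), bad))
    for _ in range(qd):
        labels, off = read_name(msg, off)
        check("question", labels)
        off += 4                                  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        labels, off = read_name(msg, off)
        check("owner", labels)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        if rtype in (2, 5, 12):                   # NS, CNAME, PTR carry a name
            check("rdata", read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found
```

The question name in the decoded packet also shows what was being looked up, which helps when matching the events against client query logs or a later capture.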