Security Incidents mailing list archives

Re: DNS Messages


From: Bill Reamy <bill () STAFFNET COM>
Date: Thu, 30 Nov 2000 10:24:31 -0500

Steven,

  I've noticed similar errors many times and have experimented with
 packet sniffing the offending traffic. MS's DNS server has some
 serious problems with logging errors. In many cases the following
 will occur:

  1) bad dns request comes from x.x.x.x
  2) local dns server passes bad request along to root name server
     (or other authoritative dns server) y.y.y.y
  3) y.y.y.y responds, question section still contains a copy of
     the bad dns request.
  4) local ms dns finally checks validity of request, logs error
     as having come from y.y.y.y, _not_ x.x.x.x

  When this happens packet sniffing is the only way I've found to
 identify the actual offender.



On 29 Nov 00, at 11:40, Steven Bonici wrote:

Date sent:              Wed, 29 Nov 2000 11:40:32 -0500
Send reply to:          Steven Bonici <sbonici () GROUPEA COM>
From:                   Steven Bonici <sbonici () GROUPEA COM>
Subject:                DNS Messages
To:                     INCIDENTS () SECURITYFOCUS COM

We started to get some DNS warning messages on our NT PDC from an IP address
that we have no idea of who it is.  I would like to know if I should be...
...snip...
Windows Event Log Messages:
Source/Event ID:      DNS/5504
Message:              DNS Server encountered invalid domain name packet
from 216.190.200.2. Packet rejected
Source/Event ID:      DNS/5504
Message:              DNS Server encountered invalid domain name packet
from 216.190.200.2. Packet rejected
Source/Event ID:      DNS/5506
Message:              DNS Server encountered invalid domain name offset in
packet. Packet rejected
... snip ...

                          Bill Reamy
                           bill () staffnet com
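
Added example (not part of the original message): one way to do the packet-capture correlation described in steps 1-4 above, matching the question bytes echoed in the upstream reply back to the inbound query that carried them. The addresses, payloads and helper names are constructed for illustration, and it assumes queries carry only a question section.

```python
import struct

LOCAL = "192.0.2.53"        # constructed: the local DNS server
UPSTREAM = "203.0.113.1"    # constructed: y.y.y.y, the address named in the log

def name_is_valid(msg, off=12):
    """Walk the name at off; False on a reserved label type, bad pointer or overrun."""
    seen = set()
    while off < len(msg) and off not in seen:
        seen.add(off)
        length = msg[off]
        if length == 0:
            return True
        if length & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                return False
            off = ((length & 0x3F) << 8) | msg[off + 1]
            if off < 12:
                return False
        elif length & 0xC0:                            # reserved 0x40/0x80 label types
            return False
        else:
            off += 1 + length
    return False                                       # ran off the packet or looped

def find_originators(capture, logged_ip, local=LOCAL):
    """Return (time, src) of queries to `local` whose question section was echoed
    back in an invalid-name response from logged_ip. Assumes queries carry only
    a question section, so their bytes after the header prefix the response's."""
    echoed = [p[12:] for _, s, d, p in capture
              if s == logged_ip and d == local and len(p) > 12
              and p[2] & 0x80 and not name_is_valid(p)]
    return [(t, s) for t, s, d, p in capture
            if d == local and s != logged_ip and len(p) > 12
            and not p[2] & 0x80 and any(e.startswith(p[12:]) for e in echoed)]

def hdr(txid, flags):
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0)   # one question, no records

BAD = b"\x03www\xc0\xff\x00\x01\x00\x01"    # constructed: pointer to offset 255, past the packet
GOOD = b"\x07example\x03com\x00\x00\x01\x00\x01"
CAPTURE = [  # constructed (time, src, dst, DNS payload); transaction IDs differ per hop
    (1.0, "198.51.100.7", LOCAL, hdr(0x1111, 0x0100) + BAD),   # x.x.x.x sends bad request
    (1.1, LOCAL, UPSTREAM, hdr(0x2222, 0x0000) + BAD),         # forwarded unchecked
    (1.2, UPSTREAM, LOCAL, hdr(0x2222, 0x8001) + BAD),         # reply still echoes it
    (2.0, "198.51.100.9", LOCAL, hdr(0x3333, 0x0100) + GOOD),  # unrelated valid query
    (2.1, UPSTREAM, LOCAL, hdr(0x3334, 0x8000) + GOOD),
]

if __name__ == "__main__":
    print(find_originators(CAPTURE, UPSTREAM))
```

The match is on question bytes rather than the transaction ID because the forwarding server issues its own ID on the upstream hop.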

