Question
Monday, February 22, 2010 8:50 AM | 1 vote
Symptom
A DNS server may frequently record the Event ID 5504 error in the event log:
Event Type: Warning
Event Source: DNS
Event Category: None
Event ID: 5504
User: N/A
Computer: Computer_name
Description: The DNS server encountered an invalid domain name in a packet from IP_Address.
The packet is rejected.
Cause
Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.
1. The DNS cache becomes corrupt with invalid domain names.
2. The DNS Server receives a spoofed response.
3. The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (Period), and - (Hyphen).
4. The DNS Server has been configured with invalid forwarders.
5. The network the DNS server resides on is busy or not working properly.
Resolution
The following are general troubleshooting steps for this issue:
1. Secure the DNS cache against pollution.
a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.
b) Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.
c) After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.
2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers. To view the forwarders, please perform the following steps:
a) Open DNS Management snap-in and then open the Properties dialog for the DNS server.
b) Click the Forwarders tab to view the existing forwarders.
3. Some third-party DNS servers may be using records of a type that aren’t supported by Windows DNS servers, such as the DNAME resource record.
920162 Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162
4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.
dnscmd /Config /EnableEDnsProbes 0
More Information
Troubleshooting DNS
http://technet2.microsoft.com/WindowsServer/en/library/de2aa69d-1155-4dc9-a651-e836
DNS Best Practices
http://technet2.microsoft.com/WindowsServer/en/library/59d7a747-48dc-42cc-8986-c73d
Applies to
- Windows Server® 2003 operating system
- Windows Server® 2008 operating system
- Windows Server® 2008 R2 operating system
All replies (1)
Tuesday, April 21, 2015 9:59 AM | 1 vote
I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).
DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”
The domain name in the response was the same as that in the query, and looks OK.
The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).
http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:
Suppose that an authoritative server has an A RR but has no AAAA RR
for a host name. Then, the server should return a response to a
query for an AAAA RR of the name with the response code (RCODE) being
0 (indicating no error) and with an empty answer section (see
Sections 4.3.2 and 6.2.4 of [1]). Such a response indicates that
there is at least one RR of a different type than AAAA for the
queried name, and the stub resolver can then look for A RRs.
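Added example, not part of either post above and not Microsoft code: a small Python triage routine for the raw DNS packet that the event data carries, flagging the three packet-level conditions this thread mentions (characters outside the listed set, a DNAME record, and an answer whose type differs from the query type, as in the AAAA/A case). The names `read_name`, `triage` and `SAMPLE` are hypothetical, the sample packet is constructed, and getting the packet bytes out of the event is assumed to be done separately.

```python
import struct

# Characters the post's cause 3 lists as valid within a label (dots separate labels).
LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
TYPES = {1: "A", 5: "CNAME", 28: "AAAA", 39: "DNAME"}

def read_name(pkt, off):
    """Decode a possibly compressed name; return (labels, offset after the name)."""
    labels, end, hops = [], None, 0
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:                               # root label ends the name
            return labels, (off + 1 if end is None else end)
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("latin-1"))
            off += 1 + n

def triage(pkt):
    """Return a list of findings for one raw DNS response (bytes)."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    findings, names, off, qtype = [], {}, 12, None
    for _ in range(qd):
        labels, off = read_name(pkt, off)
        qtype = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4                                   # skip QTYPE and QCLASS
        names[".".join(labels)] = labels
    for _ in range(an):
        labels, off = read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen                          # skip fixed fields and RDATA
        names[".".join(labels)] = labels
        if rtype == 39:
            findings.append("DNAME record in answer")
        elif rtype not in (qtype, 5) and qtype != 255:
            findings.append("answer type %s does not match query type %s"
                            % (TYPES.get(rtype, rtype), TYPES.get(qtype, qtype)))
    findings += ["non-LDH character in name " + name
                 for name, labels in names.items() if any(set(l) - LDH for l in labels)]
    return findings

# Constructed sample: AAAA query for host.example.test answered with an A record.
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
          + b"\x04host\x07example\x04test\x00" + struct.pack("!2H", 28, 1)
          + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

A response with RCODE 0 and an empty answer section, the behaviour the RFC 4074 excerpt describes, produces no findings.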