DNS Event ID 7063

Crazy Russian

Hi all,
I'm getting tons of Event ID 7063 in my DNS log. DNS is
running on a DC, DCDIAG shows no errors. DNS is configured with
2 forwarders, which do accept recursive queries (verified
with nslookup, d2 option set, answered "recursion avail.").
All events that are being logged come from totally
different IPs than those specified for forwarders; DNS is
configured to listen only on its own IP. DNS is behind a
firewall (ISA, I run split DNS). DNS IP is 192.168.0.4,
configured to forward to X.X.X.X and Y.Y.Y.Y, firewall
public IP is Z.Z.Z.Z, firewall internal IP is 192.168.0.1.
DNS server IP configuration: IP: 192.168.0.4; Default
Gateway: 192.168.0.1; DNS server: 192.168.0.4 (to itself).
I host all local domains on that DNS server and forward
all others to the ISP's DNS. Here are a couple of events:
1. The DNS server is configured to forward to a non-recursive DNS server at 198.6.1.65
I don't have that IP specified anywhere??? Why is it trying
to query it? Some other IPs:
202.96.75.65, 202.96.75.68
The forwarders I have set up in DNS begin with 140.99.x.x
Am I under some kind of DNS attack???
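The check the poster describes (nslookup with the d2 option, looking for "recursion avail.") is a read of the RA bit in the DNS response header, and Event ID 7063 is the DNS server noticing that bit is clear. The script below is an added example, not code from the thread: it builds a query with RD set, decodes the response header and classifies the answering server the way a forwarder check would. The three responses at the bottom are constructed so the classification runs offline; probe() sends a real query and needs network access. The transaction ID and query name are arbitrary choices for the example.

```python
import socket
import struct

# Added example: a minimal DNS client that asks with RD=1 and reports whether the
# server answered with RA=1 (recursion available). This is the check behind the
# poster's "nslookup, set d2" test and the condition behind Event ID 7063.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1234):
    """Standard query: QR=0, OPCODE=0, RD=1, one question (default A record)."""
    flags = 0x0100  # RD (recursion desired)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_header(packet):
    """Decode the 12-byte DNS header into its flag bits and section counts."""
    if len(packet) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the bit 7063 is about
        "rcode": RCODES.get(flags & 0x000F, "UNKNOWN"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_forwarder(response, expected_id):
    """Decide whether the responding server is usable as a forwarder."""
    h = parse_header(response)
    if h["id"] != expected_id:
        return "mismatched-id"      # not our answer; ignore (stray or spoofed packet)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "REFUSED":
        return "refused"            # server declined to serve us at all
    if h["ra"]:
        return "recursive"          # fine as a forwarder
    return "non-recursive"          # what Event ID 7063 complains about


def probe(server, name="www.example.com", timeout=3.0):
    """Send a real query over UDP/53 (needs network access; not used by the offline samples)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify_forwarder(data, 0x1234)


def _constructed_response(flags, txid=0x1234):
    """Header with the given flags plus the echoed question section (no answer RRs)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + build_query("www.example.com")[12:]


# Constructed responses for offline use:
RECURSIVE_RESPONSE = _constructed_response(0x8180)  # QR=1 RD=1 RA=1 NOERROR: a proper forwarder
REFERRAL_RESPONSE = _constructed_response(0x8100)   # QR=1 RD=1 RA=0: authoritative-only server
REFUSED_RESPONSE = _constructed_response(0x8105)    # QR=1 RD=1 RA=0 RCODE=REFUSED
```

Against a live server, `probe("4.2.2.2")` (the address suggested later in the thread) should return "recursive" for a server that is acceptable as a forwarder; "non-recursive" is exactly the condition that produces Event ID 7063 when that server is in the forwarder list.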
 
Crazy Russian said:
I'm getting tons of Event ID 7063 in my DNS log.

Hmm, this is a strange one. Changing forwarders usually fixes this. Try this:
delete your forwarders and use this one: 4.2.2.2. It could be your ISP's DNS
causing it; two of the DNS servers are in Canada and one is AUTH51.NS.UU.NET.

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
Thanks for the quick response, I'm trying it now... I just
don't understand where those queries are coming from and
why??? I have a whole bunch of IPs to post:
198.6.1.83
192.5.6.32
192.26.92.32
198.6.1.65
192.35.51.32
192.31.80.32
How the hell are they getting to me, or why the hell is my box
querying them??? I thought about blocking port 53 and
all DNS traffic at the firewall, allowing only my ISP's servers
to go through, but I don't know if that would do more harm than good.
Should queries from other servers be able to
pass through my firewall to my DNS server? When my DNS
queries my ISP's DNS, and the ISP's DNS does not have the answer,
does it instruct my server to query the "authoritative" server?
In that case, I can't block all DNS traffic.
Guys, any ideas are welcome!!
TIA
 
Changing forwarders did not help (I changed it to 4.2.2.2),
still getting loads of:
The DNS server is configured to forward to a non-recursive
DNS server at 198.6.1.83.

DNS servers in forwarders list MUST be configured to
process recursive queries.
Either
1) fix the forwarder (198.6.1.83) to allow recursion
- connect to it with DNS Manager
- bring up server properties
- open "Advanced" tab
- uncheck "Disable Recursion"
- click OK
OR
2) remove this forwarder from this servers forwarders
list
- DNS Manager
- bring up server properties
- open "Forwarders" tab
- remove (198.6.1.83) from list of forwarders
- click OK

I just have one forwarder set up: 4.2.2.2.... ARggggggggg
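The two posts above contain the raw material for a triage that is worth running before touching any setting: take every address named in a 7063 event, count it, and split the set into addresses that are configured forwarders and addresses that are not. A configured forwarder in the list is a genuine forwarder problem (the forwarder itself answered without RA). An address that was never configured as a forwarder cannot have been reached by forwarding, so the server must have reached it by resolving on its own; the thread's outcome (the events stopped once the server was told to use forwarders only) is consistent with that reading. The script below is an added example, not from the thread; the log lines are constructed from the event message text quoted above, and the configured forwarder list is an assumption for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Added example: triage of Event ID 7063 entries against the configured
# forwarder list. The log lines are constructed from the message text quoted
# in the thread; the forwarder list passed to triage() is an assumption.

EVENT_7063 = re.compile(
    r"configured to forward to a non-recursive DNS server at "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

SAMPLE_LOG = """\
Event ID 7063: The DNS server is configured to forward to a non-recursive DNS server at 198.6.1.65.
Event ID 7063: The DNS server is configured to forward to a non-recursive DNS server at 198.6.1.83.
Event ID 7063: The DNS server is configured to forward to a non-recursive DNS server at 192.5.6.32.
Event ID 7063: The DNS server is configured to forward to a non-recursive DNS server at 198.6.1.65.
Event ID 7063: The DNS server is configured to forward to a non-recursive DNS server at 4.2.2.2.
Event ID 4015: The DNS server has encountered a critical error from the Active Directory.
"""


def extract_7063_targets(log_text):
    """Count how often each address is named in a 7063 event (other events are ignored)."""
    return Counter(m.group("ip") for m in EVENT_7063.finditer(log_text))


def triage(log_text, configured_forwarders):
    """Split the 7063 targets into configured forwarders and everything else.

    configured_forwarder: the forwarder itself answered with RA=0; fix or replace it.
    not_a_forwarder: the server cannot have forwarded to this address, so it reached
    it on its own (root hints / iterative resolution) after the forwarders failed.
    """
    configured = {ip_address(f) for f in configured_forwarders}
    report = {"configured_forwarder": {}, "not_a_forwarder": {}}
    for ip, count in extract_7063_targets(log_text).items():
        bucket = "configured_forwarder" if ip_address(ip) in configured else "not_a_forwarder"
        report[bucket][ip] = count
    return report


def findings(report):
    """Name the problems the report shows, matching the two fixes discussed in the thread."""
    out = []
    if report["configured_forwarder"]:
        out.append("forwarder-non-recursive")    # replace the forwarder or enable recursion on it
    if report["not_a_forwarder"]:
        out.append("fallback-to-root-hints")     # forwarders failing; consider forwarders-only mode
    return out or ["no-7063-events"]
```

The distinction matters for the firewall question raised above: the "not_a_forwarder" addresses are destinations of outbound queries from the DNS server, not unsolicited inbound traffic, so an egress rule that only allows UDP/TCP 53 to the configured forwarders would silence them, at the cost of also blocking the fallback path the server is using.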
 
Crazy Russian said:
Changing forwarders did not help (I changed it to 4.2.2.2),

On the forwarder, check the box "Do not use recursion" and see if that stops it.
Then we will go from there.

Before I do that (of course there is another twist), I
need to reveal the rest of my setup: the problematic
server we were talking about is in Phoenix, AZ. I also
have offices in Nogales, AZ and Cerritos, CA. Phoenix is
connected to those two by point-to-point T1s; there are two
of them: Phoenix<->Cerritos and Phoenix<->Nogales. Phoenix
has a connection to the internet, and so does the Cerritos office:
Phoenix has a T1 and Cerritos has DSL. Nogales does not have a
direct connection to the internet. All 3 offices are in a
single forest, 2 domains: Phoenix and Nogales are one domain,
Cerritos another; but they are in the same forest. Phoenix
has one domain controller and one DNS, Cerritos has one
domain controller and one DNS, Nogales has two domain
controllers and one DNS. Nogales' DNS is configured with
Phoenix's DNS as forwarder. Cerritos' DNS is configured with
Phoenix's DNS as forwarder. So, Nogales and Cerritos query
Phoenix.
If I disable recursion in Phoenix, wouldn't that leave
Cerritos and Nogales DNS-less???
 
Crazy Russian said:
If I disable recursion in Phoenix, wouldn't that leave
Cerritos and Nogales DNS-less???

NO NO, you're not disabling recursion, you are telling DNS to use its forwarders
only. It sounds to me like that is what you want to do. But you must be
careful not to set up a DNS loop.
Instead of forwarding between these DNS servers I would use secondary DNS
zones.

What is Phoenix's forwarder?
If you want to resolve Cerritos' domain from Phoenix you should bring in a
secondary from Cerritos to the Phoenix DNS and put a secondary of Phoenix on
Cerritos. Then you don't need a forwarder between these two. Both domains
could be resolved from all three locations then.

Does Nogales get internet from Phoenix?
If it does then you should put a Cerritos secondary in Nogales; then Nogales
won't need to forward to Phoenix, you would just use Phoenix as Nogales'
gateway.
All this forwarding can get confusing and dangerously close to setting up a
DNS loop.

BTW, "Do not use recursion" on the Forwarders tab means the same as "Do not
use Root Hints".

That's exactly what I have: Cerritos has Phoenix's zone
as secondary, Phoenix and Nogales have Cerritos' zone as
secondary. Nogales uses Phoenix for forwarding, and so does
Cerritos (for external networks). Phoenix's DNS, in turn,
uses the ISP's DNS (or for that matter 4.2.2.2) as a forwarder.
So, I should be OK enabling "Do not use recursion";
actually, I should be OK disabling it everywhere, right?
Hold on, would that mean that if, for instance, Cerritos
needs to go to microsoft.com, it doesn't have that zone,
so it will "forward" the query to Phoenix; would Phoenix
query its forwarder with "Do not use recursion" enabled?
Crazy Russian said:
would Phoenix
query its forwarder with "Do not use recursion" enabled?

Yes, as I said, "Do not use recursion" means the same as "Do not use root
hints". Forwarding still works fine; root hints will not be used, only the
defined forwarders.

This IS NOT the same as "Disable recursion" on the Advanced tab; that
setting stops all forwarding and root hints.

Aahhhh, I got those 2 confused. Your statement made me dig
this up:
"Using forwarders exclusively (no recursion)
When a DNS server is configured to use forwarders, they
are used before any other means of resolving a name is
tried. If the list of forwarders fails to provide a
positive answer, a DNS server can attempt to resolve the
query itself using iterative queries and standard
recursion.

A server can also be configured to not perform recursion
after forwarders fail. In this configuration, the server
does not attempt any further recursive queries itself to
resolve the name. Instead, it fails the query if it does
not get a successful query response from any of the
forwarders.

This forces a DNS server to use its configured forwarders
exclusively to perform final resolution when resolving a
name query. In this mode of operation, a server configured
to use forwarders can still check in its configured zones
first to attempt to resolve a queried name. If it finds a
match in its authoritative data there, it can answer the
query based on that information.

To use this option, select the Do not use recursion option
on the Forwarders tab when a server is configured to use
forwarders."

OK, I have it set up. We'll see if that helps. Thanks,
Kevin, for all your help.
CR
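Kevin's distinction between the two settings, and the documentation quoted above, describe an order of operations: authoritative zones first, then forwarders, then (unless forwarding is exclusive) the server's own iterative resolution from root hints. The model below is an added example, not code from the thread or from Microsoft, that walks one query through a Phoenix-like server in each of the three modes and records which servers it contacts and what it would log. Names, addresses and the simulated upstream servers are constructed; treating an RA=0 answer from any contacted server as a 7063 event is an assumption drawn from the poster's log, which named servers that were never forwarders. On current Windows Server the Forwarders-tab setting corresponds to `Set-DnsServerForwarder -UseRootHint $false` (or `dnscmd /ResetForwarders ... /Slave`) and the Advanced-tab setting to `Set-DnsServerRecursion -Enable $false`.

```python
# Added example (not from the thread): a model of the order in which a
# Windows-style DNS server consults its own zones, its forwarders and its root
# hints, to show what "Do not use recursion" (Forwarders tab) and "Disable
# recursion" (Advanced tab) each change. Names, addresses and the simulated
# upstream servers are constructed for the example.

FORWARD_THEN_ROOT_HINTS = "default"   # forwarders first, then iterate from root hints
FORWARD_ONLY = "forwarders-only"      # Forwarders tab: "Do not use recursion"
RECURSION_DISABLED = "recursion-off"  # Advanced tab: "Disable recursion"
MAX_REFERRALS = 8


class DnsServer:
    def __init__(self, mode, zones, forwarders, root_hints):
        self.mode = mode
        self.zones = zones            # {"zone": {"fqdn": "address"}}
        self.forwarders = forwarders  # ordered list of forwarder addresses
        self.root_hints = root_hints  # root server addresses
        self.events = []              # what would land in the DNS Server event log

    def _authoritative(self, name):
        for zone, records in self.zones.items():
            if name == zone or name.endswith("." + zone):
                return records.get(name, "NXDOMAIN")
        return None

    def _ask(self, server, name, upstream, contacted):
        contacted.append(server)
        reply = upstream[server](name) if server in upstream else None  # None = timeout
        if reply is not None and not reply["ra"]:
            # The thread's log shows 7063 naming servers that were never forwarders,
            # so an RA=0 answer from any contacted server is logged here (assumption
            # about that server version's behaviour).
            self.events.append((7063, server))
        return reply

    def resolve(self, name, upstream):
        """upstream: {address: function(name) -> reply dict, or None for a timeout}.
        Returns (result, servers contacted in order)."""
        contacted = []
        own = self._authoritative(name)
        if own is not None:                  # authoritative data always wins
            return own, contacted
        if self.mode == RECURSION_DISABLED:  # no forwarding, no root hints
            return "REFUSED", contacted

        for fwd in self.forwarders:          # forwarders before anything else
            reply = self._ask(fwd, name, upstream, contacted)
            if reply is None or not reply["ra"]:
                continue                     # timeout or non-recursive: next forwarder
            if reply["rcode"] in ("NOERROR", "NXDOMAIN"):
                return reply.get("answer", reply["rcode"]), contacted

        if self.mode == FORWARD_ONLY:        # forwarders failed and fallback is off
            return "SERVFAIL", contacted

        for next_hop in self.root_hints:     # fall back to iterating from the root
            for _ in range(MAX_REFERRALS):
                reply = self._ask(next_hop, name, upstream, contacted)
                if reply is None:
                    break
                if "answer" in reply:
                    return reply["answer"], contacted
                if "referral" not in reply:
                    break
                next_hop = reply["referral"]
        return "SERVFAIL", contacted


# Constructed upstream world: ISP forwarder, a root server, a TLD server and the
# target name's authoritative server (only the last one holds the answer).
ROOT, TLD, AUTH = "198.51.100.1", "198.51.100.2", "198.51.100.3"


def _timeout(name):
    return None


def _recursive_answer(name):
    return {"rcode": "NOERROR", "ra": True, "answer": "203.0.113.10"}


def _authoritative_answer(name):
    return {"rcode": "NOERROR", "ra": False, "answer": "203.0.113.10"}


def _referral_to(address):
    return lambda name: {"rcode": "NOERROR", "ra": False, "referral": address}


UPSTREAM_HEALTHY = {
    "4.2.2.2": _recursive_answer,
    ROOT: _referral_to(TLD), TLD: _referral_to(AUTH), AUTH: _authoritative_answer,
}
UPSTREAM_FORWARDER_DOWN = dict(UPSTREAM_HEALTHY, **{"4.2.2.2": _timeout})
PHOENIX_ZONES = {"phoenix.example": {"dc1.phoenix.example": "192.168.0.4"}}


def run(mode, upstream, name="www.example.net"):
    """Resolve one name through a Phoenix-like server in the given mode."""
    server = DnsServer(mode, PHOENIX_ZONES, ["4.2.2.2"], [ROOT])
    result, contacted = server.resolve(name, upstream)
    return result, contacted, server.events
```

With the forwarder timing out, the default mode contacts the root, TLD and authoritative servers and logs an event for each of them; forwarders-only mode stops after the forwarder and fails the query instead, which is the behaviour the poster reports once "Do not use recursion" is set. Disabling recursion on the Advanced tab refuses every non-authoritative query even when the forwarder is healthy, while the server's own zone still answers, which is what would have left the Cerritos and Nogales servers without external resolution.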
 
Two hours went by.... no errors!!! I was getting those
errors every 1-5 minutes. Looks like "Do Not Use
Recursion" fixed it!!!
Thanks Kevin!
CR
 