External IP addresses showing up in internal DNS logs??


Michael H.

I turned on the logging feature on both of my DNS servers to monitor the DNS
traffic and see if I could troubleshoot some DNS issues we have been having.
I turned on all the logging features: query, notify, update, questions,
answers, send, receive, UDP, TCP, Full packets, Write Through. Unfortunately
I don't know how to read the logs (Doohh!).

Here is an example from one of my DNS logs (see below). This is an internal
DNS server (Windows 2000 AS, updated to the most recent critical updates
and service packs), and there are external IPs showing up in both the SND
and RCV packet captures.

I don't have forwarding enabled (yet); should I? And should I have external
IPs in my DNS logs, both under the SND and RCV packet captures?

What are the best practices on DNS logging for MS servers?

Thanks in advance for the help.
Mike H.

Packet Capture from MS W2k AS Server DNS log
******************************************************************************
Snd 210.94.0.15 09a0 Q [0000 NOERROR]
(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)
UDP question info at 022E900C
Socket = 400
Remote addr 210.94.0.15, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x002c (44)
Message:
XID 0x09a0
Flags 0x0000
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)"
QTYPE PTR (12)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:
*********************************************************************************
 
In
Michael H. said:
I turned on the logging feature on both of my DNS servers to monitor the DNS
traffic and see if I could troubleshoot some DNS issues we have been having.
I turned on all the logging features: query, notify, update, questions,
answers, send, receive, UDP, TCP, Full packets, Write Through. Unfortunately
I don't know how to read the logs (Doohh!).

Here is an example from one of my DNS logs (see below). This is an internal
DNS server (Windows 2000 AS, updated to the most recent critical updates
and service packs), and there are external IPs showing up in both the SND
and RCV packet captures.

I don't have forwarding enabled (yet); should I? And should I have external
IPs in my DNS logs, both under the SND and RCV packet captures?

Forwarding is not required, but it is recommended to offload some of the
external resolution to an external DNS server.
In the entry below I see it is for a reverse lookup, which tends to make me
believe you have a mail server.
The public IP you see DNS connecting to (210.94.0.15) is expected, since the
DNS server at that IP is authoritative for the PTR
(143.58.98.222.in-addr.arpa) your DNS is looking up. By the way, the
PTR does not exist. I also believe this IP is for a spam server in Korea.
What are the best practices on DNS logging for MS servers?

Long-term logging like this is not recommended due to the extra load put on
the DNS service to write these logs, and it has been known to cause the DNS
service to fail when under high load. If there is anything you don't want in
an Active Directory environment, it is to have the DNS service fail.
This type of logging should be enabled only for short-term diagnostics.
Thanks in advance for the help.
Mike H.

Packet Capture from MS W2k AS Server DNS log
******************************************************************************
Snd 210.94.0.15 09a0 Q [0000 NOERROR]
(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)
UDP question info at 022E900C
Socket = 400
Remote addr 210.94.0.15, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x002c (44)
Message:
XID 0x09a0
Flags 0x0000
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)"
QTYPE PTR (12)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:
*********************************************************************************
 
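As an added example (not part of the thread, and not Microsoft's or anyone else's tool), here is a small Python parser for a SND/RCV entry in the format shown above. It decodes the "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)" name encoding, recovers the IP address a PTR query is asking about (the octets are reversed in in-addr.arpa), and notes whether the remote address is public, which is the first thing to check when triaging entries like Mike's. The sample entry is constructed from the log in the thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the SND entry from the thread, trimmed to the lines this parser uses.
SAMPLE_ENTRY = """\
Snd 210.94.0.15 09a0 Q [0000 NOERROR]
(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)
UDP question info at 022E900C
Socket = 400
Remote addr 210.94.0.15, port 53
QTYPE PTR (12)
QCLASS 1
"""

# Each label is printed as (length)text; the trailing (0) is the root label.
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")

def decode_name(encoded: str) -> str:
    """Turn the log's (len)label form into dotted form, e.g. 143.58.98.222.in-addr.arpa."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        n = int(length)
        if n == 0:            # root label terminates the name
            break
        if len(label) != n:   # length byte disagrees with the text: malformed entry
            raise ValueError(f"label {label!r} does not have length {n}")
        labels.append(label)
    return ".".join(labels)

def ptr_target(name: str):
    """For an IPv4 reverse-lookup name, return the address it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.ip_address(".".join(reversed(octets))))

def parse_entry(entry: str) -> dict:
    """Parse one debug-log entry into direction, remote peer, query name/type and triage hints."""
    lines = entry.splitlines()
    direction, remote, xid, *_ = lines[0].split()
    info = {"direction": direction, "remote": remote, "xid": xid}
    info["qname"] = decode_name(lines[1])
    m = re.search(r"QTYPE (\w+)", entry)
    info["qtype"] = m.group(1) if m else None
    info["ptr_target"] = ptr_target(info["qname"]) if info["qtype"] == "PTR" else None
    # A public remote peer on a SND line is the server recursing on its own, as Kevin describes.
    info["remote_is_public"] = ipaddress.ip_address(remote).is_global
    return info
```

For the sample entry this reports a PTR query about 222.98.58.143 sent to the public authoritative server 210.94.0.15, i.e. the server itself doing the reverse lookup, not an outside host querying it.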
Thanks Kevin for the answers.

Yes, I do have a mail server (Novell GroupWise), but I'm still wondering if I
should be concerned about having these external IP addresses show up in my DNS
log?

Is my mail server looking up this address to confirm the existence of the
sender's domain? Spam... is it receiving spam or relaying it, and is there a
way to tell with DNS?

Thanks,
Mike H.


Kevin D. Goodknecht Sr. said:
 
In
Mike H. said:
Thanks Kevin for the answers.

Yes, I do have a mail server (Novell GroupWise), but I'm still wondering if I
should be concerned about having these external IP addresses show up in my DNS
log?

No, you shouldn't be concerned with this; it is normal for mail servers to do
this PTR lookup.
Is my mail server looking up this address to confirm the existence of the
sender's domain?

Your mail server looks up the IP of any mail server sending mail to it. Some
mail servers use this to decide if it is going to accept mail from the
server for the domain.

Spam... is it receiving spam or relaying it, and is there a way to tell with DNS?

No you can't tell with DNS if your mail server is accepting spam or relaying
mail.