Ill-constructed SRV lookups


relay_denied

First of all, thank you for reading and especially for any assistance.

We experience odd pauses at times in some network services such as MSMQ,
mail delivery, or others, which at least led me to look at the DNS logging for
any information I may find. Although I am not convinced yet that my problem
lies completely in DNS, there certainly is a peculiarity.

I first started seeing misconfigured SRV lookups scattered about, but I now
have seen little storms of these, as many as 150 or so right in a row.
It is not only a nuisance to us, but these get forwarded to root servers
since the lookup ends in a machine name instead of a known domain name.

I have looked quite exhaustively for an explanation, or even an explanation
of what I am looking at when I have complete logging on. There seems to be
very little describing the logs and nothing on these misconfigured lookups.

I have included just a few examples; they are just a few from the top of one
of the storms. There are two types of error.

Machine name at end instead of domain name; these come in storms:

Rcv 10.10.20.97 26e4 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Snd 202.12.27.33 188d Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Rcv 10.10.21.41 4e2e Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Snd 202.12.27.33 2094 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Rcv 192.168.1.161 93a6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Snd 202.12.27.33 289a Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Rcv 10.10.20.59 93fa Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Snd 202.12.27.33 18a0 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Rcv 10.10.21.36 e1e0 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Snd 202.12.27.33 28ac Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Rcv 10.10.21.30 476f Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN(0)
Snd 202.12.27.33 38b6 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN(0)
Rcv 10.10.20.45 b01a Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Snd 202.12.27.33 38bd Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Rcv 10.10.20.83 0b53 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Snd 202.12.27.33 28c0 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Rcv 10.10.20.95 1ba1 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE3(0)

Machine name injected into the path (dc1(9)); these are scattered about:

Rcv 10.10.20.86 ca9b Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Snd 10.10.20.86 ca9b R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Rcv 10.10.20.86 209d Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Snd 10.10.20.86 209d R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)

Any assistance with an explanation, and possibly a fix, would be greatly
appreciated. If there is a good source for troubleshooting W2K DNS or
reading the logs, I would welcome the reading.
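As an added example (not part of the original post), the following Python script parses lines in the debug-log format shown above, decodes the (n)label notation, and sorts each received SRV query into the two malformed shapes described here (bare machine name at the end; machine name injected between _msdcs and the domain) plus the well-formed case. The sample lines are constructed from the shapes quoted in this post with each query on a single line (the mail wrapping removed) and the domain written as anydomain.com, the name used later in the thread; the KNOWN_ZONES set and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the debug-log format quoted above, one query per
# line (mail wrapping removed); anydomain.com stands in for the AD domain.
SAMPLE_LOG = """\
Rcv 10.10.20.97 26e4 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Snd 202.12.27.33 188d Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Rcv 10.10.20.86 ca9b Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)anydomain(3)com(0)
Snd 10.10.20.86 ca9b R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)anydomain(3)com(0)
Rcv 10.10.20.70 dbe2 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)
Snd 10.10.20.70 dbe2 R Q [8085 A DR NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)
"""

KNOWN_ZONES = {"anydomain.com"}  # assumption: zones this server is authoritative for

# Rcv|Snd <peer> <xid> [R] Q [<flags>] <name>
LINE_RE = re.compile(
    r"^(?P<dir>Rcv|Snd)\s+(?P<addr>\S+)\s+(?P<xid>[0-9a-f]{4})\s+"
    r"(?P<resp>R\s+)?Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<name>\S+)$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")  # (n)label pairs; (0) is the root


@dataclass
class Record:
    direction: str     # Rcv = received by the server, Snd = sent by it
    addr: str          # peer address
    xid: str           # transaction id
    is_response: bool  # 'R' present means a response, absent means a query
    labels: list       # decoded name labels, root omitted


def decode_name(text):
    """'(5)_ldap(4)_tcp(0)' -> ['_ldap', '_tcp']; rejects mangled lines."""
    labels = []
    for length, label in LABEL_RE.findall(text):
        if int(length) != len(label):   # (n) is the wire-format length byte
            raise ValueError(f"label length mismatch in {text!r}")
        if label:
            labels.append(label)
    return labels


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["dir"], m["addr"], m["xid"], m["resp"] is not None,
                  decode_name(m["name"]))


def classify(labels, known_zones=KNOWN_ZONES):
    """Classify an AD locator query by what follows the _msdcs label."""
    lowered = [l.lower() for l in labels]
    if "_msdcs" not in lowered:
        return "not-msdcs"
    tail = lowered[lowered.index("_msdcs") + 1:]
    if ".".join(tail) in known_zones:
        return "well-formed"
    if len(tail) == 1:
        return "bare-hostname"       # no domain suffix: resolved from the root
    if ".".join(tail[1:]) in known_zones:
        return "hostname-injected"   # host label between _msdcs and the zone
    return "unknown-suffix"


def analyze(log_text, known_zones=KNOWN_ZONES):
    """Per-class counts, clients sending malformed queries, queries sent off-net."""
    counts, offenders, leaked = Counter(), set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.is_response:
            continue
        kind = classify(rec.labels, known_zones)
        if rec.direction == "Rcv":
            counts[kind] += 1
            if kind != "well-formed":
                offenders.add(rec.addr)
        elif not ipaddress.ip_address(rec.addr).is_private:
            leaked.append((rec.addr, ".".join(rec.labels)))  # left the network
    return {"counts": dict(counts), "offenders": sorted(offenders), "leaked": leaked}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["counts"])
    print("clients sending malformed SRV queries:", ", ".join(result["offenders"]))
    for addr, name in result["leaked"]:
        print(f"query sent outside the network to {addr}: {name}")
```

Run over a rejoined debug log, the offenders list gives the client addresses worth capturing, and the leaked list shows which queries the server itself pushed to non-private addresses; in the log above those are the Snd lines toward 202.12.27.33, where the bare-hostname queries end up because nothing below the root is authoritative for a single-label name.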
 

William Stacey

In my mind, I would first want to track down where these are coming from.
I would start with NetMon (or other) and filter on DNS packets and try to catch
some of these coming or going on the DNS server. You should then be able
to determine the IP address (and hence box) where these are coming from.

--
William Stacey, MVP


Ace Fekay [MVP]

William Stacey said:
In my mind, I would first want to track down where these are coming
from. I would start with NetMon (or other) and filter on DNS packets
and try to catch some of these coming or going on the DNS server. You
should then be able to determine the IP address (and hence box) where
these are coming from.

I agree; we need to know where they are coming from. My initial feeling is that
these are DC and/or client queries, or Exchange DSAccess queries, to find the
DCs or GC. But NetMon will definitely determine this.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Jonathan de Boyne Pollard

r> I first started seeing misconfigured SRV lookups scattered
r> about, but I now have seen little storms of these, as many
r> as 150 or so right in a row. It is not only a nuisance to us,
r> but these get forwarded to root servers since the lookup ends
r> in a machine name instead of a known domain name.

Annoying, isn't it? I was trying to track down the cause of such irritants
last year, in an effort to reduce the DNS query leakage from a "split horizon"
setup. I never had the opportunity to find the root cause of the problem, but
I had narrowed it down as far as the culprits all seemingly being Windows NT
2000 machines that had initially been installed as members of a Workgroup
rather than as members of a Domain. Check whether this is the case for you.

relay_denied

Actually, I believe I know where they are coming from, and in most cases it
seems to be the machine itself. Is not the address after Rcv the address of
the machine that DNS received the request from, and after Snd the machine a
forwarded request was sent to? These are mainly W2K servers on our network, and
anything starting with dc is actually a domain controller.


William Stacey said:
In my mind, I would first want to track down where these are coming from.
I would start with NetMon (or other) and filter on DNS packets and try to catch
some of these coming or going on the DNS server. You should then be able
to determine the IP address (and hence box) where these are coming from.

--
William Stacey, MVP


relay_denied

Very interesting! Unfortunately I took the job well after these machines
were installed. Have you taken any further action, or are you living with it
:( They are indeed W2K servers on the internal side of a 'split horizon',
and I would not rule out the possibility of what you describe. I really find
the fact that I am creating significant additional traffic on root servers
more than annoying and close to unacceptable.

Another thing: have you found any good documentation/description of the data
found in W2K DNS logging? A lot of data goes in, but deciphering it all
seems extremely cumbersome and poorly documented.

Thank you for responding;

Paul



Jonathan de Boyne Pollard said:
r> I first started seeing misconfigured SRV lookups scattered
r> about, but I now have seen little storms of these, as many
r> as 150 or so right in a row. It is not only a nuisance to us,
r> but these get forwarded to root servers since the lookup ends
r> in a machine name instead of a known domain name.

Annoying, isn't it? I was trying to track down the cause of such irritants
last year, in an effort to reduce the DNS query leakage from a "split horizon"
setup. I never had the opportunity to find the root cause of the problem, but
I had narrowed it down as far as the culprits all seemingly being Windows NT
2000 machines that had initially been installed as members of a Workgroup
rather than as members of a Domain. Check whether this is the case for
you.

relay_denied

I apologize; maybe I should rephrase my response and question. If the
requests are coming from the W2K servers on the local network, and I know
the address of the offender, what would be the next step to figuring out why
this is happening?

Thank You,

Paul


William Stacey said:
In my mind, I would first want to track down where these are coming from.
I would start with NetMon (or other) and filter on DNS packets and try to catch
some of these coming or going on the DNS server. You should then be able
to determine the IP address (and hence box) where these are coming from.

--
William Stacey, MVP


Jonathan de Boyne Pollard

r> Have you taken any further action or are you living with it :(

No.

r> have you found any good documentation/description
r> of the data found in W2K DNS [debug] logging.

No. (Mind you, I haven't really needed to look.) But if one copies such a
log to a file and publishes that file on a web site, there are several people
here who can aid one in deciphering it.

Ace Fekay [MVP]

relay_denied said:
I apologize; maybe I should rephrase my response and question. If the
requests are coming from the W2K servers on the local network, and I
know the address of the offender, what would be the next step to
figuring out why this is happening?

Thank You,

Paul

Can we see an unedited ipconfig /all of the offending machine, please?
Also, is the offending machine multihomed?
Is DNS installed on it?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Roger Abell [MVP]

Hi Paul,

It looked as if you have multiple machines sending these requests,
which in turn were forwarded.
Can you generalize what is the same in terms of the software load
between these machines? OS versions? Services started?
AD-leveraging application installed?

Roger
relay_denied said:
I apologize; maybe I should rephrase my response and question. If the
requests are coming from the W2K servers on the local network, and I know
the address of the offender, what would be the next step to figuring out why
this is happening?

Thank You,

Paul



relay_denied

Sorry for the size of the post. I hope this is what you were asking for. No machines in the example are dual-homed, and .86 is our main DNS server.

Here are ill-formed requests from .86 and its ipconfig /all. This machine is a DC and the first-choice DNS server on the network for all machines in this site.


Rcv 10.10.20.86 bdba Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3c64 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 3c64 R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 bdba R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 5abc Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 1c6d Q [0000 NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 aabd Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3470 Q [0000 NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 1c6d R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 5abc R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 3470 R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 aabd R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\pturner>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc3
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . : anydomain.com
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-AF-BB-2D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.86
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.20.30
DNS Servers . . . . . . . . . . . : 10.10.20.86


Here are ill-formed requests from .102 and its ipconfig /all. This is just a member server.


Rcv 10.10.20.102 eeb5 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Snd 10.10.20.102 eeb5 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Rcv 10.10.20.102 f5b6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Snd 10.10.20.102 f5b6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Rcv 10.10.20.102 39b6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Snd 10.10.20.102 39b6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Rcv 10.10.20.102 4cb6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Snd 10.10.20.102 4cb6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Rcv 10.10.20.102 feb7 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC0(0)
Snd 10.10.20.102 feb7 R Q [8381 DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC0(0)
Rcv 10.10.20.102 6fb7 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC0(0)
Snd 10.10.20.102 6fb7 R Q [8381 DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC0(0)


C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : e2
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NetServer 10/100TX PCI LAN Adapter #2
Physical Address. . . . . . . . . : 00-30-6E-06-08-62
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.102
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.20.30
DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33



Here are correct requests and ipconfig /all from .70. This is a member server running Exchange 2000 (this machine never ill-forms a request).


Rcv 10.10.20.70 dbe2 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)
Snd 10.10.20.70 dbe2 R Q [8085 A DR NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)

C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : e1
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . : anydomain.com
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-1C-FC-F4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.70
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1
DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33

Here is a full packet log of an ill-formed request from .86.

Rcv 10.10.20.86 0a2c Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
UDP question info at 0122037C
Socket = 360
Remote addr 10.10.20.86, port 4797
Time Query=5717166, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x0049 (73)
Message:
XID 0x0a2c
Flags 0x0100
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)"
QTYPE SRV (33)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:

Snd 202.12.27.33 2580 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
UDP question info at 010EC38C
Socket = 376
Remote addr 202.12.27.33, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x0049 (73)
Message:
XID 0x2580
Flags 0x0000
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)"
QTYPE SRV (33)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:
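Added example, not from the thread: this Python snippet rebuilds the query in the packet dump above as RFC 1035 wire bytes. It shows that the (5)_ldap(4)_tcp...(0) notation the debug log prints is the on-wire name itself (a length byte followed by each label, (0) being the root), and it checks the result against the header fields in the dump: a 73-byte message, Flags 0x0100 for the client's query (only RD set) and Flags 0x0000 for the copy the server sent on to 202.12.27.33 (RD clear, the server iterating from the root on its own). Function names are assumptions.

```python
import re
import struct

# The query name exactly as the debug log prints it: each (n) is the
# length byte that precedes the label on the wire, (0) is the root.
LOG_NAME = ("(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites"
            "(2)dc(6)_msdcs(3)DC3(0)")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")
QTYPE_SRV = 33   # "QTYPE SRV (33)" in the dump
QCLASS_IN = 1    # "QCLASS 1"
RD_BIT = 0x0100  # recursion desired: the only bit set in "Flags 0x0100"


def encode_name(log_name):
    """Turn the log's (n)label notation into RFC 1035 wire bytes."""
    out = bytearray()
    for length, label in LABEL_RE.findall(log_name):
        n = int(length)
        if n != len(label) or n > 63:
            raise ValueError(f"bad label {label!r} (declared length {n})")
        out.append(n)
        out += label.encode("ascii")
    if not out or out[-1] != 0:
        raise ValueError("name is not terminated by the root label")
    return bytes(out)


def build_query(xid, log_name, rd=True, qtype=QTYPE_SRV):
    """Serialize a one-question DNS query: 12-byte header, name, type, class."""
    flags = RD_BIT if rd else 0x0000
    header = struct.pack("!HHHHHH", xid, flags, 1, 0, 0, 0)  # QD=1, AN/NS/AR=0
    return header + encode_name(log_name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_header(msg):
    """Split the header into the fields the debug log prints."""
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "xid": xid, "flags": flags,
        "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qcount": qd, "acount": an, "nscount": ns, "arcount": ar,
    }


def decode_question(msg):
    """Read the first question: (dotted name, qtype, qclass, end offset)."""
    pos, labels = 12, []   # the question starts right after the header
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass, pos + 4


if __name__ == "__main__":
    # The client's query (XID 0x0a2c, RD set) and the copy the server sent
    # to 202.12.27.33 (XID 0x2580, RD clear: it is iterating by itself).
    for xid, rd in ((0x0a2c, True), (0x2580, False)):
        msg = build_query(xid, LOG_NAME, rd=rd)
        h = decode_header(msg)
        name, qtype, _, end = decode_question(msg)
        print(f"XID 0x{h['xid']:04x} Flags 0x{h['flags']:04x} RD {h['rd']} "
              f"len {end} name {name} qtype {qtype}")
```

The 73 bytes break down as 12 for the header, 57 for the name (seven length bytes, 49 bytes of labels, one root byte) and 4 for QTYPE and QCLASS, which matches "Msg length = 0x0049 (73)" in both halves of the dump. The single-label tail "DC3" is what makes this name unanswerable anywhere except by walking down from the root.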
 

relay_denied

These requests are coming from multiple machines. There seems to be very
little common ground between them other than W2K, SP4, all latest updates
installed (we try to stay on top of this). The type of ill formation that
gets no domain name at the end does get forwarded to root servers (no forwarder
set). The ill formation that injects the machine's name in the center of the SRV
lookup stays local but just never gets a correct response. I have even seen
the machines change the request, working farther up the folder structure of
the SRV records. It seems like they keep trying for some sort of an answer to
no avail.

Rcv 10.10.20.86 bdba Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3c64 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 5abc Q [0001 D NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 1c6d Q [0000 NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)

Nothing really strange in the services list, a couple have some home grown
services but not consistent across all machines. Some certainly get used
more than others. We collect performance statistics every 15 minutes and
query it at the end of the day. Most machines stay below our thresholds:
Processor 50%, Paging 20%, committed RAM in use 50%, etc. These are
mainly HP DL320 and DL380s.

I am not sure what you mean by AD leveraging application?

Really wish I was listing something really weird here, but we are a pretty
straight forward shop. Have I given you anything you can use? Any ideas?
This at times really generates a lot of traffic.



Roger Abell said:
Hi Paul,

It looked as if you have multiple machines sending these requests
that in turn were forwarded.
Can you generalize what is the same in terms of the software load
between these machines ? OS versions ? Services started ?
AD leveraging application installed ?

Roger
relay_denied said:
I apologize, maybe I should rephrase my response and question. If the
requests are coming from the W2K servers on the local network, and I know
the address of the offender, what would be the next step to figuring out why
this is happening.

Thank You,

Paul
but I now have seen little storms of these like as many as 150 or so right in
a row.
It is not only a nuisance to us but these get forwarded to root servers
since the lookup ends in a machine name instead of a known domain name.

I have looked quite exhaustively for an explanation or even an explanation
of what I am looking at when I have complete logging on. There seems to be
very little describing the logs and nothing on these misconfigured lookups.

I have included just a few examples, it is just a few from the top of one of
the storms. There are two types of error.

Machine name at end instead of domain name, these come in storms

Rcv 10.10.20.97 26e4 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Snd 202.12.27.33 188d Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Rcv 10.10.21.41 4e2e Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Snd 202.12.27.33 2094 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LSSE2(0)
Rcv 192.168.1.161 93a6 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Snd 202.12.27.33 289a Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(2)P2(0)
Rcv 10.10.20.59 93fa Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Snd 202.12.27.33 18a0 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SQL2(0)
Rcv 10.10.21.36 e1e0 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Snd 202.12.27.33 28ac Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(5)LPUB1(0)
Rcv 10.10.21.30 476f Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN(0)
Snd 202.12.27.33 38b6 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(8)DEVADMIN(0)
Rcv 10.10.20.45 b01a Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Snd 202.12.27.33 38bd Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)NS2(0)
Rcv 10.10.20.83 0b53 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Snd 202.12.27.33 28c0 Q [0000 NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE1(0)
Rcv 10.10.20.95 1ba1 Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(4)SSE3(0)
Machine name injected into path, dc1(9) these are scattered about:

Rcv 10.10.20.86 ca9b Q [0001 D NOERROR]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Snd 10.10.20.86 ca9b R Q [8385 A DR NXDOMAIN]
(5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Rcv 10.10.20.86 209d Q [0001 D NOERROR]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Snd 10.10.20.86 209d R Q [8385 A DR NXDOMAIN]
(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)

Any assistance with an explanation and possibly a fix would be greatly
appreciated. If there is a good source for troubleshooting W2K DNS or
reading the logs I would welcome the reading.
 
A

Ace Fekay [MVP]

Hmm, Your ipconfigs look good actually. No single label names, pointing to your own internal DNS, etc.

I'm very curious why this IP comes up:
Name: m.root-servers.net
Address: 202.12.27.33
because it's one of the root servers, as you can see, and it shows up along with your internal server. The only thing that I can think of that would cause this is if you had a single label domain name, but from your ipconfigs, assuming it's in the correct format, it is not a single label name (such as "domain" is incorrect, but "domain.com" is correct). Since you munged your actual domain name, I'm going to assume you munged it with the correct format. Also, are there any other zones on your DNS server that may be single label?

Also, try this, check your Nameserver tab in your zone properties, make sure the correct name and IP of your DNS server(s) are in there, and also try a different forwarder, such as 4.2.2.2. If that itself doesn't work, also click on "do not use recursion" in the bottom of the forwarder box.

Also, make sure you do not forward to each other, but rather individually out to the ISP. That can cause a forwarding loop (and may cause this).

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================

Sorry for the size of the post. I hope this is what you were asking for. No machines in the example are dual homed and .86 is our main DNS server.

Here are ill formed requests from .86 and ipconfig /all - This machine is a DC and the first choice DNS Server in the net for all machines in this site


Rcv 10.10.20.86 bdba Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3c64 Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 3c64 R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 bdba R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 5abc Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 1c6d Q [0000 NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 10.10.20.86 aabd Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 202.12.27.33 3470 Q [0000 NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 1c6d R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 5abc R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Rcv 202.12.27.33 3470 R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)
Snd 10.10.20.86 aabd R Q [0384 A NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\pturner>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : dc3
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . : anydomain.com
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-AF-BB-2D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.86
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.20.30
DNS Servers . . . . . . . . . . . : 10.10.20.86


Here are ill formed requests from .102 and ipconfig /all - This is just a member server


Rcv 10.10.20.102 eeb5 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Snd 10.10.20.102 eeb5 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Rcv 10.10.20.102 f5b6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Snd 10.10.20.102 f5b6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc0(9)anydomain(3)com(0)
Rcv 10.10.20.102 39b6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Snd 10.10.20.102 39b6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Rcv 10.10.20.102 4cb6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Snd 10.10.20.102 4cb6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Rcv 10.10.20.102 feb7 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC0(0)
Snd 10.10.20.102 feb7 R Q [8381 DR NXDOMAIN] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)DC0(0)
Rcv 10.10.20.102 6fb7 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC0(0)
Snd 10.10.20.102 6fb7 R Q [8381 DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC0(0)


C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : e2
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NetServer 10/100TX PCI LAN Adapter #2
Physical Address. . . . . . . . . : 00-30-6E-06-08-62
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.102
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.20.30
DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33



Here are correct requests and ipconfig /all from .70 - This is a member server running Exchange 2000 (this machine never ill forms a request)


Rcv 10.10.20.70 dbe2 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)
Snd 10.10.20.70 dbe2 R Q [8085 A DR NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(9)anydomain(3)com(0)

C:\WINNT\system32>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : e1
Primary DNS Suffix . . . . . . . : anydomain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : anydomain.com

Ethernet adapter Internal:

Connection-specific DNS Suffix . : anydomain.com
Description . . . . . . . . . . . : HP NC7760 Gigabit Server Adapter
Physical Address. . . . . . . . . : 00-0B-CD-1C-FC-F4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.20.70
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.10.0.1
DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33

 
K

Kevin D. Goodknecht [MVP]

In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question
Then Kevin replied below:
: Hmm, Your ipconfigs look good actually. No single label names,
: pointing to your own internal DNS, etc.
:
: I'm very curious why this IP comes up:
:: Name: m.root-servers.net
:: Address: 202.12.27.33
: because it's one of the root servers, as you can see and it shows up
: along with your internal server. The only thing that I can think of
: that would cause this is if you had a single label domain name, but
: from your ipconfigs, assuming it's in the correct format, is not a
: single label name (such as "domain" is incorrect, but "domain.com" is
: correct). Since you munged your actual domain name, I'm going to
: assume you munged it with the correct format. Also, are there any
: other zones on your DNS server that may be single label?
:
Maybe he has a member with an incorrect primary DNS suffix.
 
A

Ace Fekay [MVP]

Maybe he has a member with an incorrect primary DNS suffix.

Or maybe even with an underscore in it.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
R

relay_denied

Well I believe because the query does not end in a domain name known by the
local DNS server. We do not have forwarders configured so it falls back on
root hints.

Ya, this is a good one. I am really unable to find any other info out there.
I would like to find a source of info describing all the things you see when
doing full packet logging. Maybe there are some clues in there.


 
R

relay_denied

I spent one night going to all the machines forming these lookups and made
sure the DNS config box was correct and consistent. There are about 20
machines doing this. There are a couple Q articles that talk about improper
suffixes, underscores, single names, and the such. I have read them $-(

You guys aren't ready to give up are you? It's just getting good.

Thank You for all your replies so far.

 
K

Kevin D. Goodknecht [MVP]

In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&[email protected]>
posted a question
Then Kevin replied below:
: Hmm, Your ipconfigs look good actually. No single label names,
: pointing to your own internal DNS, etc.
:
Are you sure?
DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33 <------ What DNS server is this? I don't see it on the ipconfig for the DC he posted.
 
R

Roger Abell [MVP]

Well, what I meant by AD-leveraging is any third-party or
home-grown app that uses AD-awareness. This is either
happening due to MS software, or something that wants
to locate an ldap server and knows how to go about it.
For example, any code that tries to use an ldap moniker
in an ADs or ADSI binding action, etc.

For example, the following documents a new flag added at SP1
to avoid the problem when a servername is given to an
ldap bind action. However, it is up to the developer to
use the flag, and also if you read closely, to make sure
that they no longer use GetObject, replacing those with
OpenObject.
http://support.microsoft.com/default.aspx?scid=kb;en-us;258507&Product=win2000



The records you just quoted show it (on 10.10.20.86 )
trying to find an Ldap service in its site, and then to find
one for the forestroot domain.
The problem is simply that it (whatever it is) thinks that
the forestroot domain is DC3 instead of the correct value.

The records in your original post showed the same thing
happening, except it exampled it cycling through about
8 or 9 names in place of the DC3.

The records you posted in reply to Ace elsewhere in this
thread show it doing this, following a pattern of normal
DNS suffix appending, hence first
<host>.anydomain.com is tried, then simply <host>

Now, in initial post, the salt-and-peppered about
examples, where it used for the domain such as
(3)dc1(9)adexpedia(3)com(0)
are 1) most bizarre, 2) in this example from the same
machine (10.10.20.86 ) as the DC3 records exampled
in this post, and 3) perhaps a very big clue as to what is
originating this (why adexpedia.com - others like this,
or always this?).

When you look at the (non-salt-and-peppered) queries
is there any correspondence between sender's IP and
hostname ??
Ex.
here we have
10.10.20.86 DC3
or in initial post
10.10.20.97 PV3
10.10.21.41 LSSE2
192.168.1.161 P2
10.10.20.59 SQL2
10.10.21.36 LPUB1
10.10.21.30 DEVADMIN
10.10.20.45 NS2
10.10.20.83 SSE1
10.10.20.95 SSE3
We are not that lucky are we, as to have this hostname
of the sender being used in place as its domain ?
Is there any rhyme or reason why the machine indicated
by IP would be trying to ldap bind to the host they try?
From their hostnames I would guess they are not all DCs.

Following up on your stating that you have raked the
KBs over, we then need to be creative in absence of
info from relevant articles. Is there any ability to watch
(sysmon trace) a machine to profile CPU time by process
over a time period during which it might be possible to timestamp
correlate with its sending to Tcp to port 53 at your DNS
server IP ? (Probably impossible to do if a given machine
just does the 4 or so malformed queries in a short time and
then does not do it again for a lengthy time).
I am just trying to get at what it is that is doing this.

--
Roger

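The two malformed shapes Roger describes above (a host name standing in for the forest domain, which the server then chases via root hints, and a host name injected in front of the real domain) can be picked out of the debug log mechanically by decoding the length-prefixed names. This is an added example, not code from the thread; it assumes the forest root is anydomain.com, and the log lines it runs on are constructed in the format posted above.

```python
"""Decode the length-prefixed names in Windows 2000 DNS debug-log query lines and
classify malformed DC-locator SRV lookups.  Added example, not the thread's own code;
the sample lines are constructed in the format posted above and the forest root
domain anydomain.com is assumed."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (format: dir ip xid [R] Q [flags rcode] encoded-name).
SAMPLE_LOG = """\
Rcv 10.10.20.97 26e4 Q [0001 D NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Snd 202.12.27.33 188d Q [0000 NOERROR] (5)_ldap(4)_tcp(23)Default-First-Site-Name(6)_sites(2)dc(6)_msdcs(3)PV3(0)
Rcv 10.10.20.102 39b6 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Snd 10.10.20.102 39b6 R Q [8385 A DR NXDOMAIN] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC1(9)anydomain(3)com(0)
Rcv 10.10.20.86 ca9b Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(3)dc1(9)adexpedia(3)com(0)
Rcv 10.10.20.70 dbe2 Q [0001 D NOERROR] (5)_ldap(4)_tcp(2)dc(6)_msdcs(9)anydomain(3)com(0)
"""

LINE_RE = re.compile(
    r"^(?P<dir>Rcv|Snd)\s+(?P<ip>[\d.]+)\s+(?P<xid>[0-9a-f]{4})\s+(?P<resp>R\s+)?Q\s+"
    r"\[(?P<bracket>[^\]]+)\]\s+(?P<name>\S+)\s*$")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")


def decode_name(encoded):
    """'(5)_ldap(4)_tcp(2)dc(6)_msdcs(3)DC3(0)' -> '_ldap._tcp.dc._msdcs.DC3'.
    Each (n) is the wire-format label length; a mismatch means the log wrapped or
    truncated the line, so refuse to guess rather than decode garbage."""
    labels = []
    for length, label in LABEL_RE.findall(encoded):
        if int(length) == 0:
            break
        if int(length) != len(label):
            raise ValueError(f"label length {length} does not match {label!r}")
        labels.append(label)
    return ".".join(labels)


def classify(name, forest_domain):
    """Compare the labels after _msdcs (the domain the client thinks it is in) with
    the real forest root domain."""
    labels, forest = name.lower().split("."), forest_domain.lower().split(".")
    if "_msdcs" not in labels:
        return "not-dc-locator"
    tail = labels[labels.index("_msdcs") + 1:]
    if tail == forest:
        return "ok"
    if len(tail) == 1:
        return "host-as-domain"   # no known zone suffix: server recurses to root hints
    if tail[-len(forest):] == forest:
        return "host-injected"    # e.g. DC1.anydomain.com: host name where the domain belongs
    return "foreign-domain"


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    bracket = m["bracket"].split()   # hex flags, optional flag letters, then rcode
    return {"dir": m["dir"], "ip": m["ip"], "xid": m["xid"], "response": bool(m["resp"]),
            "flags": bracket[0], "rcode": bracket[-1], "name": decode_name(m["name"])}


def analyze(log_text, forest_domain):
    """Return {sender ip: {(kind, bogus suffix)}} for malformed received queries, and
    the queries the server itself sent to non-private addresses (root-hint recursion)."""
    findings, external = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["response"]:
            continue
        kind = classify(rec["name"], forest_domain)
        if rec["dir"] == "Rcv" and kind != "ok":
            findings[rec["ip"]].add((kind, rec["name"].split("_msdcs.")[-1]))
        elif rec["dir"] == "Snd" and not ipaddress.ip_address(rec["ip"]).is_private:
            external.append((rec["ip"], rec["name"]))
    return dict(findings), external


if __name__ == "__main__":
    found, ext = analyze(SAMPLE_LOG, "anydomain.com")
    for ip, items in sorted(found.items()):
        print(ip, sorted(items))
    print("sent to external resolvers:", ext)
```

Running it over a real dns.log lets you answer Roger's question directly: group the bogus suffixes by sender IP and see whether each host is substituting its own name, or some other host's, for the domain.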
 
A

Ace Fekay [MVP]

relay_denied said:
Well I believe because the query does not end in a domain name known
by the local DNS server. We do not have forwarders configured so it
falls back on root hints.

Ya, this is a good one. I am really unable to find any other info out
there. I would like to find a source of info describing all the
things you see when doing full packet logging. Maybe there are some
clues in there.

Configure a forwarder, try 4.2.2.2. It's just a recommended way to make your
Internet resolution more efficient. See what happens after that.

Haven't given up yet. See Kevin's post about that IP address he caught (that
I missed):

DNS Servers . . . . . . . . . . . : 10.10.20.86
10.10.20.33 <----- This one here!!!

What is it? As Kevin said, it doesn't show up on the DC?? DNS configs must
be consistent across the enterprise as per their content.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
