Forum FAQ: How to troubleshoot DNS Event 5504 error

symptom

a dns server may record event id 5504 error in event log:

 

event type: warning
event source: dns
event category: none
event id: 5504
user: n/a
computer: computer_name
description: dns server encountered invalid domain name in packet ip_address .
the packet rejected.

 

cause

event id 5504 logged when dns server receives packet containing invalid domain name. there many possible causes.

 

1.      the dns cache becomes corrupt invalid domain names.

2.      the dns server receives spoofed response.

3.      the dns response contains domain names characters other 0-9, a-z, a-z, . (period), , - (hyphen).

4.      the dns server has been configured invalid forwarders

5.      the network dns server resides on busy or not working properly.

 

resolution

the following general troubleshooting steps issue:

 

1. secure dns cache against pollution.

 

a)     open dns management snap-in , open properties dialog dns server.

b)     click advanced tab, check secure cache against pollution option, , click ok.

c)      after enabling setting, right-click applicable dns server , select clear cache, restart dns server service.

2. verify forwarder list on dns server pointing recursive dns servers.  to view forwarders, please perform following steps:

 

a)     open dns management snap-in , open properties dialog dns server.

b)     click forwarders tab, can view existing forwarders.

 

3. third party dns servers may using records of type aren’t supported windows dns servers, such dname resource record.

 

920162     event 5504 logged when windows server 2003-based dns server receives packet contains dname resource record

http://support.microsoft.com/default.aspx?scid=kb;en-us;920162

 

4. example dns produce event id 5504 error when extended dns (edns) packets received server attempting resolve edns traffic doesn’t support edns or have enabled. easy workaround disable edns.

 

dnscmd /config /enableednsprobes 0

 

more information

troubleshooting dns

http://technet2.microsoft.com/windowsserver/en/library/de2aa69d-1155-4dc9-a651-e836

2f6a81c81033.mspx?mfr=true

 

dns best practices

http://technet2.microsoft.com/windowsserver/en/library/59d7a747-48dc-42cc-8986-c73d

b47398a21033.mspx?mfr=true

 

applies to

 

• windows server® 2003 operating system
• windows server® 2008 operating system
• windows server® 2008 r2 operating system
  
  

i'm not sure whether appropriate place add - (possible) cause have seen not mentioned above request aaaa record (ipv6 address) being responded record (ipv4 address).

dns debug logging (windows 2008 r2 sp1) captured requests 192.225.156.200 , corresponding responses. in each case response followed in debug log event “the dns server encountered invalid domain name in packet 192.225.156.200. packet rejected. event data contains dns packet.”

the domain name in response same in query, , looks ok.

the logged query shows aaaa record (ipv6 address) request , logged response returned record (ipv4 address).

http://www.rfc-editor.org/rfc/rfc4074.txt “common misbehavior against dns queries ipv6 addresses” says, under “expected behavior”:

   suppose authoritative server has rr has no aaaa rr

   host name.  then, server should return response a

   query aaaa rr of name response code (rcode) being

   0 (indicating no error) , empty answer section (see

   sections 4.3.2 , 6.2.4 of [1]).  such response indicates that

   there @ least 1 rr of different type aaaa the

   queried name, , stub resolver can rrs.

Windows Server  >  Network Infrastructure Servers