Event 5504 Invalid Domain Name

[rdroske]

I have recently started getting lots of warnings in the logs of my DNS servers. The text reads "DNS Server encountered invalid domain name in packet from 198.41.0.4.
Packet is rejected." Also from other IP's but all of them turn out to be the root servers.

Anyone else getting these?

 

[MissyAngel]

Two weeks ago they started appearing in my DNS logs too and so far I haven't had any luck...Like you, they all appear to be root servers...

 

[ashpp]

Got any incorrectly formatted hosts on the network (ie. _)? Usually this warning can be safely ignored.

http://eventid.net/display.asp?eventid=5504&source=

Ash.

 

[rdroske]

I actually stopped getting them about 4 weeks ago (2/14)? Odd, they just stopped. I knew they could be ignored but they generate a warning in the log and these are monitored and set off alarms on my network, just inconvenient.

 

[AUSanders79]

Hmmm. I'm getting the same thing. All coming from various Root servers. Thing is, we've got two internal DNS Servers running and only the primary is getting hit. Everyone keeps referring me to EventID.net, but that says nothing useful. Esp when Microsoft's fixes don't work. Anyone got anything else on this??

 

[MissyAngel]

I had checked out EventID.net already and thought that there was nothing useful there; but it turns out that several older, infrequently used systems were turned on recently and they all contained underscores in their names. I renamed them two days ago and haven't seen any errors in the logs yet, but we'll see...I'll keep you all posted.

 

[MissyAngel]

Just an update: Renaming the older systems that we recently put back into use seemed to take care of the problem, as the errors haven't occured since. Out of curiousity, though, underscores are considered invalid characters? I was always under the impression that they are acceptable...

 

[ashpp]

They are invalid characters as per the RFC for the DNS system. That doesn't mean on certain DNS implementations they won't work.

Ash.

 

[LTM1264]

I have been getting the event ID 5504 for a few weeks. Sounds like this is refered to as "cache pollution", Please see the Knowledge Base article Q241352 for step-by-step instructions. Although I followed the steps outlined, the warnings are still in the event log. Do you have any idea how to get rid of them?

 

[jimmytan2]

res://c:\windows\system\shdoclc.dll/dnserror.htm

 

[AXISPNOC]

Just started receiving 5504 errors on my Primary (Win2KSp3 PDC) DNS server. The secondaries don't show this error. All of the errors are from various Root DNS Servers. I tried the pollution fix, and this did not work. I am not sure why this is happening but it just started about a week ago. I realize that Microsoft says you can safely ignore this message, however I would like to know why it started happening. My servers have been operational for a year now, and I have not made any major changes, especially in the DNS.

 

[hsleviant]

I just started seeing the same 5504 Event warning in the past few days. Upgraded Win2K SBS to SP4 (from SP2). The upgrade disabled the SYSVOL share; had major problem with NTFRS events thinking that SYSVOL root had been moved. Restoring the share in the registry corrected the connection errors, and putting in the dummy NEW_ROOT_WHATEVER file for NTFRS cleared NTFRS errors. But...now I'm seeing event 5504 warnings (and one event 9999 warning), grouped closely in time, and numbering in the 10-15 separate warnings per "bundle" of events, that invalid domain names exist in packets from 206.13.29.12, which is one of the Pacific Bell DSL name servers for our DSL service. Many hours will pass, and then I'll see another run of 10-15 of these events. The option is enabled under DNS to prevent DNS pollution. Any ideas? Does PacBell have a problem? Does our server? I'm not seeing anything wrong on my end to explain this. As above poster mentioned, I still want to figure out where this is coming from.

 

[scurl1968]

I am getting them too. Mine started on July 13th but stopped over this past week-end. I have two internal DNS servers running Win2K with SP3. I also read MS's KB article about cache pollution but already had both servers configured to prevent this. We have a solid FreeBSD firewall up and haven't noticed any suspicious behavior on that. Interestingly, we also use PacBell for our T-1 and I set up forwarders on our DNS servers to the PacBell servers, and some of the event errors do list the PacBell DNS server as the offending domain. I also know that PacBell has recently had to upgrade their router IOS's to close a DoS security hole. I'm not sure if this has anything to do with these event errors, but I thought that was an interesting coincidence.

Here's what I read on the Experts-Exchange website:
As the message is suggesting, the DNS server has received an invalid domain name. By invalid it means that it contains invalid characters. MS DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen) as part of a domain name. Some other DNS servers may not strictly enforce RFC 952 (DOD INTERNET HOST TABLE SPECIFICATION) so invalid names reach the DNS server and the 5504 message is recorded. Usually this happens when Forwarders are used by the DNS server. Microsoft suggested to one user to turn off the forwarder in order to eliminate these messages. There used to be a Knowledge Base article "Q246797 - DNS EVENT IDS 5504, 9999, AND 5000 FILL EVENT VIEWER" but is no longer available.
Another condition that may generated these messages is when the Internet connection is saturated or not working properly (losing packets). Because of the poor Internet connection, the DNS may receive incomplete or corrupted data and 5504 is generated.

Article Q154554 (not available anymore) stated that Windows NT 4.0 DNS server does not enforce the name restrictions, and will do WINS lookup for host names containing invalid characters. It is not recommended to use invalid host names. Other DNS server may have problems with names containing invalid characters."