Forum FAQ: How to troubleshoot DNS Event 5504 error

    General discussion

  • Symptom

    A DNS server may frequently record the Event ID 5504 error in the event log:

     

    Event Type: Warning
    Event Source: DNS
    Event Category: None
    Event ID: 5504
    User: N/A
    Computer: Computer_name
    Description: The DNS server encountered an invalid domain name in a packet from IP_Address .
    The packet is rejected.

     

    Cause

    Event ID 5504 is logged when a DNS Server receives a packet containing an invalid domain name. There are many possible causes.

     

    1.      The DNS cache becomes corrupt with invalid domain names.

    2.      The DNS Server receives a spoofed response.

    3.      The DNS response contains domain names with characters other than 0-9, a-z, A-Z, . (Period), and - (Hyphen).

    4.      The DNS Server has been configured with invalid forwarders.

    5.      The network the DNS server resides on is busy or not working properly.

     

    Resolution

    The following are general troubleshooting steps for this issue:

     

    1. Secure the DNS cache against pollution.

     

    a)     Open DNS Management snap-in and then open the Properties dialog for the DNS server.

    b)     Click the Advanced tab, check the Secure Cache against Pollution option, and then click OK.

    c)      After enabling this setting, right-click the applicable DNS server and select Clear Cache, then restart the DNS Server service.

    2. Verify that the forwarder list on the DNS server is pointing to recursive DNS servers.  To view the forwarders, please perform the following steps:

     

    a)     Open DNS Management snap-in and then open the Properties dialog for the DNS server.

    b)     Click the Forwarders tab to view the existing forwarders.

     

    3. Some third-party DNS servers may be using records of a type that isn’t supported by Windows DNS servers, such as the DNAME resource record.

     

    920162     Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;920162

     

    4. Another example where DNS will produce the Event ID 5504 error is when Extended DNS (EDNS) packets are received but the server that is attempting to resolve the EDNS traffic doesn’t support EDNS or have it enabled. An easy workaround is to disable EDNS.

     

    dnscmd /Config /EnableEDnsProbes 0

     

    More Information

    Troubleshooting DNS

    http://technet2.microsoft.com/WindowsServer/en/library/de2aa69d-1155-4dc9-a651-e8362f6a81c81033.mspx?mfr=true

     

    DNS Best Practices

    http://technet2.microsoft.com/WindowsServer/en/library/59d7a747-48dc-42cc-8986-c73db47398a21033.mspx?mfr=true

     

    Applies to

     

    • Windows Server® 2003 operating system
    • Windows Server® 2008 operating system
    • Windows Server® 2008 R2 operating system

    Monday, February 22, 2010 8:50 AM

All replies

  • I'm not sure whether this is the appropriate place to add this but - a (possible) cause that I have seen which is not mentioned above is a request for an AAAA record (IPv6 address) being responded to with an A record (IPv4 address).

    DNS debug logging (Windows 2008 R2 SP1) captured requests to 192.225.156.200 and the corresponding responses. In each case the response was followed in the debug log by the event “The DNS server encountered an invalid domain name in a packet from 192.225.156.200. The packet will be rejected. The event data contains the DNS packet.”

    The domain name in the response was the same as that in the query, and looks OK.

    The logged query shows an AAAA record (IPv6 address) request and the logged response returned an A record (IPv4 address).

    http://www.rfc-editor.org/rfc/rfc4074.txt “Common Misbehavior Against DNS Queries for IPv6 Addresses” says, under “Expected Behavior”:

       Suppose that an authoritative server has an A RR but has no AAAA RR
       for a host name.  Then, the server should return a response to a
       query for an AAAA RR of the name with the response code (RCODE) being
       0 (indicating no error) and with an empty answer section (see
       Sections 4.3.2 and 6.2.4 of [1]).  Such a response indicates that
       there is at least one RR of a different type than AAAA for the
       queried name, and the stub resolver can then look for A RRs.


    Tuesday, April 21, 2015 9:59 AM
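
For triaging the DNS packet that accompanies Event 5504, the following is an added example (not part of the original thread and not Microsoft code). It parses the raw response bytes and reports labels with characters outside the set listed under Cause 3, DNAME records, and answers whose type differs from the question type as observed in the reply above. The sample packet, the name host.example.test and the function names are constructed for illustration.

```python
import struct

LDH = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
TYPES = {1: "A", 5: "CNAME", 28: "AAAA", 39: "DNAME"}

def read_name(pkt, off):
    """Decode a possibly compressed name; return (labels, offset after it)."""
    labels, after, hops = [], None, 0
    while pkt[off]:                              # zero-length root label ends the name
        n = pkt[off]
        if n & 0xC0 == 0xC0:                     # compression pointer
            after = off + 2 if after is None else after
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:                        # refuse looping pointers
                raise ValueError("compression pointer loop")
        else:
            labels.append(pkt[off + 1:off + 1 + n].decode("latin-1"))
            off += 1 + n
    return labels, (off + 1 if after is None else after)

def triage(pkt):
    """Return findings for one DNS response message given as bytes."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, qtypes, findings = 12, set(), []
    for i in range(qd + an + ns + ar):
        labels, off = read_name(pkt, off)
        rtype = struct.unpack("!H", pkt[off:off + 2])[0]
        kind = TYPES.get(rtype, f"TYPE{rtype}")
        for lab in labels:
            if not set(lab) <= LDH:
                findings.append(f"{kind} name: label {lab!r} outside 0-9 a-z A-Z -")
        if i < qd:                               # question entry: QTYPE + QCLASS only
            qtypes.add(kind)
            off += 4
            continue
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        off += 10 + rdlen                        # skip TYPE, CLASS, TTL, RDLENGTH, RDATA
        if rtype == 39:
            findings.append("DNAME record present (KB 920162)")
        elif i < qd + an and rtype != 5 and kind not in qtypes:
            findings.append(f"answer {kind} for question {'/'.join(sorted(qtypes))}")
    return findings

# Constructed sample: an AAAA question for host.example.test answered with an A record.
SAMPLE = (bytes.fromhex("1234 8180 0001 0001 0000 0000")
          + b"\x04host\x07example\x04test\x00" + bytes.fromhex("001c 0001")
          + bytes.fromhex("c00c 0001 0001 0000003c 0004 c0000201"))
if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty list means none of these three conditions was found in the message; a truncated packet raises an exception rather than returning partial findings.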