External IP addresses showing up in internal DNS logs??

Archived from groups: microsoft.public.win2000.dns

I turned on the logging feature on both of my DNS servers to monitor the DNS
traffic and see if I could troubleshoot some DNS issues we have been having.
I turned on all the logging features: query, notify, update, questions,
answers, send, receive, UDP, TCP, full packets, write through. Unfortunately
I don't know how to read the logs (Doohh!).

Here is an example from one of my DNS logs (see below). This is an internal
DNS server (Windows 2000 AS, updated to the most recent critical updates
and service packs) and there are external IPs showing up in both the SND
and RCV packet captures.

I don't have forwarding enabled (yet); should I? And should I have external
IPs in my DNS logs under both the SND and RCV packet captures?

What are the best practices on DNS logging for MS servers?

Thanks in advance for the help.
Mike H.

Packet Capture from MS W2k AS Server DNS log
******************************************************************************
Snd 210.94.0.15 09a0 Q [0000 NOERROR]
(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)
UDP question info at 022E900C
Socket = 400
Remote addr 210.94.0.15, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0200 (512)
Msg length = 0x002c (44)
Message:
XID 0x09a0
Flags 0x0000
QR 0 (question)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
RCODE 0 (NOERROR)
QCOUNT 0x1
ACOUNT 0x0
NSCOUNT 0x0
ARCOUNT 0x0
Offset = 0x000c, RR count = 0
Name "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)"
QTYPE PTR (12)
QCLASS 1
ANSWER SECTION:
AUTHORITY SECTION:
ADDITIONAL SECTION:
*********************************************************************************
 

In news:%23JS0kz3cFHA.3932@TK2MSFTNGP12.phx.gbl,
Michael H. <hawesmm@NO-MORE-SPAM-hotmail..com> posted this:
> I turned on the logging feature on both of my DNS servers to monitor
> the DNS
> traffic and see if I could troubleshoot some DNS issues we have been
> having.
> I turned on all the logging features query, notify, update, questions,
> answers, send, receive, UDP, TCP, Full packets, Write Through.
> Unfortunately
> I don't know how to read the logs (Doohh!).
>
> Here is an example in one of my DNS logs. (See Below) This is an
> internal
> DNS server (Windows 2000 AS - updated to the most recent critical
> updates
> and service packs) and there is/are external IP showing up in both
> the SND
> and RCV packet captures.
>
> I don't have forwarding enabled, (yet) should I? and should I have
> external
> IPs in my DNS logs both under the SND and RCV packet captures?

Forwarding is not required but is recommended, to offload some of the
external resolution to an external DNS server.
In the entry below I see it is for a reverse lookup, which tends to make me
believe you have a mail server.
The public IP you see DNS connecting to (210.94.0.15) is expected, since the
DNS server at that IP is authoritative for the PTR
(143.58.98.222.in-addr.arpa) your DNS is looking up. By the way, the
PTR does not exist. I also believe this IP is for a spam server in Korea.

>
> What are the best practices on DNS logging for MS servers?

Long-term logging like this is not recommended due to the extra load put on
the DNS service to write these logs, and it has been known to cause the DNS
service to fail when under high load. If there is anything you don't want in
an Active Directory environment, it is for the DNS service to fail.
This type of logging should be enabled only for short-term diagnostics.

>
> Thanks in advance for the help.
> Mike H.
>
> Packet Capture from MS W2k AS Server DNS log
> ******************************************************************************
> Snd 210.94.0.15 09a0 Q [0000 NOERROR]
> (3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)
> UDP question info at 022E900C
> Socket = 400
> Remote addr 210.94.0.15, port 53
> Time Query=0, Queued=0, Expire=0
> Buf length = 0x0200 (512)
> Msg length = 0x002c (44)
> Message:
> XID 0x09a0
> Flags 0x0000
> QR 0 (question)
> OPCODE 0 (QUERY)
> AA 0
> TC 0
> RD 0
> RA 0
> Z 0
> RCODE 0 (NOERROR)
> QCOUNT 0x1
> ACOUNT 0x0
> NSCOUNT 0x0
> ARCOUNT 0x0
> Offset = 0x000c, RR count = 0
> Name "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)"
> QTYPE PTR (12)
> QCLASS 1
> ANSWER SECTION:
> AUTHORITY SECTION:
> ADDITIONAL SECTION:
> *********************************************************************************



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
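As an added example (not code from the original thread), here is a small Python reader for entries in the layout Mike posted. It decodes the length-prefixed name into 143.58.98.222.in-addr.arpa, reverses the octets to the address being looked up (222.98.58.143), and uses the direction (Snd/Rcv), the QR and RD flags and whether the remote address is internal to say what each packet means. A Snd question to an external address on port 53 with RD 0 is the server itself walking the delegation for a zone it is not authoritative for, which is what Kevin describes as expected. The check a security reviewer adds on top is the mirror case: a Rcv question from an external address with RD 1 is somebody outside asking this server to recurse on their behalf, and should prompt a look at whether recursion is open to the Internet. The internal address ranges, the two extra Rcv records and the addresses 192.168.10.25 and 203.0.113.7 are constructed assumptions; the parser keys on the Snd/Rcv token and the detail lines, so whatever precedes them on the line is tolerated.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Ranges treated as "internal" (RFC 1918 plus loopback and link-local); adjust to your plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample. Record 1 is the Snd entry from the post, cut down to the lines this
# parser reads; records 2 and 3 are made up: inbound queries from an internal client and
# from an external host, both asking for recursion. The bracketed flag field is not parsed.
SAMPLE_LOG = """\
Snd 210.94.0.15 09a0 Q [0000 NOERROR]
Remote addr 210.94.0.15, port 53
QR 0 (question)
RD 0
Name "(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)"
QTYPE PTR (12)

Rcv 192.168.10.25 1a2b Q [0100 NOERROR] (3)www(7)example(3)com(0)
Remote addr 192.168.10.25, port 1045
QR 0 (question)
RD 1
Name "(3)www(7)example(3)com(0)"
QTYPE A (1)

Rcv 203.0.113.7 77aa Q [0100 NOERROR] (3)www(7)example(3)com(0)
Remote addr 203.0.113.7, port 3301
QR 0 (question)
RD 1
Name "(3)www(7)example(3)com(0)"
QTYPE A (1)
"""

RECORD_START = re.compile(r"\b(Snd|Rcv)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4})\b")
FIELDS = {  # detail lines that follow a Snd/Rcv line; the first capture group is kept
    "remote_ip": re.compile(r"^Remote addr (\S+), port \d+"),
    "qr": re.compile(r"^QR (\d)"),
    "rd": re.compile(r"^RD (\d)"),
    "name": re.compile(r'^Name "([^"]*)"'),
    "qtype": re.compile(r"^QTYPE (\w+)"),
}


def decode_labels(encoded: str) -> str:
    """'(3)143(2)58(2)98(3)222(7)in-addr(4)arpa(0)' -> '143.58.98.222.in-addr.arpa'.
    Each (n) is the length of the label that follows it; (0) is the root label."""
    labels = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if int(length) == 0:
            break
        if len(text) != int(length):
            raise ValueError(f"label {text!r} does not match its length {length}")
        labels.append(text)
    return ".".join(labels)


def ptr_target(name: str) -> Optional[str]:
    """For an IPv4 reverse-lookup name, return the address being looked up."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(rec: Dict[str, str]) -> str:
    """What the packet means from the DNS server's own point of view."""
    ip = ipaddress.ip_address(rec["remote_ip"])
    external = not any(ip in net for net in INTERNAL_NETS)
    if rec.get("qr") != "0":
        return "answer from an external server (expected during recursion)" if external else "answer from an internal server"
    if rec["direction"] == "Snd" and external and rec.get("rd") == "0":
        return "outbound iterative query to an external authoritative server (expected during recursion)"
    if rec["direction"] == "Rcv" and external and rec.get("rd") == "1":
        return "inbound recursive query from an external address: verify the server is not an open resolver"
    if rec["direction"] == "Rcv" and not external:
        return "query from an internal client (normal)"
    return "unclassified: review by hand"


def analyze(text: str) -> List[Dict[str, str]]:
    """One record per Snd/Rcv line; the detail lines that follow fill in its fields."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        start = RECORD_START.search(line)
        if start:
            current = {"direction": start.group(1), "remote_ip": start.group(2), "xid": start.group(3)}
            records.append(current)
        elif current is not None:
            for key, pattern in FIELDS.items():
                m = pattern.match(line)
                if m:
                    current[key] = m.group(1)
                    break
    for rec in records:
        rec["name"] = decode_labels(rec["name"]) if "name" in rec else ""
        rec["ptr_target"] = ptr_target(rec["name"]) or ""
        rec["verdict"] = classify(rec)
    return records


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r["direction"], r["remote_ip"], r.get("qtype"), r["name"], r["ptr_target"], "|", r["verdict"])
```

Run it against an exported dns.log in place of SAMPLE_LOG and grep the output for "inbound recursive"; for the entry in the thread it reports the PTR lookup for 222.98.58.143 as an expected outbound iterative query, which matches Kevin's reading.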
 

Thanks Kevin for the answers.

Yes, I do have a mail server (Novell GroupWise), but I'm still wondering if I
should be concerned about having these external IP addresses show up in my DNS
log?

Is my mail server looking this address up to confirm the existence of the
sender's domain? SPAM... is it receiving spam or relaying it, and is there a
way to tell with DNS?

Thanks,
Mike H.


"Kevin D. Goodknecht Sr. [MVP]" <admin@nospam.WFTX.US> wrote in message
news:%23Xl4$a5cFHA.3032@TK2MSFTNGP10.phx.gbl...
> In news:%23JS0kz3cFHA.3932@TK2MSFTNGP12.phx.gbl,
> Michael H. <hawesmm@NO-MORE-SPAM-hotmail..com> posted this:
>> I turned on the logging feature on both of my DNS servers to monitor
>> the DNS
>> traffic and see if I could troubleshoot some DNS issues we have been
>> having.
>> I turned on all the logging features query, notify, update, questions,
>> answers, send, receive, UDP, TCP, Full packets, Write Through.
>> Unfortunately
>> I don't know how to read the logs (Doohh!).
>>
>> Here is an example in one of my DNS logs. (See Below) This is an
>> internal
>> DNS server (Windows 2000 AS - updated to the most recent critical
>> updates
>> and service packs) and there is/are external IP showing up in both
>> the SND
>> and RCV packet captures.
>>
>> I don't have forwarding enabled, (yet) should I? and should I have
>> external
>> IPs in my DNS logs both under the SND and RCV packet captures?
>
> Forwarding is not required but is recommended to off load some of the
> external resolution to an external DNS server.
> In the entry below I see it is for a reverse lookup which tends to make me
> believe you have a mail server.
> The public IP you see DNS connecting to (210.94.0.15) is expected since
> the
> DNS server at that IP is authoritative for the PTR
> (143.58.98.222.in-addr.arpa) your DNS is looking up. Which by the way, the
> PTR does not exist. I also believe this IP is for a Spam server in Korea.
>
>>
>> What are the best practices on DNS logging for MS servers?
>
> Long term logging like this is not recommended due to the extra load put
> on
> the DNS service to write these logs, and has been known to cause the DNS
> service to fail when under high load. If there is anything you don't want
> in
> an Active Directory environment, is to have the DNS service fail.
> This type of logging should be enabled only for short term diagnostics.
>
>>
>> Thanks in advance for the help.
>> Mike H.
>>
 

In news:%234hIqCddFHA.3620@TK2MSFTNGP09.phx.gbl,
Mike H. <ddplyr@NO-MORE-SPAM-gmail.com> posted this:
> Thanks Kevin for the answers.
>
> Yes, I do have a mail server (Novell GroupWise) but I'm still
> wondering if I
> should be concerned about having these external IP address show up in
> my DNS
> log?

No, you should not be concerned about this; it is normal for mail servers to do
this PTR lookup.

>
> Is my mail server looking up this address up to confirm existence of
> the
> senders domain?

Your mail server looks up the IP of any mail server sending mail to it. Some
mail servers use this to decide if it is going to accept mail from the
server for the domain.

> SPAM... is it receiving spam or relaying it and is there a
> way to tell with DNS?

No, you can't tell with DNS if your mail server is accepting spam or relaying
mail.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps