
DNS excessive traffic root hints


archaic

IS-IT--Management
Feb 28, 2002
5
GB
All,

I have been getting constant, continuous, excessive traffic to root servers for the last few weeks from the dns.exe process. The server is at Windows 2000 SP4 with the latest patches and ver 5.0.2195.6715 of dns.exe.

Everything is configured for standard domain setup and is giving the same behaviour if I use forwarders instead of root hints.

The Network Monitor output is below for the queries it is sending and receiving continuously.

Can anyone tell me if this is an MS bug or a configuration error?
-----------------------------------------------------------
165 12.984375 LOCAL 000F24ABEFC0 DNS 0x3A7E:Std Qry for . of type Host Addr on class INET addr. SILSCRS01 193.0.14.129 IP
Frame: Base frame properties
Frame: Time of capture = 2/9/2005 11:26:13.796
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 165
Frame: Total frame length: 59 bytes
Frame: Capture frame length: 59 bytes
Frame: Frame data: Number of data bytes remaining = 59 (0x003B)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000F24ABEFC0
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 000BCDAFC9E3
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 59 (0x003B)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 45 (0x002D)
IP: ID = 0xA772; Proto = UDP; Len: 45
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 45 (0x2D)
IP: Identification = 42866 (0xA772)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = ERROR: CheckSum is 0x0000, Should be 0x0222
IP: Source Address = 192.168.1.2
IP: Destination Address = 193.0.14.129
IP: Data: Number of data bytes remaining = 25 (0x0019)
UDP: Src Port: Unknown, (1179); Dst Port: DNS (53); Length = 25 (0x19)
UDP: Source Port = 0x049B
UDP: Destination Port = DNS
UDP: Total length = 25 (0x19) bytes
UDP: UDP Checksum = 0x2D41
UDP: Data: Number of data bytes remaining = 17 (0x0011)
DNS: 0x3A7E:Std Qry for . of type Host Addr on class INET addr.
DNS: Query Identifier = 14974 (0x3A7E)
DNS: DNS Flags = Query, OpCode - Std Qry, RCode - No error
DNS: 0............... = Request
DNS: .0000........... = Standard Query
DNS: .....0.......... = Server not authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........0....... = No recursive queries
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 0 (0x0)
DNS: Name Server Count = 0 (0x0)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: . of type Host Addr on class INET addr.
DNS: Question Name: .
DNS: Question Type = Host Address
DNS: Question Class = Internet address class
00000: 00 0F 24 AB EF C0 00 0B CD AF C9 E3 08 00 45 00 ..$....E.
00010: 00 2D A7 72 00 00 80 11 00 00 C0 A8 01 02 C1 00 .-r..?......
00020: 0E 81 04 9B 00 35 00 19 2D 41 3A 7E 00 00 00 01 ..?.5..-A:~....
00030: 00 00 00 00 00 00 00 00 01 00 01 ...........
----------------------------------------------------------
163 12.984375 000F24ABEFC0 LOCAL DNS 0xA3E:Std Qry Resp. Auth. NS is . of type SOA on class INET addr. 193.0.14.129 SILSCRS01 IP
Frame: Base frame properties
Frame: Time of capture = 2/9/2005 11:26:13.796
Frame: Time delta from previous physical frame: 0 microseconds
Frame: Frame number: 163
Frame: Total frame length: 134 bytes
Frame: Capture frame length: 134 bytes
Frame: Frame data: Number of data bytes remaining = 134 (0x0086)
ETHERNET: ETYPE = 0x0800 : Protocol = IP: DOD Internet Protocol
ETHERNET: Destination address : 000BCDAFC9E3
ETHERNET: .......0 = Individual address
ETHERNET: ......0. = Universally administered address
ETHERNET: Source address : 000F24ABEFC0
ETHERNET: .......0 = No routing information present
ETHERNET: ......0. = Universally administered address
ETHERNET: Frame Length : 134 (0x0086)
ETHERNET: Ethernet Type : 0x0800 (IP: DOD Internet Protocol)
ETHERNET: Ethernet Data: Number of data bytes remaining = 120 (0x0078)
IP: ID = 0x0; Proto = UDP; Len: 120
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Precedence = Routine
IP: Type of Service = Normal Service
IP: Total Length = 120 (0x78)
IP: Identification = 0 (0x0)
IP: Flags Summary = 2 (0x2)
IP: .......0 = Last fragment in datagram
IP: ......1. = Cannot fragment datagram
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 58 (0x3A)
IP: Protocol = UDP - User Datagram
IP: Checksum = 0xAF49
IP: Source Address = 193.0.14.129
IP: Destination Address = 192.168.1.2
IP: Data: Number of data bytes remaining = 100 (0x0064)
UDP: Src Port: DNS, (53); Dst Port: Unknown (1179); Length = 100 (0x64)
UDP: Source Port = DNS
UDP: Destination Port = 0x049B
UDP: Total length = 100 (0x64) bytes
UDP: UDP Checksum = 0x7342
UDP: Data: Number of data bytes remaining = 92 (0x005C)
DNS: 0xA3E:Std Qry Resp. Auth. NS is . of type SOA on class INET addr.
DNS: Query Identifier = 2622 (0xA3E)
DNS: DNS Flags = Response, OpCode - Std Qry, AA Bits Set, RCode - No error
DNS: 1............... = Response
DNS: .0000........... = Standard Query
DNS: .....1.......... = Server authority for domain
DNS: ......0......... = Message complete
DNS: .......0........ = Iterative query desired
DNS: ........0....... = No recursive queries
DNS: .........000.... = Reserved
DNS: ............0000 = No error
DNS: Question Entry Count = 1 (0x1)
DNS: Answer Entry Count = 0 (0x0)
DNS: Name Server Count = 1 (0x1)
DNS: Additional Records Count = 0 (0x0)
DNS: Question Section: . of type Host Addr on class INET addr.
DNS: Question Name: .
DNS: Question Type = Host Address
DNS: Question Class = Internet address class
DNS: Authority Section: . of type SOA on class INET addr.
DNS: Resource Name: .
DNS: Resource Type = Start of zone of authority
DNS: Resource Class = Internet address class
DNS: Time To Live = 86400 (0x15180)
DNS: Resource Data Length = 64 (0x40)
DNS: Primary Name Server: a.root-servers.net.
DNS: Responsible Authorative Mailbox: nstld.verisign-grs.com.
DNS: Version number = 2005020801 (0x77823081)
DNS: Refresh Interval = 1800 (0x708)
DNS: Retry interval = 900 (0x384)
DNS: Expiration Limit = 604800 (0x93A80)
DNS: Minimum TTL = 86400 (0x15180)
00000: 00 0B CD AF C9 E3 00 0F 24 AB EF C0 08 00 45 00 ....$..E.
00010: 00 78 00 00 40 00 3A 11 AF 49 C1 00 0E 81 C0 A8 .x..@.:.I..
00020: 01 02 00 35 04 9B 00 64 73 42 0A 3E 84 00 00 01 ...5.?.dsB.>?...
00030: 00 00 00 01 00 00 00 00 01 00 01 00 00 06 00 01 ................
00040: 00 01 51 80 00 40 01 61 0C 72 6F 6F 74 2D 73 65 ..Q?.@.a.root-se
00050: 72 76 65 72 73 03 6E 65 74 00 05 6E 73 74 6C 64 rvers.net..nstld
00060: 0C 76 65 72 69 73 69 67 6E 2D 67 72 73 03 63 6F .verisign-grs.co
00070: 6D 00 77 82 30 81 00 00 07 08 00 00 03 84 00 09 m.w?0.......?..
00080: 3A 80 00 01 51 80 :?..Q?

 
See below and article

-----------------------------------------
In news:euAFfosDFHA.2220@TK2MSFTNGP09.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin@nospam.WFTX.US> made a post then I
commented below

> One of your clients may have an incorrect DNS suffix in the DNS suffix
> search list.
> Incorrect in the fact that the DNS suffix is appended by the DNS
> client. If you don't have a zone for the DNS suffix being appended,
> the DNS server will forward or use recursion to find the
> authoritative DNS server for this DNS suffix.
>
> running ipconfig /all from a command prompt will list the DNS
> suffixes being appended. The DNS suffix search list is pulled from
> the Primary and Connection specific DNS suffix, or it can be manually
> configured.

To add, this can be caused by a single label name lookup. If AD is
configured with a single label name, this can cause this as well, hence why
W2kSP4 and later OS will not register into DNS to avoid the excessive Root
lookups.

I can't tell by the netmon capture if this is the case, nor did Howard
provide any configuration information about his system, since all I see is
the dot (".") lookup in the query request in the capture, therefore that is
why I base this assumption.

For Howard, a single label name example is:
"domain"

And a proper formed name is:
"domain.net", "domain.com", etc.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================