Tracing DNS requests


Hi all.


Our Windows DNS server has been logging hundreds of reverse DNS requests for two IPs. These are being logged every 30 seconds or so.


The DNS server encountered an invalid domain name in a packet from 104.236.146.124. The packet will be rejected. The event data contains the DNS packet.
The DNS server encountered an invalid domain name in a packet from 192.34.59.231. The packet will be rejected. The event data contains the DNS packet.


104.236.146.124 resolves to whopper.fastlink.net

192.34.59.231 resolves to thumper.fastlink.net


I enabled debugging on the DNS server to try to trace what this is but am unsure how to interpret it. Here are the three entries that are logged for each request:

---------------------------------------------------------

27/02/2020 2:16:04 PM 0B7C PACKET 0000007719B8B6F0 UDP Snd 192.34.59.231 dc1f Q [0000 NOERROR] PTR (2)60(3)118(2)96(3)156(7)in-addr(4)arpa(0)
UDP question info at 0000007719B8B6F0
Socket = 11464
Remote addr 192.34.59.231, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x002c (44)
Message:
XID 0xdc1f
Flags 0x0000
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(2)60(3)118(2)96(3)156(7)in-addr(4)arpa(0)"
QTYPE PTR (12)
QCLASS 1
ANSWER SECTION: empty
AUTHORITY SECTION: empty
ADDITIONAL SECTION: empty

27/02/2020 2:16:04 PM 0B7C PACKET 00000077143B2410 UDP Rcv 192.34.59.231 dc1f R Q [0580 REFUSED]
UDP response info at 00000077143B2410
Socket = 11464
Remote addr 192.34.59.231, port 53
Time Query=183354, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x000c (12)
Message:
XID 0xdc1f
Flags 0x8005
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 0
RA 0
Z 0
CD 0
AD 0
RCODE 5 (REFUSED)
QCOUNT 0
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION: empty
ANSWER SECTION: empty
AUTHORITY SECTION: empty
ADDITIONAL SECTION: empty

27/02/2020 2:16:04 PM 0B7C EVENT The DNS server encountered an invalid domain name in a packet from 192.34.59.231. The packet will be rejected. The event data contains the DNS packet.

---------------------------------------------------------

Can anyone advise what these are and how I might go about tracing where these requests are originating?


thanks


jc
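To read the debug entries quoted above, here is an added example (not from the original post and not Microsoft's code) that parses the two PACKET lines: it expands the length-prefixed labels into a name, recovers the address the PTR lookup is for, and unpacks the bracketed flags value, which is the byte-swapped form of the Flags word in the detailed dump (0580 versus 0x8005 in the post). The field layout in the regex and the dictionary keys are my assumptions from the lines as posted; "Snd" is the server's own outbound packet, which is what the summary line reports.

```python
import re

# Constructed sample: the two PACKET lines quoted in the post (query sent, response received).
SAMPLE_LOG = """\
27/02/2020 2:16:04 PM 0B7C PACKET 0000007719B8B6F0 UDP Snd 192.34.59.231 dc1f Q [0000 NOERROR] PTR (2)60(3)118(2)96(3)156(7)in-addr(4)arpa(0)
27/02/2020 2:16:04 PM 0B7C PACKET 00000077143B2410 UDP Rcv 192.34.59.231 dc1f R Q [0580 REFUSED]
"""

# Assumed field layout of a Windows DNS debug-log PACKET line, taken from the lines in the post.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+\s+\S+\s+[AP]M)\s+(?P<tid>[0-9A-F]+)\s+PACKET\s+(?P<ctx>[0-9A-F]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+(?P<xid>[0-9a-f]{4})\s+"
    r"(?:R\s+)?(?P<op>\w)\s+\[(?P<flaghex>[0-9A-Fa-f]{4})\s+(?P<rcode>\w+)\]"
    r"(?:\s+(?P<qtype>\w+)\s+(?P<name>\S+))?\s*$"
)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def decode_name(wire):
    """'(2)60(3)118(2)96(3)156(7)in-addr(4)arpa(0)' -> '60.118.96.156.in-addr.arpa'."""
    return ".".join(l for n, l in re.findall(r"\((\d+)\)([^(]*)", wire) if int(n) > 0)

def ptr_to_ipv4(name):
    """Reverse the four in-addr.arpa octets back into the address being looked up."""
    parts = name.split(".")
    if len(parts) == 6 and parts[4:] == ["in-addr", "arpa"]:
        return ".".join(reversed(parts[:4]))
    return None

def decode_flags(bracket_hex):
    """The bracketed value is the byte-swapped DNS flags word (0580 in the post == Flags 0x8005)."""
    v = int(bracket_hex, 16)
    w = ((v & 0xFF) << 8) | (v >> 8)
    return {"word": w, "qr": w >> 15, "opcode": (w >> 11) & 0xF, "rcode": w & 0xF}

def parse_packet_line(line):
    m = PACKET_RE.match(line)
    if not m:
        return None
    name = decode_name(m["name"]) if m["name"] else None
    return {"direction": m["dir"], "remote": m["remote"], "xid": m["xid"],
            "flags": decode_flags(m["flaghex"]), "qtype": m["qtype"], "name": name,
            "target_ip": ptr_to_ipv4(name) if name else None}

def summarize(pkt):
    """One-line reading: Snd with QR=0 means this server sent the query itself."""
    f = pkt["flags"]
    if pkt["direction"] == "Snd" and f["qr"] == 0:
        target = f" (reverse lookup of {pkt['target_ip']})" if pkt["target_ip"] else ""
        return f"xid {pkt['xid']}: this server sent {pkt['qtype']} {pkt['name']}{target} to {pkt['remote']}"
    return f"xid {pkt['xid']}: {pkt['direction']} from {pkt['remote']}, QR={f['qr']}, rcode {RCODES.get(f['rcode'], str(f['rcode']))}"
```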

1 Reply

@whatwaht We have the same issue. Did you find the solution?