Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 5504 Source: DNS

Source
Level
Description
DNS Server encountered invalid domain name in packet from <IP address>. Packet is rejected.
Comments
 
This problem may occur because Windows Server 2003 does not support DNAME resource records as specified in Request for Comments (RFC) 2672. See ME920162 for a hotfix applicable to Microsoft Windows Server 2003.

See MSW2KDB for additional information about this event.
We use our ISP's DNS server as forwarders. I called them and got the address of a different server from the current one we were using and changed my forwarder address to that one. We have not had this event ID since.
I have come across this event at two clients and I have resolved the problem using the same technique. The issue shows itself very similar to Tracy Willingham's comment, a DNS Event 5504 every 10-20 minutes, however all DNS settings were ok, with no forwarding, and clearing the DNS cache did not help.
For client ABC's issue, I used a packet sniffer to see what was "invalid" in the DNS packet replies. It showed that the packets were caused by ABC's Exchange 2003 server sending "postmaster@abc.com - mail non-deliverable" notifications to spoofed email addresses/domains. The postmaster emails would not time-out from the Exchange queues - so, every 15 minutes it would resend the notifications and receive the invalid packet (with the spoofed address/domain) in reply. To resolve the problem, I went into each queue containing a postmaster message to a spoofed address and I deleted it (without NDR) and cleared the DNS cache. If you should continue to receive the event, use a packet sniffer (I used Ethereal) to see which other domain names are being queried and delete the respective queued postmaster message(s).
I was getting this event several times every 10-20 minutes for about 2 weeks. The IP address listed in the description belonged to doubleclick.net. At the same time our internet had become very slow. I fixed the problem by checking that our ISP's DNS IP addresses were set as forwarders. There was an address there but it did not belong to our ISP. After the change, the internet returned to normal speed and the events stopped occurring.
As the message is suggesting, the DNS server has received an invalid domain name. By invalid it means that it contains invalid characters. MS DNS only supports 0-9, a-z, A-Z, . (dot), and - (hyphen) as part of a domain name. Some other DNS servers may not strictly enforce RFC 952 (DOD INTERNET HOST TABLE SPECIFICATION) so invalid names reach the DNS server and the 5504 message is recorded.  Usually this happens when Forwarders are used by the DNS server. Microsoft suggested to one user to turn off the forwarder in order to eliminate these messages. There used to be a Knowledge Base article "ME246797 - DNS EVENT IDS 5504, 9999, AND 5000 FILL EVENT VIEWER" but is no longer available.
Another condition that may generated these messages is when the Internet connection is saturated or not working properly (losing packets). Because of the poor Internet connection, the DNS may receive incomplete or corrupted data and 5504 is generated.

Article ME154554 (not available anymore) stated that Windows NT 4.0 DNS server does not enforce the name restrictions, and will do WINS lookup for host names containing invalid characters. It is not recommended to use invalid host names. Other DNS server may have problems with names containing invalid characters."

Several newsgroup posts listed 216.73.xx.xx as the IP address. These addresses point to various ns.doubleclick.net DNS servers and apparently these servers providing resolution for the DoubleClick ad servers are generating this type of problems.


See ME838969 for a hotfix applicable to Microsoft Windows 2000.

From a newsgroup post: "I spoke to MS about this, they say to turn off the forwarder to make this error go away".
See ME241352 on how to prevent DNS Cache Polution.
As per ME314803, certain queries to the DNS server (like a reverse lookup) result in a response that contains a damaged data section, and this can occur when the data in the packet uses compression. Between other symptoms, this event may be recorded.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...