Can someone explain these entries to me?

Dev Shed Forums Sponsor:

January 11th, 2012, 08:59 AM

jjj0923

Registered User

Join Date: Apr 2007

Posts: 12

Time spent in forums: 1 h 35 m 9 sec
Reputation Power: 0

Can someone explain these entries to me?

ok - so I was doing a little test on my backup dns server this morning, making sure it got activity when I pulled the plug on the primary dns server. Mind you - it's really not a backup since both of my dns servers are primary servers (the 2nd dns server is not configured a s a secondary to the other).

In any event I turned on debug logging to make sure queries were being made against it and I'm seeing a lot of strange entries and not sure how to interpret the data.

It's a Microsoft DNS Server and it's authoritative for our 50 or so domain names.

so - for instance the last line here looks lik it's from www.quickcopy.com.br looking for a resolution for myserver.com?

by the way: 64.36.241.206 is this particular server and 64.36.241.204 is one of my caching only dns server which we use (we have a few)

is that correct?

just askin...

20120111 09:42:10 A24 PACKET 0238A220 UDP Snd 98.115.187.6 0000 R Q [8085 A DR NOERROR] A (12)myserver(3)com(0)
20120111 09:42:17 A24 PACKET 00EF8A20 UDP Rcv 64.36.241.204 7364 Q [0000 NOERROR] A (3)www(10)rickdotson(3)com(12)myserver(3)com(0)
20120111 09:42:17 A24 PACKET 00EF8A20 UDP Snd 64.36.241.204 7364 R Q [8384 A R NXDOMAIN] A (3)www(10)rickdotson(3)com(12)myserver(3)com(0)
20120111 09:42:23 A24 PACKET 023801C0 UDP Rcv 64.36.241.206 d33f Q [0001 D NOERROR] PTR (1)3(6)187(3)114(2)98(7)in-addr(4)arpa(0)
20120111 09:42:23 A24 PACKET 023801C0 UDP Snd 64.36.241.206 d33f R Q [8085 A DR NOERROR] PTR (1)6(3)187(3)115(2)98(7)in-addr(4)arpa(0)
20120111 09:43:58 A24 PACKET 0238A220 UDP Rcv 64.36.241.204 e599 Q [0000 NOERROR] A (3)www(20)freelimewiredownload(3)net(12)myserver(3)com(0)
20120111 09:43:58 A24 PACKET 0238A220 UDP Snd 64.36.241.204 e599 R Q [8384 A R NXDOMAIN] A (3)www(20)freelimewiredownload(3)net(12)myserver(3)com(0)
20120111 09:44:27 A24 PACKET 00EF8A20 UDP Rcv 64.36.241.204 c10f Q [0000 NOERROR] A (3)www(8)guiaunai(3)com(2)br(12)myserver(3)com(0)
20120111 09:44:27 A24 PACKET 00EF8A20 UDP Snd 64.36.241.204 c10f R Q [8384 A R NXDOMAIN] A (3)www(8)guiaunai(3)com(2)br(12)myserver(3)com(0)
20120111 09:46:22 A24 PACKET 023801C0 UDP Rcv 64.36.241.204 6019 Q [0000 NOERROR] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
20120111 09:46:22 A24 PACKET 023801C0 UDP Snd 64.36.241.204 6019 R Q [8384 A R NXDOMAIN] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)

January 11th, 2012, 10:53 AM

CaptPikel

Contributing User

Join Date: Nov 2010

Location: Florida

Posts: 240

Time spent in forums: 3 Days 13 h 6 m 12 sec
Reputation Power: 2

Quote:

Originally Posted by jjj0923

64.36.241.204 6019 Q [0000 NOERROR] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
20120111 09:46:22 A24 PACKET 023801C0 UDP Snd 64.36.241.204 6019 R Q [8384 A R NXDOMAIN] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)

The above is an example of a query and a response. The one with the "Q" is the query and "Q R" is the query response. The "Rcv" is a received packet and "Snd" is the packet sent out. The query was for www.quickcopy.com.au.myserver.com. That host apparently doesn't exist so the response was an NXDOMAIN response. I'm not too familiar with Windows DNS honestly since I've only really used BIND. This might be a configuration problem such as a missing period in a zone or just clients sending out queries appending them with "myserver.com" as a search operation (probably handed out by DHCP).