#1

    Can someone explain these entries to me?


    ok - so I was doing a little test on my backup dns server this morning, making sure it got activity when I pulled the plug on the primary dns server. Mind you - it's really not a backup since both of my dns servers are primary servers (the 2nd dns server is not configured as a secondary to the other).

    In any event I turned on debug logging to make sure queries were being made against it and I'm seeing a lot of strange entries and not sure how to interpret the data.

    It's a Microsoft DNS Server and it's authoritative for our 50 or so domain names.

    so - for instance the last line here looks like it's from www.quickcopy.com.br looking for a resolution for myserver.com?

    by the way: 64.36.241.206 is this particular server and 64.36.241.204 is one of my caching only dns servers which we use (we have a few)

    is that correct?

    just askin...

    20120111 09:42:10 A24 PACKET 0238A220 UDP Snd 98.115.187.6 0000 R Q [8085 A DR NOERROR] A (12)myserver(3)com(0)
    20120111 09:42:17 A24 PACKET 00EF8A20 UDP Rcv 64.36.241.204 7364 Q [0000 NOERROR] A (3)www(10)rickdotson(3)com(12)myserver(3)com(0)
    20120111 09:42:17 A24 PACKET 00EF8A20 UDP Snd 64.36.241.204 7364 R Q [8384 A R NXDOMAIN] A (3)www(10)rickdotson(3)com(12)myserver(3)com(0)
    20120111 09:42:23 A24 PACKET 023801C0 UDP Rcv 64.36.241.206 d33f Q [0001 D NOERROR] PTR (1)3(6)187(3)114(2)98(7)in-addr(4)arpa(0)
    20120111 09:42:23 A24 PACKET 023801C0 UDP Snd 64.36.241.206 d33f R Q [8085 A DR NOERROR] PTR (1)6(3)187(3)115(2)98(7)in-addr(4)arpa(0)
    20120111 09:43:58 A24 PACKET 0238A220 UDP Rcv 64.36.241.204 e599 Q [0000 NOERROR] A (3)www(20)freelimewiredownload(3)net(12)myserver(3)com(0)
    20120111 09:43:58 A24 PACKET 0238A220 UDP Snd 64.36.241.204 e599 R Q [8384 A R NXDOMAIN] A (3)www(20)freelimewiredownload(3)net(12)myserver(3)com(0)
    20120111 09:44:27 A24 PACKET 00EF8A20 UDP Rcv 64.36.241.204 c10f Q [0000 NOERROR] A (3)www(8)guiaunai(3)com(2)br(12)myserver(3)com(0)
    20120111 09:44:27 A24 PACKET 00EF8A20 UDP Snd 64.36.241.204 c10f R Q [8384 A R NXDOMAIN] A (3)www(8)guiaunai(3)com(2)br(12)myserver(3)com(0)
    20120111 09:46:22 A24 PACKET 023801C0 UDP Rcv 64.36.241.204 6019 Q [0000 NOERROR] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
    20120111 09:46:22 A24 PACKET 023801C0 UDP Snd 64.36.241.204 6019 R Q [8384 A R NXDOMAIN] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
  2. #2
    Originally Posted by jjj0923
    64.36.241.204 6019 Q [0000 NOERROR] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
    20120111 09:46:22 A24 PACKET 023801C0 UDP Snd 64.36.241.204 6019 R Q [8384 A R NXDOMAIN] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
    The above is an example of a query and a response. The one with the "Q" is the query and "Q R" is the query response. The "Rcv" is a received packet and "Snd" is the packet sent out. The query was for www.quickcopy.com.au.myserver.com. That host apparently doesn't exist so the response was an NXDOMAIN response. I'm not too familiar with Windows DNS honestly since I've only really used BIND. This might be a configuration problem such as a missing period in a zone or just clients sending out queries appending them with "myserver.com" as a search operation (probably handed out by DHCP).
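An added example, not part of either post: a small Python parser for the debug-log lines quoted in this thread that decodes the `(3)www(3)com(0)` name notation and lists NXDOMAIN responses where a complete public name arrived with the local zone appended, the search-suffix pattern suggested in reply #2. The zone `myserver.com` is taken from the posted log; the `TLDS` set and all function names are assumptions made for this sketch.

```python
import re

# Three lines copied from the debug log quoted in the thread.
SAMPLE = """\
20120111 09:46:22 A24 PACKET 023801C0 UDP Rcv 64.36.241.204 6019 Q [0000 NOERROR] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
20120111 09:46:22 A24 PACKET 023801C0 UDP Snd 64.36.241.204 6019 R Q [8384 A R NXDOMAIN] A (3)www(9)quickcopy(3)com(2)au(12)myserver(3)com(0)
20120111 09:42:10 A24 PACKET 0238A220 UDP Snd 98.115.187.6 0000 R Q [8085 A DR NOERROR] A (12)myserver(3)com(0)
"""

# One PACKET line: direction, peer, transaction id, optional "R", flags, type, name.
LINE = re.compile(
    r"^\d{8}\s+[\d:]+\s+\S+\s+PACKET\s+\S+\s+(?:UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<peer>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R\s+)?\S\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<raw>\(.*\))\s*$"
)

# Assumption: a tiny stand-in for a public-suffix list, enough for the sample.
TLDS = {"com", "net", "org", "br", "au"}

def decode_name(raw):
    """Turn '(3)www(3)com(0)' into 'www.com'."""
    # Length prefixes are not enforced: the posted log was hand-edited ("(12)myserver").
    labels = [lab.lower() for _, lab in re.findall(r"\((\d+)\)([^()]*)", raw) if lab]
    return ".".join(labels)

def parse_line(line):
    """Return a dict for one PACKET line, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("resp") is not None
    rec["rcode"] = rec["flags"].split()[-1]   # last token inside the brackets
    rec["name"] = decode_name(rec.pop("raw"))
    return rec

def suffix_leaks(text, zone):
    """(peer, inner name) for NXDOMAIN responses of the form <public name>.<zone>."""
    hits = []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if not (rec["is_response"] and rec["rcode"] == "NXDOMAIN"):
            continue
        if rec["name"].endswith("." + zone):
            inner = rec["name"][: -len(zone) - 1]
            if "." in inner and inner.rsplit(".", 1)[1] in TLDS:
                hits.append((rec["peer"], inner))
    return hits

if __name__ == "__main__":
    print(suffix_leaks(SAMPLE, "myserver.com"))
```

Grouping the hits by peer address shows which resolver or client is forwarding the suffixed names, which is where the search-list setting would need to be checked.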
