Can anyone explain these messages

Jim Reid jim at rfc1035.com
Tue Dec 5 23:45:58 UTC 2000


>>>>> "Mike" == O'Neill, Mike <mike.oneill at myflorida.com> writes:

    Mike> Inside DNS server(168.82.56.50) behind our PIX firewall
    Mike> encountering messages from an outside DNS
    Mike> server(199.1.17.22).

    Mike> 199.1.17.22 is not allowed inside our network.

That question is probably best answered by Cisco's PIX support
people. The above message looks like it's coming from the firewall,
not a name server. I'd guess at either a misconfiguration of the
firewall or else there's a backdoor route to 199.1.17.22 on your
network, i.e. packets with 199.1.17.22 as a source address are being
picked up by the internal network interface. The log messages you showed
suggest that the problem is just a warning, so perhaps the rejected
traffic is innocuous? Maybe something is broken on 199.1.17.22,
perhaps a misconfigured forwarding name server or resolver? Or maybe
it's picking up incorrect information from the DNS which says it can
query 168.82.56.50 for some name.

    Mike> Contacted administrator for DNS at 199.1.17.22, they can not
    Mike> ping to, traceroute to, or access 168.82.56.50 via port 53.
    Mike> This is as it should be.

But could it be that an application or name server at 199.1.17.22 has
a valid reason to query your name server for something? You say that
access is denied to 199.1.17.22 and "this is as it should be", but if
that's the case, why is it sending queries to your name server?
There's no way anyone here can answer that unless you show packet
traces or query logs. Even then it's doubtful if anyone on the list
can help. You really need to sort this out with the administrator of
199.1.17.22.

    Mike> Any ideas on what these DNS messages mean as seen in
    Mike> 168.82.56.50's log ?

    Mike> 001204	15:29:59	Dns	Warning	None	5506	NA
    Mike> FDHCTLH00	DNS Server encountered invalid domain name offset in packet.
    Mike> Offset is the error.
    Mike> 001204	15:29:59	Dns	Warning	None	5504	NA
    Mike> FDHCTLH00	DNS Server encountered invalid domain name in packet from
    Mike> 199.1.17.22. Packet is rejected.

Again, ask whoever supports your PIX box. These messages do not
resemble anything that a BIND implementation reports.

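As an added illustration of what a "invalid domain name offset in packet" check is looking for (this is example code written for this page, not the thread's, BIND's, or any vendor's implementation): the decoder below reads RFC 1035 domain names and rejects compression pointers that fall outside the packet or do not point strictly backward, which is exactly the sort of offset error that makes a server throw the whole packet away. All packets are constructed inline; the addresses from the thread are not involved.

```python
"""DNS name decoding with compression-pointer validation (RFC 1035 §4.1.4).

Constructed example: a small parser plus hand-built packets showing the
malformed name offsets that a DNS server rejects rather than parses.
"""
from __future__ import annotations

import struct

MAX_NAME = 255  # RFC 1035 §2.3.4: total name length limit in octets


class InvalidNameOffset(ValueError):
    """A compression pointer that is truncated, out of bounds, or not backward."""


def read_name(pkt: bytes, offset: int, max_jumps: int = 16) -> tuple[str, int]:
    """Decode the domain name at `offset`, enforcing the pointer rules.

    Returns (dotted_name, offset_of_the_field_following_the_name).
    """
    labels: list[str] = []
    name_len = 0
    pos = offset
    resume = None           # offset after the name; fixed at the first pointer
    jumps = 0
    while True:
        if pos >= len(pkt):
            raise InvalidNameOffset(f"name runs past end of packet at offset {pos}")
        octet = pkt[pos]
        if octet & 0xC0 == 0xC0:
            # Two-octet compression pointer: 11xxxxxx xxxxxxxx (14-bit offset)
            if pos + 1 >= len(pkt):
                raise InvalidNameOffset(f"truncated pointer at offset {pos}")
            target = struct.unpack_from("!H", pkt, pos)[0] & 0x3FFF
            if resume is None:
                resume = pos + 2
            if target >= len(pkt):
                raise InvalidNameOffset(
                    f"pointer at {pos} targets offset {target} beyond packet end")
            if target >= pos:
                # A pointer must refer to a *prior* occurrence of a name.
                # Forward or self pointers are how a loop would be built;
                # strictly backward pointers cannot loop.
                raise InvalidNameOffset(
                    f"pointer at {pos} is not backward (target {target})")
            jumps += 1
            if jumps > max_jumps:  # guard against long pointer-to-pointer chains
                raise InvalidNameOffset("too many compression pointers in one name")
            pos = target
        elif octet & 0xC0:
            # 01xxxxxx / 10xxxxxx label types are reserved, so a label can
            # never be longer than 63 octets here.
            raise InvalidNameOffset(f"reserved label type 0x{octet:02x} at offset {pos}")
        elif octet == 0:
            if resume is None:
                resume = pos + 1
            return (".".join(labels) + "." if labels else "."), resume
        else:
            start, stop = pos + 1, pos + 1 + octet
            if stop > len(pkt):
                raise InvalidNameOffset(f"label at offset {pos} runs past end of packet")
            name_len += octet + 1
            if name_len > MAX_NAME:
                raise InvalidNameOffset("name exceeds 255 octets")
            labels.append(pkt[start:stop].decode("ascii", errors="replace"))
            pos = stop


def parse_packet_names(pkt: bytes) -> dict:
    """Decode every owner name in the question and answer sections.

    Any bad offset rejects the whole packet, as a server would.
    """
    if len(pkt) < 12:
        return {"ok": False, "reason": "short header"}
    _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    names: list[str] = []
    pos = 12
    try:
        for _ in range(qd):
            name, pos = read_name(pkt, pos)
            names.append(name)
            pos += 4                                # QTYPE, QCLASS
        for _ in range(an):
            name, pos = read_name(pkt, pos)
            names.append(name)
            if pos + 10 > len(pkt):
                raise InvalidNameOffset("truncated resource record header")
            rdlength = struct.unpack_from("!H", pkt, pos + 8)[0]
            pos += 10 + rdlength                    # TYPE, CLASS, TTL, RDLENGTH, RDATA
            if pos > len(pkt):
                raise InvalidNameOffset("RDATA runs past end of packet")
    except InvalidNameOffset as exc:
        return {"ok": False, "reason": str(exc)}
    return {"ok": True, "names": names}


# Constructed packets: a response with one question and one A record.
HEADER = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # example.com A IN
A_RR_TAIL = struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])


def response_with_answer_name(answer_name: bytes) -> bytes:
    """Assemble a 45-byte-ish response; the answer's owner name sits at offset 29."""
    return HEADER + QUESTION + answer_name + A_RR_TAIL


GOOD = response_with_answer_name(b"\xC0\x0C")          # pointer back to offset 12
FORWARD = response_with_answer_name(b"\xC0\x2B")       # offset 43: ahead of itself
OUT_OF_RANGE = response_with_answer_name(b"\xC0\xFF")  # offset 255: beyond the packet
SELF_LOOP = response_with_answer_name(b"\xC0\x1D")     # offset 29: points at itself

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("forward", FORWARD),
                       ("out-of-range", OUT_OF_RANGE), ("self-loop", SELF_LOOP)]:
        print(f"{label:13s} {parse_packet_names(pkt)}")
```

The backward-only rule does the heavy lifting: because every accepted pointer moves strictly toward the start of the packet, a name can neither loop nor escape the buffer, and the jump cap only bounds how much work a pathological but legal chain of pointers can cost.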