Fritters

asked:
Am I being attacked?

The event log shows repeated errors, perhaps 12 or so, multiple times per day.  Here is a typical error with server name xx'd out.

The dynamic registration of the DNS record '_ldap._tcp.xxxxx.com. 600 IN SRV 0 100 389 DELL1420.xxxxx.com.' failed on the following DNS server:  

DNS server IP address: 63.87.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

There are slight differences but each time, the IP address 63.187.227.170 is in there.
I do not recognize the DNS server IP address: 63.87.227.170 which appears in each.  It's not the DNS address to which my NIC cards are set.  

My connection goes through a router with NAT.  I can block that IP address but don't know if I should.  Nor do I know how to check where that IP address originates.

Any advice?
slemmesmi

Dear Fritters,

you can find more information about 63.187.227.170, e.g. via http://samspade.org/whois/63.187.227.170

Maybe you have a service (e.g. for automated updates) which needs to access 63.187.227.170?

Kind regards,
Soren
Dear Fritters,

also check out your public IP (which you receive through NAT) via http://showip.net/ - maybe you'll find your IP is the 63.187.227.170 or an IP within that range.

Kind regards,
Soren
Dear Fritters,

you may also want to check out http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4
It appears to me your computer (DELL1420.xxxxx.com) is a member of a domain (xxxxx.com), and that it is trying to look up its directory (the _ldap._tcp.xxxxx.com).
When you're connected via NAT and have not configured your DNS server to be those within the domain, you may see the above error when using a public DNS server (that hasn't got any entry for your _ldap._tcp.xxxxx.com).
Please check with "ipconfig /all" what your DNS server is. Could it be that it's an external one, and what is its IP?

Kind regards,
Soren
Mal Osborne
It seems that you have two NICs in your server, and are attempting to register both of them in DNS. You only need to register the internal IP address.  Clear the "register this connection" checkbox in the second connection's properties.
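Added example (editor's code, not anything posted in the thread): it takes Soren's suggestion of reading `ipconfig /all` and Mal Osborne's two-NIC observation and turns them into a small offline triage script. It parses an event text in the shape quoted in the question and an `ipconfig /all` listing, decodes the RCODE, splits the SRV record into its fields, and reports whether the DNS server named in the event is configured on any adapter at all. Both inputs are constructed for the example; the adapter names, the 192.168.16.x, 10.0.0.x and 68.87.x.x addresses and the example.com domain are placeholders, not values from the thread.

```python
"""Triage a Netlogon "dynamic registration ... failed" event against the box's
own DNS client configuration. Editorial example; not code from the thread.
Both inputs below are constructed: adapter names, addresses and the domain
are placeholders."""
import ipaddress
import re
from typing import Dict, List, Optional

# DNS response codes from RFC 1035 (0-5) and RFC 2136 (6-10). The events in the
# question carry RCODE 5: the server refused the UPDATE outright.
RCODE_NAMES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE",
}

# Constructed event text, patterned on the one quoted in the question.
SAMPLE_EVENT = """\
The dynamic registration of the DNS record '_ldap._tcp.example.com. 600 IN SRV 0 100 389 DELL1420.example.com.' failed on the following DNS server:

DNS server IP address: 63.187.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS.
"""

# Constructed `ipconfig /all` excerpt: NIC 1 points at the server itself,
# NIC 2 points at two ISP resolvers (hypothetical addresses).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.16.2
        Default Gateway . . . . . . . . . : 192.168.16.1
        DNS Servers . . . . . . . . . . . : 192.168.16.2

Ethernet adapter Local Area Connection 2:
        IP Address. . . . . . . . . . . . : 10.0.0.5
        DNS Servers . . . . . . . . . . . : 68.87.1.2
                                            68.87.1.3
"""

EVENT_RECORD_RE = re.compile(r"registration of the DNS record '([^']+)' failed")
EVENT_SERVER_RE = re.compile(r"DNS server IP address:\s*(\S+)")
EVENT_RCODE_RE = re.compile(r"\(RCODE\):\s*(\d+)")
EVENT_STATUS_RE = re.compile(r"Returned Status Code:\s*(\d+)")

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
DNS_LINE_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$")
IP_ONLY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_event(text: str) -> dict:
    """Pull record, target server, RCODE and Windows status out of the event text."""
    def grab(rx) -> Optional[str]:
        m = rx.search(text)
        return m.group(1) if m else None

    rcode, status = grab(EVENT_RCODE_RE), grab(EVENT_STATUS_RE)
    return {
        "record": grab(EVENT_RECORD_RE),
        "dns_server": grab(EVENT_SERVER_RE),
        "rcode": int(rcode) if rcode is not None else None,
        "status": int(status) if status is not None else None,
    }


def parse_srv(record: str) -> dict:
    """Split 'name TTL IN SRV prio weight port target' into its fields."""
    name, ttl, _cls, _type, prio, weight, port, target = record.split()
    return {"name": name, "ttl": int(ttl), "priority": int(prio),
            "weight": int(weight), "port": int(port), "target": target}


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Map each adapter in `ipconfig /all` output to its DNS server list.
    Extra servers appear as bare, indented IPs under the 'DNS Servers' line."""
    adapters: Dict[str, List[str]] = {}
    current: Optional[str] = None
    in_dns = False
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, in_dns = m.group(1), False
            adapters[current] = []
            continue
        if current is None:
            continue
        m = DNS_LINE_RE.match(line)
        if m:
            in_dns = True
            if m.group(1):
                adapters[current].append(m.group(1))
            continue
        m = IP_ONLY_RE.match(line)
        if in_dns and m:
            adapters[current].append(m.group(1))
            continue
        in_dns = False  # any other line ends the DNS Servers block
    return adapters


def triage(event: dict, adapters: Dict[str, List[str]]) -> dict:
    """Is the server named in the event one this box is configured to talk to?"""
    server = event["dns_server"]
    return {
        "rcode_name": RCODE_NAMES.get(event["rcode"], "UNKNOWN"),
        "configured_on": [n for n, s in adapters.items() if server in s],
        "private_address": ipaddress.ip_address(server).is_private,
        "srv": parse_srv(event["record"]),
    }


if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT), parse_ipconfig(SAMPLE_IPCONFIG)))
```

Reading the result: `REFUSED` from a public address that appears under no adapter is exactly the situation the question describes, and `srv.target` names the host advertising LDAP on port 389, which should be the SBS box itself. Two editor's notes the thread does not spell out: Windows does not send the UPDATE to the adapter's resolver but to the server it finds as the zone's primary through an SOA lookup made via that resolver, so an adapter pointed at an ISP resolver can aim the update for a domain whose public DNS is hosted elsewhere at that public authoritative server, which refuses it (`nslookup -type=SOA example.com 68.87.1.2` against each configured resolver shows where that lookup lands); and on Windows Server 2003 the checkbox Mal Osborne refers to can be cleared from a command prompt with `netsh interface ip set dns name="Local Area Connection 2" source=static addr=68.87.1.2 register=none`, where the adapter name and address are this example's placeholders.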
Fritters (asker)
Soren - no, my public IP address begins with 24.xxx.xxx.xxx

The questionable IP address comes up as within Sprint's range.  I have nothing to do with Sprint.

My public DNS addresses begin with 68, not 63.

This is fairly recent, since February. To my knowledge, there have been no changes to the server since then.

I can't make heads or tails of http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4 which seems to be talking about multiple servers in the domain.

I have one single server running SBS 2003.  That machine IS the "holder" of the local DNS table (if my terminology is correct).  So it's never had trouble seeing "itself".  This 63 address is foreign.  

How can I check what process is trying to access that address?  
Dear Fritters,

the best tool I am aware of for monitoring which processes access which addresses is TCPView from Microsoft/Sysinternals - check it out at http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

P.S. I very much doubt you are being attacked...

Kind regards,
Soren
ASKER CERTIFIED SOLUTION
Fritters