Am I being attacked?

The event log shows repeated errors, perhaps 12 or so, multiple times per day.  Here is a typical error with server name xx'd out.

The dynamic registration of the DNS record '_ldap._tcp.xxxxx.com. 600 IN SRV 0 100 389 DELL1420.xxxxx.com.' failed on the following DNS server:  

DNS server IP address: 63.87.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

There are slight differences, but each time the IP address 63.187.227.170 is in there.
I do not recognize the DNS server IP address 63.87.227.170, which appears in each.  It's not the DNS address to which my NIC cards are set.  

My connection goes through a router with NAT.  I can block that IP address but don't know if I should.  Nor do I know how to check where that IP address originates.

Any advice?
FrittersAsked:
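A small triage script for events of this shape, added here as an example (it is not from the thread or from Microsoft). It pulls the SRV record, the DNS server address and the RCODE out of the event text, decodes the RCODE against the standard DNS response codes, and reports when the server that answered is not one of the domain's own DNS servers or is not on a private network at all. The sample event is constructed from the one quoted in the question with the domain replaced by example.test; 192.168.1.10 is an assumed address for the domain's own DNS server.

```python
"""Triage helper for Windows events of the form 'The dynamic registration of the
DNS record ... failed on the following DNS server'.

Added example, not from the original thread. The sample event below is constructed
from the one in the question (domain replaced by example.test); 192.168.1.10 is an
assumed address for the domain's own DNS server.
"""
import ipaddress
import re

# Standard DNS response codes (RFC 1035, RFC 2136). 5 = REFUSED: the server
# declined the request, typically because it is not authoritative for the zone
# or does not accept dynamic updates from this client.
RCODES = {
    0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
    5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET", 9: "NOTAUTH",
    10: "NOTZONE",
}

# RFC 1918 ranges. A domain controller's dynamic updates should go to a DNS
# server on the internal network, so a server outside these ranges is suspect.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

EVENT_RE = re.compile(
    r"dynamic registration of the DNS record\s+'(?P<record>[^']+)'\s+failed.*?"
    r"DNS server IP address:\s*(?P<server>[0-9A-Fa-f.:]+).*?"
    r"\(RCODE\):\s*(?P<rcode>\d+)",
    re.DOTALL,
)

# Zone-file SRV syntax: name TTL IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+(?P<priority>\d+)\s+"
    r"(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

# Constructed sample event (domain name replaced, otherwise as quoted in the question).
SAMPLE_EVENT = """The dynamic registration of the DNS record \
'_ldap._tcp.example.test. 600 IN SRV 0 100 389 DELL1420.example.test.' failed on the following DNS server:

DNS server IP address: 63.87.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017

For computers and users to locate this domain controller, this record must be registered in DNS."""


def parse_srv(text):
    """Split a zone-file SRV record into its fields (numeric fields as ints)."""
    m = SRV_RE.match(text.strip())
    if not m:
        raise ValueError("not an SRV record: %r" % text)
    rec = m.groupdict()
    for key in ("ttl", "priority", "weight", "port"):
        rec[key] = int(rec[key])
    return rec


def parse_event(text):
    """Extract the record being registered, the DNS server that answered, and the RCODE."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("event text not recognised")
    return {
        "record": parse_srv(m.group("record")),
        "server": m.group("server"),
        "rcode": int(m.group("rcode")),
    }


def triage(event, expected_dns_servers):
    """Return a list of (code, message) findings; an empty list means nothing looks wrong.

    expected_dns_servers: the addresses of the domain's own DNS servers, i.e. what
    'ipconfig /all' on the domain controller should list.
    """
    findings = []
    server = ipaddress.ip_address(event["server"])
    rcode = event["rcode"]
    if rcode != 0:
        findings.append(("rcode", "server answered RCODE %d (%s)"
                         % (rcode, RCODES.get(rcode, "UNKNOWN"))))
    if str(server) not in expected_dns_servers:
        findings.append(("unexpected-server",
                         "update was sent to %s, which is not one of the domain's DNS servers %s"
                         % (server, expected_dns_servers)))
    if not any(server in net for net in RFC1918):
        findings.append(("public-server",
                         "%s is outside the RFC 1918 private ranges; a public resolver will not "
                         "accept dynamic updates for %s" % (server, event["record"]["name"])))
    return findings


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print("record:", ev["record"])
    for code, msg in triage(ev, ["192.168.1.10"]):
        print(code, "-", msg)
```

Run against the sample it reports all three findings: RCODE 5 (REFUSED), an update sent to a server that is not in the domain's DNS server list, and a server address outside the private ranges. That combination points at a client-side DNS configuration problem (an adapter handing the registration to an outside resolver) rather than at an attacker, which is the direction the thread eventually takes.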

slemmesmiCommented:
Dear Fritters,

you can find more information about 63.187.227.170, e.g. via http://samspade.org/whois/63.187.227.170

Maybe you have a service (e.g. for automated updates) which needs to access 63.187.227.170?

Kind regards,
Soren
slemmesmiCommented:
Dear Fritters,

also check out your public IP (which you receive through NAT) via http://showip.net/ - maybe you'll find your IP is the 63.187.227.170 or an IP within that range.

Kind regards,
Soren
slemmesmiCommented:
Dear Fritters,

you may also want to check out http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4
It appears to me your computer (DELL1420.xxxxx.com) is a member of a domain (xxxxx.com), and that it is trying to look up its directory (the _ldap._tcp.xxxxx.com).
When you're connected via NAT and have not configured your DNS servers to be those within the domain, you may see the above error when using a public DNS server (which hasn't got any entry for your _ldap._tcp.xxxxx.com).
Please check with "ipconfig /all" what your DNS server is. Could it be an external one, and what is its IP?

Kind regards,
Soren

Mal OsborneAlpha GeekCommented:
It seems that you have two NICs in your server, and are attempting to register both of them in DNS. You only need to register the internal IP address.  Clear the "register this connection" checkbox on the second connection's properties.
FrittersAuthor Commented:
Soren - no, my public IP address begins with 24.xxx.xxx.xxx

The questionable IP address comes up as within Sprint's range.  I have nothing to do with Sprint.

My public DNS addresses begin with 68, not 63.

This is fairly recent, since February.   To my knowledge, there have been no changes to the server since then.  

I can't make heads or tails of http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4 which seems to be talking about multiple servers in the domain.

I have one single server running SBS 2003.  That machine IS the "holder" of the local DNS table (if my terminology is correct).  So it's never had trouble seeing "itself".  This 63 address is foreign.  

How can I check what process is trying to access that address?  
slemmesmiCommented:
Dear Fritters,

the best tool I am aware of for monitoring which processes access which addresses is TCPView from Microsoft/Sysinternals - check it out on http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

P.S. I very much doubt you are being attacked...

Kind regards,
Soren
FrittersAuthor Commented:
There was nothing in the responses that led to a solution.  Further search of other threads found a suggestion that the NIC in the server should only point to itself in the DNS field and reference the ISP DNS addresses elsewhere.  I made that change and I have not seen the error since.  