Am I being attacked?

The event log shows repeated errors, perhaps 12 or so, multiple times per day.  Here is a typical error with server name xx'd out.

The dynamic registration of the DNS record '_ldap._tcp.xxxxx.com. 600 IN SRV 0 100 389 DELL1420.xxxxx.com.' failed on the following DNS server:  

DNS server IP address: 63.87.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017  

For computers and users to locate this domain controller, this record must be registered in DNS.  

There are slight differences but each time, the IP address 63.187.227.170 is in there.
I do not recognize the DNS server IP address: 63.87.227.170 which appears in each.  It's not the DNS address to which my NIC cards are set.  

My connection goes thru a router with NAT.  I can block that IP address but don't know if I should.  Nor do I know how to check where that IP address originates.

Any advice?
Fritters Asked:
 
Fritters Author Commented:
There was nothing in the responses that led to a solution.  Further search of other threads found a suggestion that the NIC in the server should only point to itself in the DNS field and reference the IP DNS addresses elsewhere.  I made that change and I have not seen the error since.  
0
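A triage sketch for the event quoted in the question, added here as an example and not code from any poster in this thread: it parses the message, names the RCODE, and reports whether the server that answered is one the domain controller is configured to use. The function name `triage` and the LAN address 192.168.1.2 are assumptions.

```python
import ipaddress
import re

# RCODE names from RFC 1035 and RFC 2136 (dynamic update).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP",
          5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET", 8: "NXRRSET",
          9: "NOTAUTH", 10: "NOTZONE"}

PATTERNS = {
    "record": re.compile(r"DNS record '([^']+)'"),
    "server": re.compile(r"DNS server IP address:\s*([0-9a-fA-F.:]+)"),
    "rcode": re.compile(r"\(RCODE\):\s*(\d+)"),
}

def triage(event_text, configured_dns):
    """Parse one failed-registration event; classify the server that answered."""
    raw = {}
    for field, rx in PATTERNS.items():
        match = rx.search(event_text)
        if match is None:
            raise ValueError("event text is missing the %s field" % field)
        raw[field] = match.group(1)
    owner, ttl, _cls, rtype = raw["record"].split()[:4]
    server = ipaddress.ip_address(raw["server"])
    rcode = int(raw["rcode"])
    if server in {ipaddress.ip_address(a) for a in configured_dns}:
        target = "configured"    # expected server: look at the zone's update settings
    elif server.is_global:
        target = "external"      # internal AD record sent to a public resolver
    else:
        target = "unexpected-internal"  # another LAN host: find which NIC lists it
    return {"owner": owner, "type": rtype, "ttl": int(ttl), "server": str(server),
            "rcode": RCODES.get(rcode, "RCODE%d" % rcode), "target": target}

# Event text as quoted in the question; 192.168.1.2 is a constructed stand-in
# for the domain controller's own LAN address.
SAMPLE_EVENT = """The dynamic registration of the DNS record '_ldap._tcp.xxxxx.com. 600 IN SRV 0 100 389 DELL1420.xxxxx.com.' failed on the following DNS server:
DNS server IP address: 63.87.227.170
Returned Response Code (RCODE): 5
Returned Status Code: 9017"""

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, ["192.168.1.2"]))
```

An `external` target with `REFUSED` means a public server declined a dynamic update for an internal zone, which is consistent with the DNS-field change reported in the comment above.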
 
slemmesmi Commented:
Dear Fritters,

you can find more information about the 63.187.227.170 e.g. via http://samspade.org/whois/63.187.227.170

Maybe you have a service (e.g. for automated updates) which needs to access 63.187.227.170?

Kind regards,
Soren
0
 
slemmesmi Commented:
Dear Fritters,

also check out your public IP (which you receive through NAT) via http://showip.net/ - maybe you'll find your IP is the 63.187.227.170 or an IP within that range.

Kind regards,
Soren
0
 
slemmesmi Commented:
Dear Fritters,

you may also want to check out http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4
It appears to me your computer (DELL1420.xxxxx.com) is a member of a domain (xxxxx.com), and that it is trying to look up its directory (the _ldap._tcp.xxxxx.com).
When you're connected via NAT, and have not configured your DNS server to be one of those within the domain, you may see the above error when using a public DNS server (that hasn't got any entry for your _ldap._tcp.xxxxx.com).
Please check with "ipconfig /all" what your DNS server is. Could it be that it's an external one, and what is its IP?

Kind regards,
Soren
0
 
Mal Osborne Alpha Geek Commented:
It seems that you have two NICs in your server, and are attempting to register both of them in DNS. You only need to register the internal IP address.  Clear the "register this connection" checkbox on the second connection's properties.
0
 
Fritters Author Commented:
Soren - no, my public IP address begins with 24.xxx.xxx.xxx

The questionable IP address comes up as within Sprint's range.  I have nothing to do with Sprint.

My public DNS addresses begin with 68, not 63.

This is fairly recent, since February.   To my knowledge, there have been no changes to the server since then.  

I can't make heads or tails of http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/afe3e73a-e62b-4dfd-9605-72f3002907c4 which seems to be talking about multiple servers in the domain.

I have one single server running SBS 2003.  That machine IS the "holder" of the local DNS table (if my terminology is correct).  So it's never had trouble seeing "itself".  This 63 address is foreign.  

How can I check what process is trying to access that address?  
0
 
slemmesmi Commented:
Dear Fritters,

the best tool I am aware of for monitoring which addresses processes access is TCPView from Microsoft/Sysinternals - check it out on http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

P.S. I very much doubt you are being attacked...

Kind regards,
Soren
0
Question has a verified solution.
