Malformed packets from 127.0.0.1 every ~62.5 seconds

On a 2008r2 Domain Controller, with Exchange Exchange 2010 installed (I am very aware that this is not optimal, but when you inherit a client network...)

Event ID 5502 repeated every ~62.5 seconds with the text

The DNS server received a bad TCP-based DNS message from 127.0.0.1.  The packet was rejected or ignored. The event data contains the DNS packet.

Open in new window


As Wireshark is unable to capture from loopback, I used RawCap  to capture traffic on the loopback interface for several minutes, and then opened up the capture in WireShark, which shows a repeated malformed packet as per the attached.

While I have stopped the event from showing by changing DNS event logging from "All events" to "Errors and warnings", I am interested in why might be causing this, especially with the frequency of recurrence...
LVL 37
ArneLoviusAsked:
Who is Participating?
 
gheistCommented:
nslookup timeout is 2s. so something sleeps 1min, then does nslookup then sleeps again.
0
 
gheistCommented:
Is it some montiring script checking DNS is up with TCP? like nagios/zabbix whatever?
0
 
ArneLoviusAuthor Commented:
I haven't found anything obviously scheduled, and as the source is 127.0.0.1 it has to be local to the server.

The cycle time of ~62.5 seconds makes me think that its an internal process rather than a scheduled one, but I'm quite happy to admit that I;m stumped by it :-)
0
 
gheistCommented:
Hard to guess better.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.