Announcement

Collapse
No announcement yet.

DNS Event ID 404, 407, 408

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • DNS Event ID 404, 407, 408

    This is a small business 2 servers 12 machines.
    Primary server does everything DNS, DHCP, file and app hosting etc. The machine has been working flawlessly since install until now. The second server is an old server 2003 box that hosts a single application all dns requests are forwarded to the primary server.

    Primary server: 192.168.1.18
    DNS listening on 192.168.1.18 interface
    Default gateway is 192.168.1.1 (sonicwall) (no settings changed there either)
    Default DNS: 192.168.1.18
    DNS Forwarders: 192.168.1.1, 8.8.8.8, 8.8.4.4

    Secondary server: 192.168.1.17
    DNS listening on 192.168.1.17 interface
    Default gateway is 192.168.1.1 (sonicwall) (no settings changed there either)
    Default DNS: 192.168.1.17
    DNS Forwarders: 192.168.1.18

    We recently had our static block changed due to ATT selling all of their lines and services here in CT. We got switched from the 163 block to the 32 block. After that issue with the modem was corrected due to the static IP change the DNS is not working properly. We have started to get Event ID error 404, 407, 408, 4013 as well.

    No settings have changed in the primary DNS server and we have confirmed that. The primary DNS server and the client computers can work locally and ping by IP address and DNS address but cannot access the internet by DNS or IP ping and of course cannot browse the web.

    This is the strange thing the 2nd server which DNS only points to the first server can access the internet and local network by DNS and IP. If I shutdown the primary DNS server the 2nd server cannot get outside the local network. I find it very odd that this server can access the internet but the primary server hosting all the DNS requests and it's clients cannot.

    It also appears that the networking adapter is sometimes getting stuck in identifying mode after a server reboot and claims there is no local or internet connectivity. There obviously is because I'm RDP into the server from a local machine on their network.

    We have tried the following:

    remove the DNS\Parameters\ ListenAddress value (event id 40 - this value does not exist in the registry.

    Reset the network interface, updated network drivers, winsock reset, shutdown DNS and netlogon and flushed dns, rebooted the server, checked the settings a zillion times,

    For a temporary work around I have set all the client machines with a primary dns of 192.168.1.18 and a secondary dns of 8.8.8.8 so that they can access files on their server and get out to the web.

    Anyone have any suggestions we are stumped on this one?

  • #2
    Re: DNS Event ID 404, 407, 408

    have you run a recursive dns test from the primary dns server?
    you can do this from the DNS MMC Snapin.

    also, from a command prompt on that server, open NSLookup
    then home it to 8.8.8.8
    (so, server 8.8.8.8 )
    then try and do DNS queries

    the other thing to check is your Sonicwall. It looks like your primaryWindowsServer has a forwarder address of the Sonicwall.
    If the Sonicwall has an invalid forwarder, it'll mess all that shit up.


    lastly - does INTERNAL dns work ?

    ie, can you ping internal-server.internal.com ?
    Last edited by biggles77; 23rd August 2014, 17:43. Reason: Fix the 8 ) smilie issue
    Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

    Comment


    • #3
      Re: DNS Event ID 404, 407, 408

      Originally posted by tehcamel View Post
      have you run a recursive dns test from the primary dns server?
      you can do this from the DNS MMC Snapin.

      also, from a command prompt on that server, open NSLookup
      then home it to 8.8.8.8
      (so, server 8.8.8.
      then try and do DNS queries

      the other thing to check is your Sonicwall. It looks like your primaryWindowsServer has a forwarder address of the Sonicwall.
      If the Sonicwall has an invalid forwarder, it'll mess all that shit up.


      lastly - does INTERNAL dns work ?

      ie, can you ping internal-server.internal.com ?
      Thanks for the reply!

      I can ping the internal server by its PC name and FQDN, the DNS fails to work whether or not the sonicwall is specified as a forwarder. The DNS set on the sonicwall is also 8.8.8.8 and 8.8.4.4 we have also tried entering in the ISP DNS servers on the sonicwall and server DNS with no change.

      An nslookup of 8.8.8.8 - 8.8.4.4 - 68.94.157.1 (ISP DNS) times out.

      Recursive DNS query fails....

      Comment


      • #4
        Re: DNS Event ID 404, 407, 408

        bump.......................

        Comment


        • #5
          Re: DNS Event ID 404, 407, 408

          firstly - don't bump threads. We're all community members, giving our time and experirence freely. We don't always get to respond straight away. (In my case, I'd gone to bed.)

          run a wireshark capture and work out why your dns packets are failing.

          you may be able to run it on the server, but you may also need to mirror the wan port on your sonicwall and capture there
          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

          Comment


          • #6
            Re: DNS Event ID 404, 407, 408

            Sorry about that new to this forum. I have been following the forum for a few years but this is my first time posting. I'll run the wire capture tomorrow and post back.

            Thanks.

            Comment


            • #7
              Re: DNS Event ID 404, 407, 408

              Do you have the relevant access rules on the SonicWALL to allow access out?

              You should have a LAN > WAN rule that allows DNS (UDP pt53) out for the relevant server. You should also have an inbound rule allowing the DNS server to reply.

              When the ISP changes we made waht happened on your router?? Was there a router change at all?

              Comment


              • #8
                Re: DNS Event ID 404, 407, 408

                Hey thanks for the reply.

                I don't believe its a firewall issue because i completely opened the firewall for inbound and outbound traffic to the server for testing purposes only and still no go.

                Yes setting on the router have changed since the new modem had been installed.

                The static IP (we got new 32 block), subnet, gateway and DNS address. (i have tried google, open dns, and ISP dns at this point).

                I have set all the local clients to static dns of the server 192.168.1.18 so they can access their files and 8.8.8.8 so they can access the web. So the issue is definitely isolated to the server. Internal DNS works fine with the server by FQDN, PC name, IP.

                Another thing I should mention not sure if this matter is the new modem they gave us does not have a true bridge mode instead the modem receives a static IP from our static pool and then a public subnet is setup within the modem which then serves the router another static IP address from our pool and those two statics communicate to get out to the internet.

                I ran a wireshark packet capture and found this:


                lots of standard dns query responses coming back as server failures with various error codes between server and clients.

                The server is sending packets to google DNS 8.8.8.8 but upon response ICMP error Destination unreachable (port unreachable)

                I tried to attach my wireshark packet capture but the upload keeps timing out.

                Comment


                • #9
                  Re: DNS Event ID 404, 407, 408

                  Additional information. It being Sunday here in the States and no one being at the office I have noticed quite a bit of SMB traffic passing from only one client machine to the server. I assumed a virus and have started a malwarebytes scan and found a trojan which maybe the cause of all this not sure yet. The Trojan got right past Trend Micro (which I think is garbage).

                  Comment


                  • #10
                    Re: DNS Event ID 404, 407, 408

                    2 infected machines but I cleaned them out and still no joy. Same ICMP errors and DNS not being able to get back to the server. Any suggestions?

                    Thanks

                    Comment


                    • #11
                      Re: DNS Event ID 404, 407, 408

                      Originally posted by Jsnyder View Post
                      2 infected machines but I cleaned them out and still no joy. Same ICMP errors and DNS not being able to get back to the server. Any suggestions?

                      Thanks
                      SO have you had an ISP change then?? Or just a change of IP Addresses?? YOu mention ATT selling off the services so I would presume that this is a new ISP? Could be ATT is blocking DNS from other networks than their own. Tried using 8.8.8.8 as a forwarder?

                      Your second issue with the server being unable to access the internet appears to be related to the fact that you are forwarding all queries to the main server and if it is powered off it won't be able to access DNS.

                      Also I would remove 8.8.8.8 from all clients and servers and work on getting DNS working correctly.

                      Comment


                      • #12
                        Re: DNS Event ID 404, 407, 408

                        Thanks everyone for the help I really appreciate it.

                        I solved the issue. It turned out that when we got our new static IP I had made the appropriate changes in the sonicwall to reflect this new static IP in NAT and firewall rules. However, the NAT rule did not save and that's why the DNS packets were routing out to the internet and not coming back in. I attempted to change the NAT rule again however the rule would not save. I tried to delete the rule and recreate it and the Sonicwall kept booting me out. So, I reset the Sonicwall and loaded the Sonicwall backup configuration and then changed the rule again and it saved without issue and the problem was solved. So, it appears something happened to the Sonicwall that wasn't allowing that NAT rule to be changed.

                        Thanks again!

                        Comment


                        • #13
                          Re: DNS Event ID 404, 407, 408

                          Glad you got it sorted and thanks for posting back with that news. Much appreciated.
                          1 1 was a racehorse.
                          2 2 was 1 2.
                          1 1 1 1 race 1 day,
                          2 2 1 1 2

                          Comment

                          Working...
                          X