[Dshield] dns & routing

Guy Barnum GuyBarnum at Armscole.com
Fri Jun 25 21:39:00 GMT 2004

Kinda off topic but I'm thinking you guys could offer much needed
insight into this DNS nightmare I'm having on a Windows server.  There
are lots of errors and problems but I'll keep this narrowed down to the
main symptoms.

I'm getting 20-30 Microsoft web proxy errors a minute, non stop, in the
application log with event id: 14120.

My log files are so overloaded with DNS and ISA errors the event
viewing capability on the server is failing.  It's tough to find
'intentional bad things' in the server logs when they are this bloated
or bombing out completely.

I was getting as many DNS errors in the DNS server log until I fixed
missing entries in the LAT and rebuilt the tables.  Neither NIC nor
gateway on the server was listed in the LAT.  The DNS server errors have
stopped completely for the last 2 hours since fixing the LAT.

Users logging on to the network intermittently failed to reconnect any
and all mapped drives although they could still surf and get email.
They could not reconnect to mapped drives for up to 5-10 minutes and
sometimes not at all until the magic MS ctrl-alt-del fix is used,
meanwhile all of the other machines on the network are visible and

I can find little information online about event id 14120 with minimal
instructions to "check for a conflict between the LAT and routing
table".  I'm looking at the results of 'route print' from the command
line and trying to figure out if it matches up to the LAT and how to get
it that way.

First questions that come to mind: am I correct in assuming the missing
entries in the LAT alone could cause the errors connecting to the server
at logon time?  Should the routing table mirror the LAT?  How do you get
the two to match?  What else should I look for as a possible cause?  For
that matter what would cause errors like I've seen with neither of the
server's NICs or gateway IPs listed in the LAT?

I would appreciate pointers to good information and instructional
resources as much as any direct help!


P.S. in case anyone asks about the IPs ISA can't create a packet for in
the message body of the 14120 event id error: the IPs range across
any/every valid (some few invalid) address any of the users on the
network have browsed to.  I've manually checked a great number of them
with every kind of web site in the range including Microsoft, CBS and
others - no pattern there.

