• “Random” DNS Client Events Warnings in Administrative Events logs

    #484936

    Hi,

    I’ve noticed that I regularly (anywhere between once every other day or so to 2-3 times a day) get DNS Client Events Warnings in the Administrative Events log. I seem to recall seeing these on my old Windows XP laptop as well. Most of the time they are not to any website that I’ve visited (or have ever visited). Here are the last few examples:

    Log Name: System
    Source: Microsoft-Windows-DNS-Client
    Date: 8/19/2012 1:26:29 PM
    Event ID: 1014
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: *********
    Description:
    Name resolution for the name platform.twitter.com timed out after none of the configured DNS servers responded.

    Log Name: System
    Source: Microsoft-Windows-DNS-Client
    Date: 8/19/2012 12:31:13 PM
    Event ID: 1014
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: *********
    Description:
    Name resolution for the name http://www.flickr.com timed out after none of the configured DNS servers responded.

    Log Name: System
    Source: Microsoft-Windows-DNS-Client
    Date: 8/18/2012 1:52:10 PM
    Event ID: 1014
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: *********
    Description:
    Name resolution for the name taiwangirl.higo2meme.info timed out after none of the configured DNS servers responded.

    Log Name: System
    Source: Microsoft-Windows-DNS-Client
    Date: 8/18/2012 12:55:39 PM
    Event ID: 1014
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: *********
    Description:
    Name resolution for the name http://www.discriminations.us timed out after none of the configured DNS servers responded.

    Log Name: System
    Source: Microsoft-Windows-DNS-Client
    Date: 8/18/2012 11:40:20 AM
    Event ID: 1014
    Task Category: None
    Level: Warning
    Keywords:
    User: NETWORK SERVICE
    Computer: *********
    Description:
    Name resolution for the name http://www.thehumorwriter.com timed out after none of the configured DNS servers responded.

    A scan with Microsoft Security Essentials and Spybot shows nothing nefarious. (I realize there are better A/V scans to do, but I really don’t do a lot of random internet surfing.)

    My thought is that there are ads on websites that create these events when the link embedded in the ad can’t be resolved or something? I use Firefox with Ad-Blocker Plus, but I guess it doesn’t stop these DNS website look-ups from happening? What is happening? Does your computer actually connect to these sites, or is the browser just looking up the address in case you click on an ad or something? (And how do they still show up with Ad-Block Plus doing its thing?)

    I did some internet research, and there wasn’t a lot about this — though I did see one message board thread where someone asked the same thing (and their theory was similar to mine above), and while everyone posted that he had something bad on his system (I notice most people immediately respond with that), he actually had a completely clean install of the OS and was completely protected, etc. — so he (as I do) figured it wasn’t a virus or spyware thing.

    Any thoughts? Thanks!

    • #1346185

      Something to think about and mull over…
      See if you can go over your list of installed programs, or add-ons, to identify any component of which that may have ads in them that might be “phoning home” or communicating with their parent network for ad streams.
      This doesn’t necessarily represent a compromise or infection to your system, just advertisements usually associated with some freeware.

      • #1346247

        Thanks for the reply! The only installed programs that are “freeware” are Paint.NET, VLC Player, FileZilla Client (I think, unless it came with the laptop), Foxit Reader, and ImgBurn. The only add-ons I have are for Firefox: FireFTP, Ad-Block Plus, Flash (usually disabled) and VLC Player plugin. I did get another entry this morning and I think the only website I visited was this one! (I may have gone to Wikipedia to look up a process, but I think that was after it showed up.)

        Log Name: System
        Source: Microsoft-Windows-DNS-Client
        Date: 8/20/2012 7:11:57 AM
        Event ID: 1014
        Task Category: None
        Level: Warning
        Keywords:
        User: NETWORK SERVICE
        Computer: ********
        Description:
        Name resolution for the name http://www.thehumorwriter.com timed out after none of the configured DNS servers responded.

        But if something were calling home from a program, that program (or service) would have to be running, right? I’m posting my running services below (though I can post those that aren’t running too, if needed) and attaching images of my running processes.

        IKE and AuthIP IPsec Keying Modules Started
        Intel(R) Management and Security Application Local Management Service Started
        Intel(R) Management and Security Application User Notification Service Started
        Intel(R) Rapid Storage Technology Started
        IP Helper Started
        Microsoft Antimalware Service Started
        Multimedia Class Scheduler Started
        Network Connections Started
        Network List Service Started
        Network Location Awareness Started
        Network Store Interface Service Started
        Plug and Play Started
        PnP-X IP Bus Enumerator Started
        Power Started
        Print Spooler Started
        Program Compatibility Assistant Service Started
        Remote Procedure Call (RPC) Started
        RPC Endpoint Mapper Started
        Security Accounts Manager Started
        Security Center Started
        Server Started
        Shell Hardware Detection Started
        SSDP Discovery Started
        Superfetch Started
        System Event Notification Service Started
        Task Scheduler Started
        TCP/IP NetBIOS Helper Started
        Themes Started
        User Profile Service Started
        Windows Audio Started
        Windows Audio Endpoint Builder Started
        Windows Driver Foundation – User-mode Driver Framework Started
        Windows Event Log Started
        Windows Firewall Started
        Windows Font Cache Service Started
        Windows Image Acquisition (WIA) Started
        Windows Management Instrumentation Started
        Windows Search Started
        Windows Update Started
        WLAN AutoConfig Started
        Workstation Started
        ZAtheros Bt&Wlan Coex Agent Started

        Based on all this, any other thoughts? What exactly is happening with these DNS Client Events? Especially all the ones that I’m assuming are successful and don’t show up in a log? And are there any settings with Windows Firewall or internet connection stuff or anywhere else that would help prevent them (if necessary)?

        I guess it’s not a big deal if it’s normal and nothing “real” is actually being sent/received when they’re successful events? What is being sent or received?

        Thanks again!

    • #1346246

      It really sounds like your DNS servers are not responding. Are you using the ones recommended by your ISP?

      Try adding the Google DNS servers to the list and see if that resolves the problem. They are 8.8.8.8 and 8.8.4.4.

      Jock

      • #1346250

        It really sounds like your DNS servers are not responding. Are you using the ones recommended by your ISP?

        Try adding the Google DNS servers to the list and see if that resolves the problem. They are 8.8.8.8 and 8.8.4.4.

        Jock

        Thanks for the reply! I’m not sure how to do that. And, technically, I guess it doesn’t bother me that I’m getting these errors — I’m more concerned with why the computer is trying to connect to these sites that I’ve never visited (and all the ones it is successfully connecting to that don’t get logged). If it’s normal behavior, then I’ll stop worrying about it — though I’d like to know what exactly is happening and why. If it’s not normal, then I’ll have to do something about it. Do you know what it’s all about?

        And I’m not sure what’s recommended by my ISP (or where to set that). I live in a 5-apartment building that the internet is provided for. The wireless base is in another apartment. The wireless is password secure, but can be used by anyone who lives in the building.

    • #1346249

      Have you tried to flush your DNS Cache?

      Open up a command prompt (Start > Run > “cmd.exe” > OK).

      Type in the command: ipconfig /flushdns (notice the space between the g and the /)

      • #1346251

        Thanks for the reply! I will try this, but let me ask first… what does this do and how would it help with the issue? (I just like to know things before I do them, if that’s cool?) And does the fact that the secure wireless internet is shared within the apartment building mean anything in regards to this (as described in my last post)?

    • #1346258

      Explanation of what it is. It might not work, but it might. It takes a couple of minutes so you will not tie yourself up for an extended period.

      • #1346266

        Explanation of what it is. It might not work, but it might. It takes a couple of minutes so you will not tie yourself up for an extended period.

        Okay, thanks. I can try to give this a shot. But it sounds like this is a potential solution for the errors showing up in the log. I’m not actually concerned about the errors themselves, but more so the “successes” and what it means. The errors just give me a heads up that my computer is trying to call these web addresses even though I’ve never visited those websites. So, I’m guessing, there is a much larger amount of “non-errors” (i.e. successful name resolutions). I really just want to know if this is normal and what is actually happening. Is it just ads on websites? Ads or something from my ISP?

        Why does this happen and what is it actually doing? Is it going to a website? Is it just checking if the address is legitimate if I decided to click on something to go to the website? Is it sending or receiving any “important” information to/from my computer? Why does it happen? (Not the error, but the thing itself.) Know what I mean? Thanks again!

        • #1346442

          Thanks again for the replies, but does anyone know what is actually happening with the call outs to these websites (not why certain ones don’t go through, but why they happen in the first place). Is it ads on websites? Thanks for the help.

    • #1346447

      Some of the failures listed in your errors are pretty ordinary site references (flickr and twitter), a couple of others are questionable (discriminations.us looks like a blog of some kind) and thehumorwriter.com does not seem to exist. These can get referenced by any web page, html email or embedded ad which contains links to these sites for resources, such as images or logos. Just accessing another page referencing these urls can cause your browser or email client to attempt a link. It does not necessarily mean a separate app is running on your system and attempting these links.

      A tutorial on DNS and how to add DNS servers to your configuration:
      http://www.sevenforums.com/tutorials/15037-dns-addressing-how-change-windows-7-a.html

      Jock

      • #1346473

        Thanks for the reply! I remember that I used to use Open DNS on my old laptop. I went ahead and made the switch – and flushed the DNS cache per Medico’s suggestion (especially since I was switching DNS).

        However, I made a mistake and typed in the ipconfig /flushdns into the run box instead of opening a command window from the run box, then typing it in. (I think I also tried running the regular ipconfig command the same way.) I could see the command box pop open and text fly by, then close. Obviously, that’s not the way you’re supposed to do it (and I did it the right way now), but doing it that wrong way, does that cause anything weird…?

        Also, after (I think) making the changes above, I saw this DNS Client Event in the log:

        Log Name: System
        Source: Microsoft-Windows-DNS-Client
        Date: 8/21/2012 1:30:27 PM
        Event ID: 1006
        Task Category: None
        Level: Warning
        Keywords:
        User: LOCAL SERVICE
        Computer: ********
        Description:
        The client was unable to validate the following as active DNS server(s) that can service this client. The server(s) may be temporarily unavailable, or may be incorrectly configured. 192.168.0.1

        What’s this about? (I looked up that address and it looks like it has something to do with a router – so I guess there is a router in the building. But that would be an IP address not a DNS server, right?)

        Thanks again for the help!

    • #1346519

      192.168.0.1 is the IP address of the router. It is normal to use your router as the primary DNS server; what that means is the DNS server(s) in the router’s configuration will be the ones used in doing name resolution.

      Your problem is you don’t own that router, so likely don’t know what DNS servers it is using. That error in the log confirms there may be a problem with the router’s DNS setup. Which is exactly why it was recommended you use some additional ones in your local configuration.

      Most likely the DNS servers in the router’s config are the ISP-provided ones, and those are often unresponsive. It is also conceivable that public router has been hacked.

      All of this ties in with the events you have been experiencing. I would remove 192.168.0.1 as a DNS server and substitute a known good set.

      Jock
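Added example (not part of any post in this thread): one way to check whether the Event ID 1014 timeouts point at particular names or at the resolver, as discussed above, is to tally them from text copied out of Event Viewer. The function names, the sample records and the "two different names in one day" threshold are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

def _record(source, date, event_id, description):
    # One record in the "copy as text" layout pasted in this thread.
    return (f"Log Name: System\nSource: {source}\nDate: {date}\n"
            f"Event ID: {event_id}\nLevel: Warning\nDescription:\n{description}\n")

DNS = "Microsoft-Windows-DNS-Client"
TIMED_OUT = ("Name resolution for the name {} timed out after none of the "
             "configured DNS servers responded.")
# Constructed sample: reserved example domains; 192.168.0.1 is the router in the thread.
SAMPLE = "\n".join([
    _record(DNS, "8/19/2012 1:26:29 PM", 1014, TIMED_OUT.format("cdn.example.com")),
    _record(DNS, "8/19/2012 12:31:13 PM", 1014, TIMED_OUT.format("http://www.example.org")),
    _record(DNS, "8/20/2012 7:11:57 AM", 1014, TIMED_OUT.format("http://www.example.org")),
    _record("Microsoft-Windows-WLAN-AutoConfig", "8/21/2012 2:47:31 PM", 4001,
            "WLAN AutoConfig service has successfully stopped."),
    _record(DNS, "8/21/2012 1:30:27 PM", 1006,
            "The client was unable to validate the following as active DNS server(s) "
            "that can service this client. 192.168.0.1"),
])

FIELD = re.compile(r"^\s*(Log Name|Source|Date|Event ID):\s*(.*)$")
TIMEOUT = re.compile(r"Name resolution for the name (\S+) timed out")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse_events(text):
    """Split pasted Event Viewer text into one dict per 'Log Name:' record."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Log Name":
            cur, in_desc = {"Description": ""}, False
            events.append(cur)
        if cur is None:
            continue
        if m and not in_desc:
            cur[m.group(1)] = m.group(2).strip()
        elif line.strip() == "Description:":
            in_desc = True
        elif in_desc:
            cur["Description"] += line.strip() + " "
    return events

def summarize(events):
    """Count 1014 timeouts per name and collect servers named in 1006 warnings."""
    names, days, servers = Counter(), {}, set()
    for ev in events:
        if ev.get("Source") != DNS:
            continue
        desc, m = ev["Description"], TIMEOUT.search(ev["Description"])
        if ev.get("Event ID") == "1014" and m:
            # Forum software auto-links www. names, so drop any scheme prefix.
            name = re.sub(r"^https?://", "", m.group(1)).lower()
            names[name] += 1
            day = datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p").date()
            days.setdefault(day, set()).add(name)
        elif ev.get("Event ID") == "1006":
            servers.update(IPV4.findall(desc))
    # Assumed heuristic: two or more different names timing out on one day
    # points at the resolver rather than at any single site.
    suspect = sorted(d.isoformat() for d, n in days.items() if len(n) >= 2)
    return {"timeouts": dict(names), "resolver_suspect_days": suspect,
            "unvalidated_servers": sorted(servers)}

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)))
```

The parser tolerates the leading indentation that forum pastes carry, and records from other sources (WLAN, DHCP, WMI) are skipped rather than counted.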

      • #1346570

        I would remove 192.168.0.1 as a DNS server and substitute a known good set.

        How do I do that? Or is that what I’ve already done by adding the DNS servers to the wireless (instead of letting it automatically determine them) as described in the instructions you posted a link to? Or do I need to actually remove that 192.address manually somehow/somewhere?

        Here are a few other warnings/errors that could (?) be related that I was getting and still get:

        Log Name: System
        Source: Microsoft-Windows-WLAN-AutoConfig
        Date: 8/21/2012 2:47:31 PM
        Event ID: 4001
        Task Category: None
        Level: Warning
        Keywords:
        User: SYSTEM
        Computer: *****
        Description:
        WLAN AutoConfig service has successfully stopped.

        Log Name: Application
        Source: Microsoft-Windows-WMI
        Date: 8/21/2012 2:49:44 PM
        Event ID: 10
        Task Category: None
        Level: Error
        Keywords: Classic
        User: N/A
        Computer: *****
        Description:
        Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

        Log Name: System
        Source: Microsoft-Windows-WLAN-AutoConfig
        Date: 8/21/2012 2:47:31 PM
        Event ID: 4001
        Task Category: None
        Level: Warning
        Keywords:
        User: SYSTEM
        Computer: *****
        Description:
        WLAN AutoConfig service has successfully stopped.

        Log Name: System
        Source: Microsoft-Windows-WLAN-AutoConfig
        Date: 8/21/2012 8:44:39 PM
        Event ID: 10002
        Task Category: None
        Level: Warning
        Keywords:
        User: SYSTEM
        Computer: *****
        Description:
        WLAN Extensibility Module has stopped.
        Module Path: C:\Windows\system32\athihvs.dll

        Log Name: Microsoft-Windows-Dhcp-Client/Admin
        Source: Microsoft-Windows-Dhcp-Client
        Date: 8/21/2012 8:55:14 PM
        Event ID: 1003
        Task Category: Address Configuration State Event
        Level: Warning
        Keywords:
        User: LOCAL SERVICE
        Computer: *****
        Description:
        Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address ************. The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

        Log Name: Microsoft-Windows-Dhcp-Client/Admin
        Source: Microsoft-Windows-Dhcp-Client
        Date: 8/21/2012 8:57:17 PM
        Event ID: 1001
        Task Category: Address Configuration State Event
        Level: Error
        Keywords:
        User: LOCAL SERVICE
        Computer: *****
        Description:
        Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address ****************. The following error occurred: 0x79. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

        What does all that mean? Related? Anything to be done?

        And if the router is hacked, what does that mean for me exactly? Can someone get on my computer? (My wife has an iPad, which doesn’t have A/V, so could someone get on that?)

        Please note: Neither of us stay connected to the wireless internet full-time (off more than on). And I often turn it on and off.

        Thanks for walking through this with me — I appreciate the help and look forward to hearing back! Have a nice night.

    • #1346610

      If you unchecked obtain DNS server address automatically and filled in the server addresses to use per the tutorial, then you should be OK on the DNS front.

      It is conceivable though unlikely the DNS servers in the wireless router were changed to point to rogue servers for the purpose of routing web traffic to malware sites. If that is done it can introduce significant delays in DNS lookup response times, which might have been the cause of your original problem which is why I mentioned it.

      The other event log items you posted are not related to DNS; rather to DHCP – the part that assigns your computer a local ip address (in the 192.168.0.### range). If it doesn’t work you will not have internet connectivity. Those may be temporary if the DHCP server is busy or short of available addresses.

      Frequent disconnect/reconnect events make that type of error more likely, but it should be transitory – your computer will keep trying.

      I know little or nothing about iPad security, sorry. Those wee thingies are too small for these old eyes.

      Jock

      • #1346628

        I did do what the tutorial (and you) said regarding DNS. It still has Obtain IP address automatically chosen. And I didn’t change anything for Internet Protocol Version 6 (TCP/IPv6) properties/settings (leave that alone and let it obtain its IP and DNS stuff automatically, correct?). What’s that one (Version 6) for? Is it even used?

        The internet does usually seem semi-slow to connect to websites (meaning, it’s not instantaneous, but takes a couple seconds usually).

        So is there anything to “worry” about regarding my laptop and the wireless internet/router and “baddies”, etc.?

        Thanks again!

        • #1347182

          Just checking back on this again before we close out this thread. Any last thoughts on my last post/questions?

          And what is this error related to and is it anything to be concerned about?

          Log Name: Application
          Source: Microsoft-Windows-WMI
          Date: 8/27/2012 5:58:00 AM
          Event ID: 10
          Task Category: None
          Level: Error
          Keywords: Classic
          User: N/A
          Computer: ********
          Description:
          Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

          Thanks again!

    • #1347682

      Thanks for posting that update and link. This one has had me scratching my head.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      • #1347804

        You’re welcome! 🙂

        • #1348250

          Thanks for posting that update and link. This one has had me scratching my head.

          Hey, how do I get a “1” over in the # of times thanked now that I got tanked in this thread? 🙂

    • #1348271

      The thanks only show up if someone clicks on the Thanks icon in the lower left of the post. For every official Thanks we get we get quite a few thank you’s without having the icon clicked. That’s just the way it works.

      I just gave you a thanks for that post. How’s that! :rolleyes:

    • #1348338

      I just gave you a “Thanks”, too. Pardon my oversight:confused:


      • #1348425

        Well, crud! I thought just thanking in the post somehow added it… so I need to go back and do it the right way for all the help I got. Sorry!

        And it wasn’t a big deal really for me (really!), I was just curious… but thank you both for adding it! At least it shows that I helped someone once (sort of), since I’ve been helped by others a ton of times! 🙂

        Edit: Done! And thanks again!

        • #1348428

          Well, I thought I did it, but now it looks like all the official thanks I clicked on didn’t take. :confused:

          Am I doing it wrong somehow? I just want to give credit where credit is due, as I really do appreciate all the help. So let me know and I’ll do it right.

          Edit: Got it to work. I didn’t have cookies on… Sorry!

    • #1348430

      After leaving official thanks, the numbers do not change until you refresh the browser, or leave then come back to the thread.

      • #1348433

        I had actually tried that, but it didn’t make a difference for me. It was a cookies thing, it seems. Once I turned on cookies, then clicked the thanks buttons, it showed that I was leaving a thanks, etc.
