Solved

Flushing the DNS Resolver Cache doesn't work

Posted on 2003-11-10
12
7,441 Views
Last Modified: 2007-12-19
Hi everyone!

I'm running Windows 2000 with Service Pack 4, patched with all the security updates available.

However, when I try accessing some sites, for example, Google, the page doesn't load.  Apparently, the domain resolves to the wrong ip address, and this is only true for this computer on my network.  Other computers who use the same DNS server as I, have no problem resolving the hostname to the correct ip address.

I have traced this problem to the DNS Resolver Cache.  When I run:

ipconfig/displaydns

I get a long list of hostnames and corresponding ip addresses.  Of one, in particular is this:

   google.com.
   ------------------------------------------------------
     Record Name . . . . . : google.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 31531709
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . :
                       207.44.220.30

This is the wrong ip address, as you can figure out.  So I flush the dns resolver cache, with ipconfig/flushdns and I use the command ipconfig/registerdns, but somehow, these records do not get flushed and erased.  They are still there if I call up the contents of the cache with ipconfig/displaydns again.

I have tried stoping the dns resolver service, but to no avail.  I have also tried looking at the event viewer in win2k, but no suspicious warnings or errors seem to stand out.

How do I fix this problem, and erase the dns resolver cache fully?  Or, if that is not the problem, what is the problem then?  I can verify that it is not a problem with the DNS server, as other users using the same dns server, have no problems.  Or even other operating systems on the same machine, for that matter.

Thanks for all your help!
0
Comment
Question by:rohan_leader
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
  • +1
12 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9720043
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9721160
Check out your hosts file (no extension) in %SystemRoot%\system32\driver\etc; you'll probably find the google entry there.
But that entry has indeed entered your system by some spyware, so check out chicagoan's link.
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 9724150
I've run to this point, 3 different spy-ware detectors, Adaware, Search and Destroy and Net Cop,  I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help.

The DNS Resolver Cache generated by ipconfig/displaydns is the same as ever.

Any other ideas?
0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 
LVL 2

Author Comment

by:rohan_leader
ID: 9724167
Also, just to note, I have also checked out the hosts file that oBdA pointed out, and inspected it comparing it to an example on the web.  I have concluded that it is fine and is not the cause of the problem.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9725982
You might consider uninstalling your modem and network cards... all networking... rebooting and reisntalling
ALso check your running processes and figure out what they all are, a good exercise in any event
0
 
LVL 85

Accepted Solution

by:
oBdA earned 125 total points
ID: 9754300
Just to make sure I got you right: When you run "ipconfig /flushdns" and immediately afterwards (without trying nslookup or browsing to a webpage or whatever) "ipconfig /displaydns", you already have the "google" entry in there?
After running "ipconfig /flushdns", all that's supposed to be in the cache are the contents of the "hosts" file (including the reverse lookup entries "in-addr.arpa"). The default hosts file contains only one entry, "127.0.0.1       localhost".
What I would try next, since it's easy to test: rename the hosts file to hosts.bak. Create a new hosts file, with only one entry
127.0.0.1       localhost
(tab(s) and/or space(s) inbetween the IP and "localhost"). Change the security settings to deny(!) write access for everyone. Reboot and run ipconfig /displaydns to check if the "google" entry is still there.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 9754314
Oh, and maybe a stupid question, but for the sake of completeness: do you have your Windows Explorer options set to show file extensions, and to show hidden files?
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 9754857
I just wanted to clarify the solution.  

Apparently, there was a rogue hosts file in C:\Windows\HELP.  For some reason or another, the google entry was in this hosts file.  I never thought that ipconfig/displaydns would look in this directory for the help file, but for some reason, it did.

A quick find, for the hosts file in the windows directory told me this, and I renamed it, poof, the problem was gone.  Thanks to all who helped.

Indeed, reinstalling would have solved this problem, but its not my computer, so that was not a viable option for me.

No spyware in this one!
0
 

Expert Comment

by:nekote
ID: 10241855
Failure to flush DNS cache using:
ipconfig /flushdns

It's 2 things.

#1, apparently the static entries created via the "hosts" file can't be flushed.
If you really want to get rid of them, they have to be removed from the "hosts" file.
Typically, the "hosts" file is used as a simple and highly effective way to prevent connections to spyware / malware / adware.
Setting the (static) IP address of a domain name to 127.0.0.1 (yourself - the "localhost" machine), effectively prevents potential connections via DNS!  (Wouldn't do anything for hard coded IP addresses).


#2, the ipconfig /displaydns appears to have a bug.
It only *PARTIALLY* lists the entries in the DNS resolver cache (about 50?) before abruptly truncating the output.
MS probably never considered there might be ~4,000+ entries (of malware domains) cached there!
(http://www.mvps.org/winhelp2002/hosts.htm)
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243055
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataDasePath has been modified and hosts has been modified and a file has been created in windows\help

this doesn't happen magically

it's either spyware/adware or a trojan (qhosts, etc.)
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 10243178
chicagoan.. you are right.  This value is now set to:

 %SystemRoot%\help

I want to change this if possible back to its default value.  What is it?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243267
>Comment from chicagoan
>Date: 11/10/2003 11:48PM EST
>sounds like spyware

>Comment from rohan_leader
>Date: 11/11/2003 01:08PM EST
>I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help
Some utilities work better than others :)


%SystemRoot%\System32\drivers\etc is the default value
0

Featured Post

Raise the IQ of Your IT Alerts

From IT major incidents to manufacturing line slowdowns, every business process generates insights that need to reach the people required to take action. You need a platform that integrates with your business tools to create fully enabled DevOps toolchains.

You need xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question