Solved

Flushing the DNS Resolver Cache doesn't work

Posted on 2003-11-10
7,452 Views
Last Modified: 2007-12-19
Hi everyone!

I'm running Windows 2000 with Service Pack 4, patched with all the security updates available.

However, when I try accessing some sites, for example Google, the page doesn't load.  Apparently, the domain resolves to the wrong IP address, and this is only true for this computer on my network.  Other computers that use the same DNS server as I do have no problem resolving the hostname to the correct IP address.

I have traced this problem to the DNS Resolver Cache.  When I run:

ipconfig/displaydns

I get a long list of hostnames and corresponding IP addresses.  One in particular is this:

   google.com.
   ------------------------------------------------------
     Record Name . . . . . : google.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 31531709
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . :
                       207.44.220.30

This is the wrong IP address, as you can figure out.  So I flush the DNS resolver cache with ipconfig /flushdns and I use the command ipconfig /registerdns, but somehow these records do not get flushed and erased.  They are still there if I call up the contents of the cache with ipconfig /displaydns again.

I have tried stopping the DNS resolver service, but to no avail.  I have also tried looking at the event viewer in Win2k, but no suspicious warnings or errors seem to stand out.

How do I fix this problem and erase the DNS resolver cache fully?  Or, if that is not the problem, what is the problem then?  I can verify that it is not a problem with the DNS server, as other users using the same DNS server have no problems.  Or even other operating systems on the same machine, for that matter.

Thanks for all your help!
Question by:rohan_leader
12 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9720043
 
LVL 85

Expert Comment

by:oBdA
ID: 9721160
Check out your hosts file (no extension) in %SystemRoot%\system32\drivers\etc; you'll probably find the google entry there.
But that entry has indeed entered your system by some spyware, so check out chicagoan's link.
 
LVL 2

Author Comment

by:rohan_leader
ID: 9724150
I've run, to this point, 3 different spyware detectors: Ad-aware, Search and Destroy and Net Cop.  I have found "spyware" and removed it with the tool that found it.  However, none seem to help.

The DNS Resolver Cache shown by ipconfig /displaydns is the same as ever.

Any other ideas?
 
LVL 2

Author Comment

by:rohan_leader
ID: 9724167
Also, just to note, I have also checked out the hosts file that oBdA pointed out and inspected it, comparing it to an example on the web.  I have concluded that it is fine and is not the cause of the problem.
 
LVL 18

Expert Comment

by:chicagoan
ID: 9725982
You might consider uninstalling your modem and network cards... all networking... rebooting and reinstalling.
Also check your running processes and figure out what they all are, a good exercise in any event.
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 9754300
Just to make sure I got you right: When you run "ipconfig /flushdns" and immediately afterwards (without trying nslookup or browsing to a webpage or whatever) "ipconfig /displaydns", you already have the "google" entry in there?
After running "ipconfig /flushdns", all that's supposed to be in the cache are the contents of the "hosts" file (including the reverse lookup entries "in-addr.arpa"). The default hosts file contains only one entry, "127.0.0.1       localhost".
What I would try next, since it's easy to test: rename the hosts file to hosts.bak. Create a new hosts file, with only one entry
127.0.0.1       localhost
(tab(s) and/or space(s) in between the IP and "localhost"). Change the security settings to deny(!) write access for everyone. Reboot and run ipconfig /displaydns to check if the "google" entry is still there.
 
LVL 85

Expert Comment

by:oBdA
ID: 9754314
Oh, and maybe a stupid question, but for the sake of completeness: do you have your Windows Explorer options set to show file extensions, and to show hidden files?
 
LVL 2

Author Comment

by:rohan_leader
ID: 9754857
I just wanted to clarify the solution.  

Apparently, there was a rogue hosts file in C:\Windows\HELP.  For some reason or another, the google entry was in this hosts file.  I never thought that ipconfig/displaydns would look in this directory for the help file, but for some reason, it did.

A quick find for the hosts file in the Windows directory told me this, and I renamed it; poof, the problem was gone.  Thanks to all who helped.

Indeed, reinstalling would have solved this problem, but it's not my computer, so that was not a viable option for me.

No spyware in this one!
 

Expert Comment

by:nekote
ID: 10241855
Failure to flush DNS cache using:
ipconfig /flushdns

It's 2 things.

#1, apparently the static entries created via the "hosts" file can't be flushed.
If you really want to get rid of them, they have to be removed from the "hosts" file.
Typically, the "hosts" file is used as a simple and highly effective way to prevent connections to spyware / malware / adware.
Setting the (static) IP address of a domain name to 127.0.0.1 (yourself - the "localhost" machine), effectively prevents potential connections via DNS!  (Wouldn't do anything for hard coded IP addresses).


#2, the ipconfig /displaydns appears to have a bug.
It only *PARTIALLY* lists the entries in the DNS resolver cache (about 50?) before abruptly truncating the output.
MS probably never considered there might be ~4,000+ entries (of malware domains) cached there!
(http://www.mvps.org/winhelp2002/hosts.htm)
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243055
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataBasePath has been modified, and hosts has been modified, and a file has been created in windows\help.

this doesn't happen magically

it's either spyware/adware or a trojan (qhosts, etc.)
 
LVL 2

Author Comment

by:rohan_leader
ID: 10243178
chicagoan.. you are right.  This value is now set to:

 %SystemRoot%\help

I want to change this if possible back to its default value.  What is it?
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243267
>Comment from chicagoan
>Date: 11/10/2003 11:48PM EST
>sounds like spyware

>Comment from rohan_leader
>Date: 11/11/2003 01:08PM EST
>I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help
Some utilities work better than others :)


%SystemRoot%\System32\drivers\etc is the default value
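The thread converges on two checks: that the Tcpip DataBasePath registry value is still the default chicagoan gives above, and that the hosts file it points at contains only loopback/sinkhole mappings (which, as oBdA notes, is all that should survive ipconfig /flushdns). The Python below is an added example, not code from the thread or any of its posters, that performs both checks. On Windows it reads the live DataBasePath value and the hosts file that value names; elsewhere it runs against a constructed sample hosts file, which reuses the 207.44.220.30 address quoted in the question. The function names, the sample text and the `read_live_values` helper are this example's own.

```python
"""Audit the Tcpip DataBasePath value and the hosts file it points at.

Example code written for this page; the registry path, default value and
hijack pattern come from the thread, everything else is an assumption.
"""
import ipaddress
import os
import sys

# Default given in the thread; compared case-insensitively after normalisation.
DEFAULT_DATABASE_PATH = r"%SystemRoot%\System32\drivers\etc"

# Constructed sample: the default localhost line, one blocklist-style sinkhole
# (benign, the pattern nekote describes) and a hijack using the address from
# the question's ipconfig /displaydns output.
SAMPLE_HOSTS = """\
# constructed sample hosts file for this example
127.0.0.1       localhost
127.0.0.1       ads.example
207.44.220.30   google.com  www.google.com
"""


def check_databasepath(value):
    """Return None if value is the default DataBasePath, else a finding string."""
    norm = value.strip().replace("/", "\\").rstrip("\\").lower()
    if norm == DEFAULT_DATABASE_PATH.lower():
        return None
    return f"DataBasePath is {value!r}, expected {DEFAULT_DATABASE_PATH}"


def parse_hosts(text):
    """Parse hosts-file text into (lineno, ip, [names]) tuples.

    '#' starts a comment, fields are whitespace separated, blank lines are
    skipped and a line with fewer than two fields is kept with ip=None.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append((lineno, None, fields))
        else:
            entries.append((lineno, fields[0], fields[1:]))
    return entries


def hosts_findings(text):
    """Flag entries that pin a name to a routable address.

    Loopback and 0.0.0.0 mappings are the blocklist idiom and are not flagged;
    anything else is a name being redirected away from DNS, the hijack seen here.
    """
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip is None:
            findings.append(f"hosts line {lineno}: malformed entry {names!r}")
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"hosts line {lineno}: {ip!r} is not an IP address")
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        findings.append(
            f"hosts line {lineno}: {', '.join(names)} pinned to routable address {ip}"
        )
    return findings


def audit(databasepath_value, hosts_text):
    """Combine both checks; an empty list means nothing suspicious."""
    findings = []
    dbp = check_databasepath(databasepath_value)
    if dbp:
        findings.append(dbp)
    findings.extend(hosts_findings(hosts_text))
    return findings


def read_live_values():
    """Windows only: read DataBasePath and the hosts file it names.

    Reads CurrentControlSet (the active control set) rather than ControlSet001,
    so the value checked is the one the resolver is actually using.
    """
    import winreg  # assumption: standard-library module, present on Windows
    key_path = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _reg_type = winreg.QueryValueEx(key, "DataBasePath")
    hosts_path = os.path.join(os.path.expandvars(value), "hosts")
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        return value, fh.read()


if __name__ == "__main__":
    if sys.platform == "win32":
        dbp_value, hosts_text = read_live_values()
    else:
        dbp_value, hosts_text = r"%SystemRoot%\help", SAMPLE_HOSTS  # constructed
    for finding in audit(dbp_value, hosts_text) or ["no findings"]:
        print(finding)
```

Run against the constructed sample the audit reports two findings: the DataBasePath redirected to %SystemRoot%\help and the google.com line pinned to 207.44.220.30; the 127.0.0.1 sinkhole is left alone. On a live Windows host, a non-default DataBasePath means the file that ipconfig /flushdns reloads is not the one in drivers\etc, which is exactly why inspecting the usual hosts file looked clean in this thread.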
