Solved

Flushing the DNS Resolver Cache doesn't work

Posted on 2003-11-10
12
7,425 Views
Last Modified: 2007-12-19
Hi everyone!

I'm running Windows 2000 with Service Pack 4, patched with all the security updates available.

However, when I try accessing some sites, for example, Google, the page doesn't load.  Apparently, the domain resolves to the wrong ip address, and this is only true for this computer on my network.  Other computers who use the same DNS server as I, have no problem resolving the hostname to the correct ip address.

I have traced this problem to the DNS Resolver Cache.  When I run:

ipconfig/displaydns

I get a long list of hostnames and corresponding ip addresses.  Of one, in particular is this:

   google.com.
   ------------------------------------------------------
     Record Name . . . . . : google.com
     Record Type . . . . . : 1
     Time To Live  . . . . : 31531709
     Data Length . . . . . : 4
     Section . . . . . . . : Answer
     A (Host) Record . . . :
                       207.44.220.30

This is the wrong ip address, as you can figure out.  So I flush the dns resolver cache, with ipconfig/flushdns and I use the command ipconfig/registerdns, but somehow, these records do not get flushed and erased.  They are still there if I call up the contents of the cache with ipconfig/displaydns again.

I have tried stoping the dns resolver service, but to no avail.  I have also tried looking at the event viewer in win2k, but no suspicious warnings or errors seem to stand out.

How do I fix this problem, and erase the dns resolver cache fully?  Or, if that is not the problem, what is the problem then?  I can verify that it is not a problem with the DNS server, as other users using the same dns server, have no problems.  Or even other operating systems on the same machine, for that matter.

Thanks for all your help!
0
Comment
Question by:rohan_leader
  • 4
  • 4
  • 3
  • +1
12 Comments
 
LVL 18

Expert Comment

by:chicagoan
ID: 9720043
0
 
LVL 83

Expert Comment

by:oBdA
ID: 9721160
Check out your hosts file (no extension) in %SystemRoot%\system32\driver\etc; you'll probably find the google entry there.
But that entry has indeed entered your system by some spyware, so check out chicagoan's link.
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 9724150
I've run to this point, 3 different spy-ware detectors, Adaware, Search and Destroy and Net Cop,  I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help.

The DNS Resolver Cache generated by ipconfig/displaydns is the same as ever.

Any other ideas?
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 9724167
Also, just to note, I have also checked out the hosts file that oBdA pointed out, and inspected it comparing it to an example on the web.  I have concluded that it is fine and is not the cause of the problem.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9725982
You might consider uninstalling your modem and network cards... all networking... rebooting and reisntalling
ALso check your running processes and figure out what they all are, a good exercise in any event
0
 
LVL 83

Accepted Solution

by:
oBdA earned 125 total points
ID: 9754300
Just to make sure I got you right: When you run "ipconfig /flushdns" and immediately afterwards (without trying nslookup or browsing to a webpage or whatever) "ipconfig /displaydns", you already have the "google" entry in there?
After running "ipconfig /flushdns", all that's supposed to be in the cache are the contents of the "hosts" file (including the reverse lookup entries "in-addr.arpa"). The default hosts file contains only one entry, "127.0.0.1       localhost".
What I would try next, since it's easy to test: rename the hosts file to hosts.bak. Create a new hosts file, with only one entry
127.0.0.1       localhost
(tab(s) and/or space(s) inbetween the IP and "localhost"). Change the security settings to deny(!) write access for everyone. Reboot and run ipconfig /displaydns to check if the "google" entry is still there.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 83

Expert Comment

by:oBdA
ID: 9754314
Oh, and maybe a stupid question, but for the sake of completeness: do you have your Windows Explorer options set to show file extensions, and to show hidden files?
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 9754857
I just wanted to clarify the solution.  

Apparently, there was a rogue hosts file in C:\Windows\HELP.  For some reason or another, the google entry was in this hosts file.  I never thought that ipconfig/displaydns would look in this directory for the help file, but for some reason, it did.

A quick find, for the hosts file in the windows directory told me this, and I renamed it, poof, the problem was gone.  Thanks to all who helped.

Indeed, reinstalling would have solved this problem, but its not my computer, so that was not a viable option for me.

No spyware in this one!
0
 

Expert Comment

by:nekote
ID: 10241855
Failure to flush DNS cache using:
ipconfig /flushdns

It's 2 things.

#1, apparently the static entries created via the "hosts" file can't be flushed.
If you really want to get rid of them, they have to be removed from the "hosts" file.
Typically, the "hosts" file is used as a simple and highly effective way to prevent connections to spyware / malware / adware.
Setting the (static) IP address of a domain name to 127.0.0.1 (yourself - the "localhost" machine), effectively prevents potential connections via DNS!  (Wouldn't do anything for hard coded IP addresses).


#2, the ipconfig /displaydns appears to have a bug.
It only *PARTIALLY* lists the entries in the DNS resolver cache (about 50?) before abruptly truncating the output.
MS probably never considered there might be ~4,000+ entries (of malware domains) cached there!
(http://www.mvps.org/winhelp2002/hosts.htm)
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243055
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DataDasePath has been modified and hosts has been modified and a file has been created in windows\help

this doesn't happen magically

it's either spyware/adware or a trojan (qhosts, etc.)
0
 
LVL 2

Author Comment

by:rohan_leader
ID: 10243178
chicagoan.. you are right.  This value is now set to:

 %SystemRoot%\help

I want to change this if possible back to its default value.  What is it?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10243267
>Comment from chicagoan
>Date: 11/10/2003 11:48PM EST
>sounds like spyware

>Comment from rohan_leader
>Date: 11/11/2003 01:08PM EST
>I have found "spy-ware" and removed them with the tool that found them.  However, none seem to help
Some utilities work better than others :)


%SystemRoot%\System32\drivers\etc is the default value
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now