Solved

DNS resolver cache content still shows after /flushdns

Posted on 2006-06-20
Last Modified: 2009-07-29
I am trying to get rid of the content of the DNS cache, some of which are porn sites that I never ever go into.  After I did ipconfig /flushdns and /displaydns, it still shows the same addresses.  What could be wrong here, folks?  Need some guidance.  Thanks to all.
Question by:r_yague
22 Comments
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 55 total points
ID: 16945661
Can you reboot the PC?

Thanks
scott
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 55 total points
ID: 16945704
Have you checked the hosts file?

It's located under c:\windows\system32\drivers\etc\hosts


All these records can be listed here.

Please open it in notepad and check.
0
 
LVL 30

Accepted Solution

by:
ded9 earned 55 total points
ID: 16945774
Go to Start, Control Panel, Administrative Tools, Services, then look for DNS Client, and make sure it's started and set to manual.

If it is set to manual, set it to automatic.


Reps
points

0

 
LVL 30

Expert Comment

by:ded9
ID: 16945794
If above does not work
 Try this
command

dnscmd ServerName /clearcache

Reps


0
 
LVL 30

Expert Comment

by:ded9
ID: 16945834
Also try this
Clearing the Cache

1.Start the DNS Manager from Administrative Tools.

2.From the left-tree view, select the applicable DNS server.

3.On the Action menu, click Clear Cache.

Reps
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 110 total points
ID: 16946516
Hold up, you are trying to clear this on a DNS server, or a DNS client?

Doing "After I did ipconfig/flushdns and /displaydns" will only clear the DNS CLIENT cache.

Remember, most DNS servers are also DNS clients.
0
 

Author Comment

by:r_yague
ID: 16946616
None of these seemed to work:  Still waiting for that one solution.

-  from Scotty_cisco----I rebooted pc....same result
-  from prashsax--------I checked this path > c:\windows\system32\drivers\etc\hosts,  "lmhosts.txt" instead of "hosts",  showed 2 ip addresses,  then, what's next?
-  from ded9-------------DNS service already set to automatic, same result
-  from ded9-------------dnscmdServerName /clearcache, no such command
-  from ded9-------------there is no DNS Manager in Administrative Tools (this is a standalone PC, not a domain PC)
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16946694
So you don't have a hosts file on your system.

There must be a hosts file at that location.




0
 
LVL 25

Assisted Solution

by:Ron Malmstead
Ron Malmstead earned 55 total points
ID: 16947231
prashsax is right.

If the file is missing, you can restore it from your i386 folder as well.

Sounds to me like you've got a spyware/malware problem that is modifying your hosts file.

Make sure your folder properties are set to show hidden files and show system files.  Sometimes malware and viruses will change the hosts file and give it hidden attributes.

Once you get that one figured out, I would reboot into safe mode and run some scans.
0
 

Author Comment

by:r_yague
ID: 16947330
I set it to show hidden files, and the "hosts" file showed these sample lines.  Now what should I do with them?

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1      008k.com      # Added by SNM
127.0.0.1      00hq.com      # Added by SNM
127.0.0.1      100sexlinks.com      # Added by SNM
127.0.0.1      157.238.62.14      # Added by SNM
127.0.0.1      17-plus.com      # Added by SNM

127.0.0.1      1-domains-registrations.com      # Added by SNM
127.0.0.1      1sexparty.com      # Added by SNM
127.0.0.1      1stpagehere.com      # Added by SNM
127.0.0.1      2020search.com      # Added by SNM                                    
etc....etc...
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 60 total points
ID: 16947683
What is SNM?  Delete all lines that you do not know what they are for.  Please note that some software will add hosts file entries with the loopback address (127.0.0.1) as the IP address to prevent you from going there.
0
 
LVL 7

Assisted Solution

by:Kumar_Jayant123
Kumar_Jayant123 earned 55 total points
ID: 16948487
Hi,

The DNS Cache goes off once you restart the DNS server Service.

What if you unplug your network card, restart the DNS service, do an ipconfig /flushdns and try to ping the website?

There are some porn sites which get stored in your system and come up like the default page of the system.

I would recommend doing a thorough virus checkup.

Kumar
0
 
LVL 4

Assisted Solution

by:ansh_gupta
ansh_gupta earned 55 total points
ID: 16949651
The hosts file clearly is bad. You only need to have 127.0.0.1       localhost there. Remove everything else.

0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16949712
Hi,

Delete the Host file and rename the Host.sam file, removing the extension .sam.

or

copy a host file from a different server.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16951945
That is what I was asking you.

These are the bad records you want to get rid of.

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


This is how it should look (by default).

Now make sure that you are not using some of these entries to access some websites.

The best option is to back up your current hosts file and then delete all entries from it and make it look like the above.



0
 
LVL 57

Expert Comment

by:giltjr
ID: 16952293
Before he starts wiping out the hosts file, he needs to figure out what the "Added by SNM" means.  I don't know what product it was, but I have worked with somebody that installed a software product that blocked web sites that had adult content.

It did this by adding hosts file entries with the host names of the sites to be blocked to the hosts file with an IP address of the loopback address.

The reason that these hosts show up in the ipconfig /displaydns after you do an ipconfig /flushdns is that Windows reads the hosts file and preloads everything in it so that it limits the number of times it must read the file.

So, first step is to figure out what added or is adding these entries to the hosts file.

The bad part of using the hosts file to block sites is performance.  The person I worked with was complaining about "slow response time surfing the web".  There were so many entries in the hosts file (it was over 6KB) that it took six seconds to scan it to find out if the host name he was trying to resolve was in the hosts file or not.  After cleaning up the hosts file, surfing the web was much faster.
0
 

Author Comment

by:r_yague
ID: 16952320
Kumar_jayant123, there is no DNS server Service.  Only DNS client service

ansh_gupta, everything is on 127.0.0.1.  You mean to say keep all of them?  This is now getting confusing.

Kumar_jayant123, there is no Host.sam.  But there is lmhost.sam.  Also, what server am I going to copy from?  My computer is not a server but a standalone desktop.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16952474
I totally agree with giltjr.

This is done by some Parental Control Software(Or something like that).

Since the IP address is loopback address, the purpose is very clear.(Stop access to these sites)

Deleting these entries would mean that your pc would resolve correct ip address to these sites and can access them.


0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 110 total points
ID: 16952537
if any program does internet blocking by using the host file it is a POS and needs to be removed right away.  Do you realize that there are BILLIONs of websites out there and adding them all to the hostfile is the dumbest thing on earth.

More than likely SNM is an old admin who didn't know what he was doing and tried to block 'bad' sites by adding them to the hostfile with the loopback address.
Further evidence that SNM didn't know what he/she was doing is the fact that they had an IP pointed to an IP in the host file:

127.0.0.1     157.238.62.14     # Added by SNM

Sorry, but this has no effect whatsoever since whenever the PC tries to access 157.238.62.14 it will do so directly, and never even look at the hostfile.
0
 
LVL 30

Expert Comment

by:ded9
ID: 16952575
it seems malware stuff

Scan computer
reps
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16952854
Well, I do agree that using the hosts file is not the brightest way to handle site blocking and whatever/whoever is updating the hosts file obviously does not understand how it works and is just blindly adding entries.  Some of the entries are not adult related and some are no longer valid.

If this is what this person is using and he "cleans up" his hosts file, his PC can now get to sites that they may believe are blocked.  Which could cause problems if this is a computer that kids use.

Of course if it is not getting updates there are many (10's, 100's, 1,000's, who knows) sites created daily that are not being blocked.

You could issue the following command:

    find /V "127.0.0.1" hosts > newhosts

This will put all lines that do NOT contain the string 127.0.0.1 in the file hosts into the file called newhosts.  If newhosts contains ANY lines, you need to evaluate them to see if they are still valid.  If they are, then I would suggest that you rename hosts to oldhosts.  Edit newhosts and add:

   127.0.0.1 localhost

as the first line and save it.  Then rename newhosts to hosts.

If newhosts was empty then copy hosts to oldhosts.  Edit hosts and delete EVERYTHING after the line:

    127.0.0.1 localhost

and save.  Then do ipconfig /flushdns and ipconfig /displaydns and the entries should be gone.


However, I guess it is time for the author to respond back.  

Do you, did you have any type of parental control software, pop-up blocker or advertisement blockers on this computer?

Do you know who or what SNM is/was?
0
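The checks discussed in the two posts above (an IP literal in the name column does nothing; loopback entries are local blocks; anything else in the hosts file needs a look before the file is rebuilt), as an added example that is not code from any poster in this thread. The function names are hypothetical, and the sample reuses lines quoted in the thread plus one constructed non-loopback entry.

```python
import ipaddress

# Constructed sample: lines quoted in this thread plus one made-up
# non-loopback mapping (203.0.113.5 is a documentation address).
SAMPLE_HOSTS = """\
# For example:
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1      008k.com      # Added by SNM
127.0.0.1      157.238.62.14      # Added by SNM
127.0.0.1      1sexparty.com      # Added by SNM
203.0.113.5    intranet.example   # constructed entry
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def audit_hosts(text):
    """Sort every active hosts entry into one of four buckets."""
    report = {"localhost": [], "sinkholed": [], "no_effect": [], "review": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2 or not is_ip(fields[0]):
            continue  # blank, comment-only or malformed line
        addr = ipaddress.ip_address(fields[0])
        for name in fields[1:]:
            entry = (lineno, fields[0], name, comment.strip())
            if is_ip(name):
                # An IP literal is never looked up by name: entry does nothing.
                report["no_effect"].append(entry)
            elif name.lower() == "localhost" and addr.is_loopback:
                report["localhost"].append(entry)
            elif addr.is_loopback or addr.is_unspecified:
                report["sinkholed"].append(entry)  # name blocked locally
            else:
                report["review"].append(entry)     # name sent to another host
    return report

def cleaned_hosts(text):
    """Proposed rebuilt file: localhost first, then the entries left to review."""
    kept = audit_hosts(text)["review"]
    return ["127.0.0.1 localhost"] + [f"{ip} {name}" for _, ip, name, _ in kept]

if __name__ == "__main__":
    for bucket, entries in audit_hosts(SAMPLE_HOSTS).items():
        print(bucket, len(entries))
    print("\n".join(cleaned_hosts(SAMPLE_HOSTS)))
```

The script only reads and reports; writing the result back to the real hosts file, after keeping a backup copy, is left to the person doing the cleanup.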
 
LVL 13

Expert Comment

by:prashsax
ID: 16952947
I was talking about these entries.

>127.0.0.1     1sexparty.com     # Added by SNM
>127.0.0.1     1stpagehere.com     # Added by SNM
0
