Solved

DNS resolver cache content still shows after /flushdns

Posted on 2006-06-20
22
1,949 Views
Last Modified: 2009-07-29
I am trying to get rid of the content of the DNS cache, some of which are porn sites that I never ever go to.  After I did ipconfig /flushdns and /displaydns, it still shows the same addresses.  What could be wrong here, folks?  Need some guidance.  Thanks to all.
0
Comment
Question by:r_yague
22 Comments
 
LVL 12

Assisted Solution

by:Scotty_cisco
Scotty_cisco earned 55 total points
ID: 16945661
Can you reboot the PC?

Thanks
scott
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 55 total points
ID: 16945704
Have you checked the hosts file?

It's located under c:\windows\system32\drivers\etc\hosts


All these records can be listed here.

Please open it in notepad and check.
0
 
LVL 30

Accepted Solution

by:
ded9 earned 55 total points
ID: 16945774
Go to Start, Control Panel, Administrative Tools, Services, then look for DNS Client, and make sure it's started, and set to manual.

If in manual, set to automatic.


Reps
points

0
 
LVL 30

Expert Comment

by:ded9
ID: 16945794
If above does not work
 Try this
command

dnscmd ServerName /clearcache

Reps


0
 
LVL 30

Expert Comment

by:ded9
ID: 16945834
Also try this
Clearing the Cache

1.Start the DNS Manager from Administrative Tools.

2.From the left-tree view, select the applicable DNS server.

3.On the Action menu, click Clear Cache.

Reps
0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 110 total points
ID: 16946516
Hold up, you are trying to clear this on a DNS server, or a DNS client?

Doing "After I did ipconfig/flushdns and /displaydns" will only clear the DNS CLIENT cache.

Remember, most DNS servers are also DNS clients.
0
 

Author Comment

by:r_yague
ID: 16946616
None of these seemed to work:  Still waiting for that one solution.

-  from Scotty_cisco----I rebooted pc....same result
-  from prashsax--------I checked this path > c:\windows\system32\drivers\etc\hosts,  "lmhosts.txt" instead of "hosts",  showed 2 ip addresses,  then, what's next?
-  from ded9-------------DNS service already set to automatic, same result
-  from ded9-------------dnscmdServerName /clearcache, no such command
-  from ded9-------------there is no DNS Manager in Administrative Tools (this is a standalone PC, not a domain PC)
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16946694
So you don't have hosts file in your system.

There must exist a hosts file at that location.




0
 
LVL 25

Assisted Solution

by:Ron M
Ron M earned 55 total points
ID: 16947231
prashsax is right.

If the file is missing, you can restore it from your i386 folder as well.

Sounds to me like you have a spyware/malware problem that is modifying your hosts file.

Make sure your folder properties are set to show hidden files, and show system files.  Sometimes malware or viruses will change the hosts file and give it hidden attributes.

Once you get that one figured out, I would reboot into safe mode and run some scans.
0
 

Author Comment

by:r_yague
ID: 16947330
I set it to show hidden files and the "hosts" file showed these sample lines.  Now what should I do with them?

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1      008k.com      # Added by SNM
127.0.0.1      00hq.com      # Added by SNM
127.0.0.1      100sexlinks.com      # Added by SNM
127.0.0.1      157.238.62.14      # Added by SNM
127.0.0.1      17-plus.com      # Added by SNM

127.0.0.1      1-domains-registrations.com      # Added by SNM
127.0.0.1      1sexparty.com      # Added by SNM
127.0.0.1      1stpagehere.com      # Added by SNM
127.0.0.1      2020search.com      # Added by SNM                                    
etc....etc...
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 60 total points
ID: 16947683
What is SNM?  Delete all lines that you do not know what they are for.  Please note that some software will add hosts file entries with the loopback address (127.0.0.1) as the IP address to prevent you from going there.
0

 
LVL 7

Assisted Solution

by:Kumar_Jayant123
Kumar_Jayant123 earned 55 total points
ID: 16948487
Hi,

The DNS cache goes off once you restart the DNS Server service.

What if you unplug your network card, restart the DNS service, do an ipconfig /flushdns and try to ping the website?

There are some porn sites which get stored in your system and come up like the default page of the system.

I would recommend doing a thorough virus checkup.

Kumar
0
 
LVL 4

Assisted Solution

by:ansh_gupta
ansh_gupta earned 55 total points
ID: 16949651
The hosts file clearly is bad. You only need to have 127.0.0.1       localhost there. Remove everything else.

0
 
LVL 7

Expert Comment

by:Kumar_Jayant123
ID: 16949712
Hi,

Delete the Host file and rename the Host.sam file and remove the extension .sam.

or

copy a host file from a different server.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16951945
That is what I was asking you.

These are the bad records you want to get rid of.

# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost


This is how it should look (by default).

Now make sure that you are not using some of these entries to access some websites.

The best option is to backup your current host file and then delete all entries from it and make it look like the above.



0
 
LVL 57

Expert Comment

by:giltjr
ID: 16952293
Before he starts wiping out the hosts file, he needs to figure out what the "Added by SNM" means.  I don't know what product it was, but I have worked with somebody that installed a software product that blocked web sites that had adult content.

It did this by adding hosts file entries with the host names of the sites to be blocked to the hosts file with an IP address of the loopback address.

The reason that these hosts show up in the ipconfig /displaydns after you do an ipconfig /flushdns is that Windows reads the hosts file and preloads everything in it so that it limits the number of times it must read the file.

So, first step is to figure out what added or is adding these entries to the hosts file.

The bad part of using the hosts file to block sites is performance.  The person I worked with was complaining about "slow response time surfing the web".  There were so many entries in the hosts file (it was over 6KB) that it took six seconds to scan it to find out if the host name he was trying to resolve was in the hosts file or not.  After cleaning up the hosts file, surfing the web was much faster.
0
 

Author Comment

by:r_yague
ID: 16952320
Kumar_jayant123, there is no DNS server Service.  Only DNS client service

ansh_gupta, everything is on 127.0.0.1.  You mean to say keep all of them?  This is now getting confusing.

Kumar_jayant123, there is no Host.sam.  But there is lmhost.sam.  Also, what server am I going to copy from?  My computer is not a server but a standalone desktop.

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16952474
I totally agree with giltjr.

This is done by some parental control software (or something like that).

Since the IP address is the loopback address, the purpose is very clear (stop access to these sites).

Deleting these entries would mean that your PC would resolve the correct IP address for these sites and could access them.


0
 
LVL 25

Assisted Solution

by:mikeleebrla
mikeleebrla earned 110 total points
ID: 16952537
if any program does internet blocking by using the host file it is a POS and needs to be removed right away.  Do you realize that there are BILLIONs of websites out there and adding them all to the hostfile is the dumbest thing on earth.

More than likely SNM is an old admin who didn't know what he was doing and tried to block 'bad' sites by adding them to the hostfile with the loopback address.
Further evidence that SNM didn't know what he/she was doing is the fact that they had an IP pointed to an IP in the host file:

127.0.0.1     157.238.62.14     # Added by SNM

Sorry, but this has no effect whatsoever since whenever the PC tries to access 157.238.62.14 it will do so directly, and never even look at the hostfile.
0
 
LVL 30

Expert Comment

by:ded9
ID: 16952575
it seems malware stuff

Scan computer
reps
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16952854
Well, I do agree that using the hosts file is not the brightest way to handle site blocking and whatever/whoever is updating the hosts file obviously does not understand how it works and is just blindly adding entries.  Some of the entries are not adult related and some are no longer valid.

If this is what this person is using and he "cleans up" his hosts file, his PC can now get to sites that they may believe are blocked.  Which could cause problems if this is a computer that kids use.

Of course if it is not getting updates there are many (10's, 100's, 1,000's, who knows) sites created daily that are not being blocked.

You could issue the following command:

    find /V "127.0.0.1" hosts > newhosts

This will put all lines that do NOT contain the string 127.0.0.1 in the file hosts into the file called newhosts.  If newhosts contains ANY lines, you need to evaluate them to see if they are still valid.  If they are, then I would suggest that you rename hosts to oldhosts.  Edit newhosts and add:

   127.0.0.1 localhost

as the first line and save it.  Then rename newhosts to hosts.

If newhosts was empty then copy hosts to oldhosts.  Edit hosts and delete EVERYTHING after the line:

    127.0.0.1 localhost

and save.  Then do ipconfig /flushdns and ipconfig /displaydns and the entries should be gone.


However, I guess it is time for the author to respond back.  

Do you, did you have any type of parental control software, pop-up blocker or advertisement blockers on this computer?

Do you know who or what SNM is/was?
0
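
An added example, not part of any post in this thread: a small Python audit of a hosts file that separates the kinds of entry discussed above (the default localhost line, loopback blocking entries, the IP-mapped-to-IP line that has no effect, and names pointed at a non-loopback address, which are the ones to evaluate by hand). The sample text is constructed from lines quoted in the thread plus one made-up entry, and the function names are illustrative.

```python
import ipaddress
from collections import Counter

# Constructed sample: lines quoted in the thread plus one made-up
# non-loopback entry (192.0.2.10 is a documentation address).
SAMPLE_HOSTS = """\
# For example:
127.0.0.1       localhost
127.0.0.1      008k.com      # Added by SNM
127.0.0.1      157.238.62.14      # Added by SNM
127.0.0.1      2020search.com      # Added by SNM
192.0.2.10     intranet.example    # constructed entry
"""

def parse_ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def audit_hosts(text):
    """Classify every active hosts entry; return (findings, comment tag counts)."""
    findings, tags = [], Counter()
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # blank, comment-only or incomplete line
        addr = parse_ip(fields[0])
        if addr is None:
            findings.append((lineno, "malformed", fields[0]))
            continue
        if comment.strip():
            tags[comment.strip()] += 1
        for name in fields[1:]:
            if parse_ip(name) is not None:
                kind = "ip-as-name"  # no effect: IP literals skip name lookup
            elif addr.is_loopback and name.lower() == "localhost":
                kind = "default"
            elif addr.is_loopback or addr.is_unspecified:
                kind = "sinkhole"    # name blocked by pointing it at this PC
            else:
                kind = "redirect"    # name sent elsewhere: review by hand
            findings.append((lineno, kind, name))
    return findings, tags

def needs_review(text):
    """Active entries that are neither the default nor loopback blocks."""
    return [f for f in audit_hosts(text)[0] if f[1] in ("redirect", "malformed")]
```

The tag counts show which comment marker (here "Added by SNM") accounts for the bulk of the entries, which helps when working out what tool or person wrote them before anything is deleted.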
 
LVL 13

Expert Comment

by:prashsax
ID: 16952947
I was talking about these entries.

>127.0.0.1     1sexparty.com     # Added by SNM
>127.0.0.1     1stpagehere.com     # Added by SNM
0
