Ping resolves all host names on internal LAN to an external IP

Posted on 2007-08-01
Last Modified: 2013-11-25
I have a network with 15 client workstations - there is
a mix of XP, 2000 and Vista clients and one Windows 2003 Server. The
server is acting as Domain Controller and running terminal server, but is not acting as DNS server or
WINS server. Most of the clients use Remote Desktop to access their
shared inventory/accounting app. In fact the clients are configured as joining the workgroup, but
not to join the domain, but everyone logs in as active users on the server. So really, the
server is not being completely used as a domain controller.

I have a Linksys router and a static WAN IP address assigned by the cable internet
provider (68.xx.xx.xx). Almost all of the clients just use automatic DHCP addressing and get
their DNS server addresses from the router, which is configured with the DNS addresses
provided by Cox (cable/internet provider). A few of the machines have
statically assigned IP addresses (including the server).
All machines have IP addresses assigned in the range
All of the machines simply use the DNS pulled from the router (the 68.xx.xx.xx number;
I can't remember it off the top of my head, that's why I'm not filling it in) OR in the
case of the statically assigned machines - I used those same DNS addresses.

Of the 15 clients, 3 of them are having this identical problem - ONE of
those 3 is the server:
no matter what hostname you ping, it resolves to this IP address:
ping warranty it returns
ping server it returns  - ON ALL host names
(except itself).
You get the picture.

ALL of the machines (including the 3 with the problem above) can get
on the internet AND the clients can use Remote Desktop. The two problem
machines must access the server through the ip address directly (rather
than the host name) - still almost everything functions correctly
except intermittent printer issues going through the remote desktop.
All of the other machines access the server using the host name.

I have tried various tactics to clear the ARP cache, run nbtstat -RR,
flush the DNS, etc. on these machines. This problem cropped up
about a month ago - on all 3 machines at once.

I have run virus checks AND rootkit revealers - I haven't found anything
yet on these machines - I have run the Microsoft RootkitRevealer
and I am not quite sure what I am looking for here - exactly, but
nothing seems totally off AND other brand rootkit revealers show up
clean. After a bit of checking around, it started seeming
like I have some kind of ARP cache poisoning or Man in the Middle issue,
i.e. all of the traffic is going to some machine at that above IP
address before it comes back. While trying to troubleshoot this, I have also
replaced the router (this morning) - the old router had been occasionally
assigning duplicate IP addresses - so I figured it wouldn't hurt to replace
it anyhow. This required me to take down the entire network.

It also required Cox to flush the ARP cache on their end to provision
the new router.

When this happened; I made sure that the other problem machines were
turned off and disconnected every switch, modem, etc.

When I rebooted the server, I also brought back up one of the problem
machines (and then the other) - but not the internet connection. When I ran the ping
INTERNALLY without an internet connection, everything pinged correctly
on all 3 machines - though the return on the ping was very slow.
It was only after I reinitiated the connection to the internet that
all 3 machines almost immediately started the same behavior (returning  as a response to a ping of any host name on the network).

On all 3 of these machines, I can go to Network Places and see
all of the host names of the computers on the network AND get into
the resources. The only real issues apparent to the end user
have to do with a printer that intermittently disconnects through
remote desktop and that I have to use the direct IP address to
access the server through remote desktop ONLY on the 2 problem machines.

This sounds like it has to be a trojan or something hacked into on
these computers, but I haven't found any virus program yet that has
identified any virus or malware.

Does this seem familiar to anyone? What else can I look for?
Thank you for your help!
Question by:zeroexp
    LVL 8

    Expert Comment

    What is the server's IP address, set up as DHCP? Is the Linksys doing the DHCP releases?
    LVL 8

    Expert Comment

    Do an ipconfig /all: click Start, click Run, type cmd and click OK. Type ipconfig /all and post the results here for the server etc.

    Author Comment

    The server is statically assigned - I believe I mentioned that in my original post above. I've tried the other two machines both ways - again - this problem only appears when I have a connection through the router to the internet. This problem happened yesterday on an old router and today with a brand new router. I put the new router on and routed only internal machines through it. All machines resolved the host names correctly (but slow). Then as soon as I plugged the cable modem back into the router - IMMEDIATELY the next time I did a ping - it resolved to the  with all host names (all 3 'problem' machines). I was able to
    re-create this - i.e. unplug the modem, do a repair on the network connection to clear the caches,
    then ping - and everything resolving correctly. Plug back in the modem and the problem immediately
    shows back up.

    Here is the output from the ipconfig /all - on the server (which is NOT DHCP), though I have changed the domain name itself for the purpose of

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SERVER1
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . :

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
       Physical Address. . . . . . . . . : 00-12-3F-D2-D1-F8
       DHCP Enabled. . . . . . . . . . . : No
       IP Address. . . . . . . . . . . . :
       Subnet Mask . . . . . . . . . . . :
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . :


    LVL 8

    Expert Comment

    Do you have the DHCP service running on the server?
    LVL 4

    Expert Comment

    If the ping routes only show when you have the internet connected, i.e. the gateway, it seems to be doing some sort of resolution for you. As a test, could you please enter the host names and IP addresses in the hosts and lmhosts files and try then.

    Secondly, remove the DNS server address and put in the address of the router only.

    I would strongly suggest you implement a WINS or, better yet, a DNS server as it will simplify and actually speed up your network internally if configured right.

    LVL 77

    Expert Comment

    by:Rob Williams
    If it were me I would rebuild the server and possibly the domain
    -"server is acting as Domain Controller and running terminal server"
      bad combination
    -"is not acting as DNS server or WINS Server"
       Why not?
    -"In fact the clients are configured  as joining the workgroup, but
    not to join the domain"
        again why not
    -"Almost all of the clients just use automatic dhcp addressing and get
    their DNS server addresses from the router "
       You have no internal DNS server

    Not to be rude, but it is a DNS nightmare. However...  appears as if it may be a web server for multiple domains.
    I was trying to locate  as I thought it may be a DNS server and responding due to some odd configuration. You might be on the right track with your malware suspicions. It could be pointing to one of those sites.
    It is also listed as an IP to be added to an ad blocking list:

    Sorry, that really doesn't help you to resolve but may shed some light.
    Try at a command line running
    netstat -an
    Look through the resulting list for any "Established" connections with that IP.
    LVL 77

    Expert Comment

    by:Rob Williams
    If any connections exist, actually
    netstat -anb
    would be better as it will tell you what application is being used, which may help to further isolate.
    LVL 7

    Expert Comment

    There is no reason why you shouldn't use DNS on your domain controller. Install the DNS server and set up your router as a forwarder. It takes less than ten minutes and will resolve all your issues. Also add the DHCP server and remove it from your router.

    Make sure you get proper DNS servers from your ISP and enter them as forwarders in your DNS server, and the router's address as the last one.

    In a network your size, you really shouldn't be using a router to give out DHCP addresses and to control internal DNS queries.
    LVL 5

    Expert Comment

    From one machine that gives you that, try to use this command: ipconfig /flushdns and after that try to ping again.
    LVL 2

    Accepted Solution

    Did you choose a local top-level domain suffix for your domain like ourdomain.local?
    Otherwise there might be a domain on the internet that uses your domain name. In that case your router will always resolve the IP address configured for that domain.

    1. Configure your domain suffix to a .local suffix.
    2. Install a DNS server on your server and make it your primary nameserver on the server and on all clients.
    3. Check that the DNS domain name is configured in your DHCP server options.

    That should do the job.


    Author Comment

    Thanks for all of these great suggestions! I won't work on this system again until Saturday and I
    will try some of these. The domain does resolve on the internet to that IP - so that explains part of it -
    but I'm going to configure the server for DNS as you suggest. I sort of inherited the configuration only halfway set up incorrectly and so I am beginning to unravel the configuration now. I will post as I start to figure this out.
    LVL 77

    Assisted Solution

    by:Rob Williams
    Good choice to add DNS, I would recommend moving DHCP to the server as well.
    Did you get a chance to run netstat -anb  to see if anyone had an established connection with your machine?
    If it is any help, below is a DNS check list. Let us know how you make out.
    Cheers !

    Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the domain, make sure DNS is configured as follows, assuming a single network adapter:
    -The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here.
    -Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or, if configured with static addresses: a static IP in the same subnet as the server, same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again, do not put an ISP's DNS server here.
    -In the DNS management console under Administrative Tools, right click on the server name and choose Properties. On the Forwarders tab add your ISP's DNS servers.
    -If the workstations are using DHCP, open the DHCP management console on the server under Administrative Tools and click on the server name to expand it, click on the scope to expand it, right click on Scope Options and choose Configure Options. On the General tab add the Internet router's IP in #003 Router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015 such as mydomain.local.
    -If DHCP is enabled on the router, rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS for older clients, allows for central management, and far more scope options.
    -The DHCP Client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP Client service controls the dynamic DNS updates.
    If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line
      ipconfig  /flushdns
    and then
      ipconfig  /registerdns
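
To make the accepted solution's suffix collision and the DNS checklist above concrete, here is a small Python model of how a Windows client resolves a single-label name such as `ping warranty`. It is added here as an illustration and is not code from the thread; the LAN hosts, the two suffixes and the 203.0.113.10 wildcard address are constructed placeholders standing in for the redacted values. It reproduces the three situations the asker reported: every name going to the external IP, the slow-but-correct result with the modem unplugged, and the behaviour after moving to a .local suffix with an internal DNS server that forwards to the ISP.

```python
# Constructed model of Windows single-label name resolution (not the thread's own data).
LAN_HOSTS = {"server1": "192.168.1.2", "warranty": "192.168.1.20"}  # what answers on the LAN
PUBLIC_WILDCARD_IP = "203.0.113.10"  # public web host answering *.example-corp.com (placeholder)
PUBLIC_SUFFIX = "example-corp.com"   # AD domain name that also exists on the internet
LOCAL_SUFFIX = "example-corp.local"  # suffix recommended in the accepted solution


def isp_dns(fqdn):
    """ISP resolver reached via the router: knows only public zones, one of which has a wildcard."""
    if fqdn.endswith("." + PUBLIC_SUFFIX):
        return PUBLIC_WILDCARD_IP  # wildcard record: any label under the zone matches
    return None


def internal_dns(fqdn):
    """DNS role on the DC: authoritative for the .local zone, forwards everything else."""
    if fqdn.endswith("." + LOCAL_SUFFIX):
        return LAN_HOSTS.get(fqdn.split(".")[0])  # NXDOMAIN (None) for unknown hosts
    return isp_dns(fqdn)  # forwarder: the ISP servers entered on the Forwarders tab


def resolve(short_name, suffix, dns_server, dns_reachable=True):
    """Resolve a single-label name: DNS with the suffix appended first, NetBIOS broadcast second.

    Returns (ip, source) so the caller can see which path produced the answer.
    """
    fqdn = f"{short_name.lower()}.{suffix}"
    if dns_reachable:
        ip = dns_server(fqdn)
        if ip:
            return ip, "dns"
    # DNS unreachable (modem unplugged) or no record: NetBIOS broadcast, slow but correct
    ip = LAN_HOSTS.get(short_name.lower())
    return (ip, "netbios") if ip else (None, "unresolved")


if __name__ == "__main__":
    # Symptom: every host name resolves to the same external address
    print("broken:", resolve("warranty", PUBLIC_SUFFIX, isp_dns))
    print("broken:", resolve("server1", PUBLIC_SUFFIX, isp_dns))
    # Modem unplugged: DNS times out, NetBIOS answers correctly but slowly
    print("offline:", resolve("warranty", PUBLIC_SUFFIX, isp_dns, dns_reachable=False))
    # Fixed: .local suffix plus internal DNS with forwarders
    print("fixed:", resolve("warranty", LOCAL_SUFFIX, internal_dns))
    print("fixed:", resolve("nosuchhost", LOCAL_SUFFIX, internal_dns))
```

Note that installing the DNS role alone is not enough: with the internal server forwarding but the suffix left as the public name, `nosuchhost.example-corp.com` still forwards out and hits the wildcard, which is why step 1 of the accepted solution matters.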

    Author Comment

    This is GREAT...thank you very much - I will let you know. I haven't been there to run the netstat -anb
    command since reading this but I will try it first and then proceed with your suggestions!

    LVL 77

    Expert Comment

    by:Rob Williams
    OK, Good luck.
    LVL 38

    Expert Comment

    DNS and Forwarders:
    As you know DNS resolves IP to names. Forwarders are used by DNS. If a name doesn't exist in your DNS, It will look for the forwarder. The forwarder will forward your DNS query to an outside DNS until a resolution has been resolved.  Hence, the address.

    When you configure DNS on your domain controller, you will have to add forwarders. Otherwise, you may not be able to access the internet.

    Adding DNS is wise, but you may run into a few unforeseen complications we can help you with.

    Author Comment

    Thanks for these suggestions - at the moment - I have been resolving other issues on-site at that location; though I will be adding DNS server as a role and changing over the users to use the internal server for DNS sometime in the next few weeks. I hope I can still access this question after it has been closed if I need to refer to it again? Thanks again.

    LVL 51

    Expert Comment

    by:Keith Alabaster
    If the call is still open then I will leave it in place. Please place an update here within 21 days though else it will be closed as it will be assumed to be abandoned.

    LVL 77

    Expert Comment

    by:Rob Williams
    Let us know how it goes Margaret, and perhaps we can help with any issues during the "switch over".
    Cheers all!
