
ping resolves all host names on internal lan to an external ip: 208.254.26.132

Posted on 2007-08-01
Last Modified: 2013-11-25
I have a network with 15 client workstations - there is
a mix of XP, 2000 and Vista clients and one Windows 2003 Server. The
server is acting as Domain Controller and running terminal server, but is not acting as DNS server or
WINS Server. Most of the clients use Remote Desktop to access their
shared inventory/accounting app. In fact the clients are configured  as joining the workgroup, but
not to join the domain, but everyone logs in as active users on the server. So really, the
server is not being completely used as a domain controller.

I have a linksys router and a static WAN ip address assigned by the cable internet
provider (68.xx.xx.xx). Almost all of the clients just use automatic dhcp addressing and get
their DNS server addresses from the router which is configured with the dns addresses
provided by Cox (cable/internet provider). A few of the machines have
statically assigned ip addresses (including the server).
All machines have ip addresses assigned in the range 192.168.1.xxx.
All of the machines simply use the DNS pulled from the router (the 68.xx.xx.xx number
(I can't remember it off the top of my head), that's why I'm not filling it in) OR in the
case of the statically assigned machines - I used those same DNS addresses.

Of the 15 clients; 3 of them are having this identical problem - ONE of
those 3 is the server:
no matter what hostname you ping, it resolves to this ip address:
208.254.26.132
ping warranty it returns 208.254.26.132
ping server it returns 208.254.26.132  - ON ALL host names.
(except itself)
you get the picture.

ALL of the machines (including the 3 with the problem above) can get
on the internet AND the clients can use Remote Desktop. The two problem
machines must access the server through the ip address directly (rather
than the host name) - still almost everything functions correctly
except intermittent printer issues going through the remote desktop.
All of the other machines access the server using the host name.

I have tried various tactics to clear the arp cache, run nbtstat -RR,
flush the dns, etc. on these machines. This problem cropped up
about a month ago - on all 3 machines at once.

I have run virus checks AND root kit revealers - I haven't found anything
yet on these machines - I have run the microsoft root kit revealer
and I am not quite sure what I am looking for here - exactly, but
nothing seems totally off AND other brand root kit revealers show up
clean. After a bit of checking around, it started seeming
like I have some kind of arp cache poisoning or Man in the Middle issue
i.e. all of the traffic is going to some machine at that above IP
address before it comes back. While trying to troubleshoot this, I have also
replaced the router (this morning) - the old router had been occasionally
assigning duplicate ip addresses - so I figured it wouldn't hurt to replace
it anyhow. This required me to take down the entire network.

It also required Cox to flush the arp cache on their end to provision
the new router.

When this happened; I made sure that the other problem machines were
turned off and disconnected every switch, modem, etc.

When I rebooted the server. I also brought back up one of the problem
machines (and then the other) - but not the internet connection. When I ran the ping
INTERNALLY without an internet connection. Everything pinged correctly
on all 3 machines - though the return on the ping was very slow.
It was only after I reinitiated the connection to the internet that
all 3 machines almost immediately started the same behavior (returning
208.254.26.132 as a response to a ping of any host name on the network).

On all 3 of these machines, I can go to Network Places and see
all of the host names of the computers on the network AND get into
the resources. The only real issues apparent to the end user
have to do with a printer that intermittently disconnects through
remote desktop and that I have to use the direct IP address to
access the server through remote desktop ONLY on the 2 problem machines.

This sounds like it has to be a trojan or something hacked into on
these computers, but I haven't found any virus program yet that has
identified any virus or malware.

Does this seem familiar to anyone? What else can I look for?
Thank you for your help!
Question by:zeroexp
18 Comments
 
LVL 8

Expert Comment

by:thenone
ID: 19612675
What is the server's ip address set up as, dhcp? Is the linksys doing the dhcp releases?
0
 
LVL 8

Expert Comment

by:thenone
ID: 19612684
Do an ipconfig /all: click Start, click Run, type cmd and click OK. Type ipconfig /all and post the results here for the server etc.
0
 

Author Comment

by:zeroexp
ID: 19612942
the server is statically assigned - I believe I mentioned that in my original post above. I've tried the other two machines both ways - again - this problem only appears when I have a connection through the router to the internet. This problem happened yesterday on an old router and today with a brand new router. I put the new router on and routed only internal machines through it. All machines resolved the host names correctly (but slow). Then as soon as I plugged the cable modem back into the router - IMMEDIATELY the next time I did a ping - it resolved to the 208.254.26.132 with all host names (all 3 'problem' machines). I was able to
re-create this - i.e. unplug the modem, do a repair on the network connection to clear the caches,
then ping - and everything resolving correctly. Plug back in the modem and the problem immediately
shows back up.

Here is the output from the ipconfig /all - on the server (which is NOT dhcp), though I have changed the domain name itself for the purpose of
privacy.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER1
   Primary Dns Suffix  . . . . . . . : ourdomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ourdomain.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-12-3F-D2-D1-F8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 68.1.18.229
                                       68.10.16.20
0

 
LVL 8

Expert Comment

by:thenone
ID: 19612970
do you have dhcp service running on the server?
0
 
LVL 4

Expert Comment

by:amajidkh
ID: 19613055
If the ping routes only show when you have the internet connected, i.e. the gateway, it seems to be doing some sort of resolution for you. As a test, could you please enter the host names and ip address in the hosts and lmhosts file and try then.

Secondly remove the DNS server address and put in the address of the router only.

I would strongly suggest you implement a wins or better yet a dns server as it will simplify and actually speed up your network internally if configured right.

majid
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19613102
If it were me I would rebuild the server and possibly the domain
-"server is acting as Domain Controller and running terminal server"
  bad combination
-"is not acting as DNS server or WINS Server"
   Why not?
-"In fact the clients are configured  as joining the workgroup, but
not to join the domain"
    again why not
-"Almost all of the clients just use automatic dhcp addressing and get
their DNS server addresses from the router "
   You have no internal DNS server

Not to be rude, but it is a DNS nightmare. However...
208.254.26.132  appears as if it may be a web server for multiple domains.
http://www.whoistag.com/domain/turismopy.com/
I was trying to locate as I thought it may be a DNS server and responding due to some odd configuration. You might be on the right track with your malware suspicions. It could be pointing to one of those sites.
It is also listed as an IP to be added to an ad blocking list:
http://pgl.yoyo.org/adservers/iplist.php

Sorry, that really doesn't help you to resolve but may shed some light.
Try at a command line running
netstat -an
Look through the resulting list for any "Established" connections with that IP.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19613140
If any connections exist actually
netstat -anb
would be better as it will tell you what application is being used which may help to further isolate.
0
 
LVL 7

Expert Comment

by:tharstern
ID: 19613286
There is no reason why you shouldn't use DNS on your domain controller. Install the DNS server and set up your router as a forwarder. It takes less than ten minutes and will resolve all your issues. Also add the DHCP server and remove it from your router.

Make sure you get proper DNS servers from your ISP and enter them as forwarders in your DNS server, and the router's address as the last one.

In a network your size, you really shouldn't be using a router to give out DHCP addresses, and to control internal DNS queries.
0
 
LVL 5

Expert Comment

by:kmotaweh
ID: 19615386
From one machine that gives you that, try to use this command: ipconfig /flushdns, and after that try to ping again.
0
 
LVL 2

Accepted Solution

by:
Dirk75 earned 1000 total points
ID: 19615561
Did you choose a local top-level domain suffix for your domain like ourdomain.local ?
Otherwise there might be a domain in the internet that uses your domain name. In that case your router will always resolve the IP Address configured for that domain.

Solution:
1. Configure your domain suffix to a .local suffix.
2. Install a DNS Server on your Server and make it your primary Nameserver on the Server and on all Clients.
3. Check that the dns domain name is configured in your DHCP Server options.

That should do the job


0
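
An added example, not part of the original thread: a simplified Python model of the lookup order behind this answer, using the thread's own values (SERVER1 at 192.168.1.3, suffix ourdomain.com, 208.254.26.132). It assumes the public zone answers every label with a wildcard record and that NetBIOS is only tried when DNS returns nothing; the resolver functions and the NETBIOS table are constructed stand-ins.

```python
import socket
import uuid

def os_dns(fqdn):
    """Real lookup through the OS resolver; None when the name does not resolve."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None

def wildcard_answer(suffix, dns=os_dns):
    """Query a random label under the suffix; any answer means a wildcard record."""
    return dns("probe-%s.%s" % (uuid.uuid4().hex[:12], suffix))

def resolve_short_name(name, suffix, dns, netbios):
    """Simplified model (an assumption, not Windows source): the DNS suffix is
    appended and DNS is asked first; NetBIOS is used only if DNS has no answer."""
    ip = dns("%s.%s" % (name.lower(), suffix))
    if ip is not None:
        return ip, "dns"
    return netbios.get(name.upper()), "netbios"

# --- constructed data modelling the thread, not captured traffic ---
NETBIOS = {"SERVER1": "192.168.1.3"}   # what a LAN broadcast would answer

def isp_dns(fqdn):
    # Assumed wildcard in the public zone: every label maps to the web host.
    return "208.254.26.132" if fqdn.endswith(".ourdomain.com") else None

def modem_unplugged(fqdn):
    return None                         # the query to the ISP times out

def internal_dns(fqdn):
    # Zone held on the LAN's own DNS server; unknown names get no answer.
    return {"server1.ourdomain.local": "192.168.1.3"}.get(fqdn)

def scenarios():
    return {
        "isp_dns": resolve_short_name("server1", "ourdomain.com", isp_dns, NETBIOS),
        "offline": resolve_short_name("server1", "ourdomain.com", modem_unplugged, NETBIOS),
        "internal": resolve_short_name("server1", "ourdomain.local", internal_dns, NETBIOS),
        "wildcard": wildcard_answer("ourdomain.com", isp_dns),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(label, result)
```

Calling `wildcard_answer` with only a suffix runs the same probe through the real OS resolver.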
 

Author Comment

by:zeroexp
ID: 19622345
Thanks for all of these great suggestions! I won't work on this system again until Saturday and I
will try some of these. the domain does resolve on the internet to that ip - so that explains part of it -
but I'm going to configure the server for dns as you suggest. I sort of inherited the configuration only halfway set up incorrectly and so I am beginning to unravel the configuration now. I will post as I start to figure this out.
0
 
LVL 78

Assisted Solution

by:Rob Williams
Rob Williams earned 1000 total points
ID: 19622356
Good choice to add DNS, I would recommend moving DHCP to the server as well.
Did you get a chance to run netstat -anb  to see if anyone had an established connection with your machine?
If it is any help, below is a DNS check list. Let us know how you make out.
Cheers !

Assuming you have completed the server installation, installed Active Directory, and joined the workstations to the Domain, make sure DNS is configured as follows, assuming a single network adapter:
-The server's NIC should be configured with a static IP, the Internet router as the gateway, and only the server itself as the DNS server. Do not use an ISP DNS server here
-Each workstation should be configured using DHCP (obtain an IP address and DNS automatically) or if configured with static addresses; a static IP in the same subnet as the server, same subnet mask as the server, the gateway pointing to your Internet router, and the DNS server pointing ONLY to the server/domain controller. Again do not put an ISP's DNS server here
-In the DNS management console under Administrative tools, right click on the server name and choose properties. On the Forwarders tab add your ISP's DNS servers
-If the workstations are using DHCP, open the DHCP management console on the server under Administrative tools and click on the server name to expand it, click on the scope to expand it, right click on scope options and choose configure options. On the general tab add the Internet router's IP in #003 router, the server's IP in #006 DNS Servers, and the domain name and suffix under #015 such as mydomain.local
-If  DHCP is enabled on the router, rather than the server, it should really be disabled on the router and configured on the server. Enabling DHCP on the server assists with dynamic updates to DNS for older clients, allows for central management, and far more scope options.
-The DHCP client service should be running on servers and workstations even where you are not using DHCP assignments. The DHCP client service controls the dynamic DNS updates
 
If you have been having DNS problems, on the workstations that have been having problems you should clear the DNS cache by entering at a command line  
  ipconfig  /flushdns
and then
  ipconfig  /registerdns
0
 

Author Comment

by:zeroexp
ID: 19622384
this is GREAT...thank you very much - I will let you know. I haven't been there to run the netstat -anb
command since reading this but I will try it first and then proceed with your suggestions!

0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 19622393
OK, Good luck.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 19629292
DNS and Forwarders:
As you know DNS resolves IP to names. Forwarders are used by DNS. If a name doesn't exist in your DNS, It will look for the forwarder. The forwarder will forward your DNS query to an outside DNS until a resolution has been resolved.  Hence, the 208.xxx.xxx.xxx address.

When you configure DNS on your domain controller, you will have to add forwarders. Otherwise, you may not be able to access the internet.

Adding DNS is wise, but you may run into a few unforeseen complications we can help you with.
 
0
 

Author Comment

by:zeroexp
ID: 20119272
Thanks for these suggestions - at the moment - I have been resolving other issues on-site at that location; though I will be adding DNS server as a role and changing over the users to use the internal server for DNS sometime in the next few weeks. I hope I can still access this question after it has been closed if I need to refer to it again? Thanks again.

Margaret
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20119293
If the call is still open then I will leave it in place. Please place an update here within 21 days though else it will be closed as it will be assumed to be abandoned.

Thanks
Keith
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 20119410
Let us know how it goes Margaret, and perhaps we can help with any issues during the "switch over".
Cheers all!
--Rob
0
