zeroexp asked:
ping resolves all host names on internal lan to an external ip: 208.254.26.132

I have a network with 15 client workstations - there is
a mix of XP, 2000 and Vista clients and one Windows 2003 Server. The
server is acting as Domain Controller and running terminal server, but is not acting as DNS server or
WINS Server. Most of the clients use Remote Desktop to access their
shared inventory/accounting app. In fact the clients are configured to join the workgroup,
not the domain, but everyone logs in as active users on the server. So really, the
server is not being completely used as a domain controller.

I have a linksys router and a static WAN ip address assigned by the cable internet
provider (68.xx.xx.xx). Almost all of the clients just use automatic dhcp addressing and get
their DNS server addresses from the router which is configured with the dns addresses
provided by Cox (cable/internet provider). A few of the machines have
statically assigned ip addresses (including the server).
All machines have ip addresses assigned in the range 192.168.1.xxx.
All of the machines simply use the DNS pulled from the router (the 68.xx.xx.xx numbers;
I can't remember them off the top of my head, which is why I'm not filling them in), OR in the
case of the statically assigned machines, I used those same DNS addresses.

Of the 15 clients, 3 of them are having this identical problem - ONE of
those 3 is the server:
no matter what hostname you ping, it resolves to this ip address:
208.254.26.132
ping warranty - it returns 208.254.26.132
ping server - it returns 208.254.26.132 - ON ALL host names
(except itself).
You get the picture.

ALL of the machines (including the 3 with the problem above) can get
on the internet AND the clients can use Remote Desktop. The two problem
machines must access the server through the ip address directly (rather
than the host name) - still almost everything functions correctly
except intermittent printer issues going through the remote desktop.
All of the other machines access the server using the host name.

I have tried various tactics to clear the arp cache, run nbtstat -RR,
flush the dns, etc. on these machines. This problem cropped up
about a month ago - on all 3 machines at once.

I have run virus checks AND root kit revealers - I haven't found anything
yet on these machines - I have run the microsoft root kit revealer
and I am not quite sure what I am looking for here - exactly, but
nothing seems totally off AND other brand root kit revealers show up
clean. After a bit of checking around, it started seeming
like I have some kind of arp cache poisoning or Man in the Middle issue
i.e. all of the traffic is going to some machine at that above IP
address before it comes back. While trying to troubleshoot this, I have also
replaced the router (this morning) - the old router had been occasionally
assigning duplicate ip addresses - so I figured it wouldn't hurt to replace
it anyhow. This required me to take down the entire network.

It also required Cox to flush the arp cache on their end to provision
the new router.

When this happened; I made sure that the other problem machines were
turned off and disconnected every switch, modem, etc.

When I rebooted the server, I also brought back up one of the problem
machines (and then the other) - but not the internet connection. When I ran the ping
INTERNALLY without an internet connection, everything pinged correctly
on all 3 machines - though the return on the ping was very slow.
It was only after I reinitiated the connection to the internet that
all 3 machines almost immediately started the same behavior (returning
208.254.26.132 as a response to a ping of any host name on the network).

On all 3 of these machines, I can go to Network Places and see
all of the host names of the computers on the network AND get into
the resources. The only real issues apparent to the end user
have to do with a printer that intermittently disconnects through
remote desktop and that I have to use the direct IP address to
access the server through remote desktop ONLY on the 2 problem machines.

This sounds like it has to be a trojan or something hacked into on
these computers, but I haven't found any virus program yet that has
identified any virus or malware.

Does this seem familiar to anyone? What else can I look for?
Thank you for your help!
thenone:
What is the server's IP address set up as - DHCP? Is the Linksys doing the DHCP leases?
Do an ipconfig /all: click Start, click Run, type cmd and click OK. Type ipconfig /all and post the results here for the server etc.
zeroexp (asker):
The server is statically assigned - I believe I mentioned that in my original post above. I've tried the other two machines both ways - again, this problem only appears when I have a connection through the router to the internet. This problem happened yesterday on an old router and today with a brand new router. I put the new router on and routed only internal machines through it. All machines resolved the host names correctly (but slowly). Then as soon as I plugged the cable modem back into the router - IMMEDIATELY the next time I did a ping - it resolved to 208.254.26.132 with all host names (all 3 'problem' machines). I was able to
re-create this - i.e. unplug the modem, do a repair on the network connection to clear the caches,
then ping - and everything resolves correctly. Plug back in the modem and the problem immediately
shows back up.

Here is the output from ipconfig /all on the server (which is NOT DHCP), though I have changed the domain name itself for the purpose of
privacy.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER1
   Primary Dns Suffix  . . . . . . . : ourdomain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ourdomain.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-12-3F-D2-D1-F8
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 68.1.18.229
                                       68.10.16.20

Do you have the DHCP service running on the server?
If the ping routes only show when you have the internet connected, i.e. the gateway, it seems to be doing some sort of resolution for you. As a test, could you please enter the host names and IP addresses in the hosts and lmhosts files and try then.

Secondly, remove the DNS server addresses and put in the address of the router only.

I would strongly suggest you implement a WINS or, better yet, a DNS server, as it will simplify and actually speed up your network internally if configured right.

majid
Rob Williams:
If it were me I would rebuild the server and possibly the domain
-"server is acting as Domain Controller and running terminal server"
  bad combination
-"is not acting as DNS server or WINS Server"
   Why not?
-"In fact the clients are configured  as joining the workgroup, but
not to join the domain"
    again why not
-"Almost all of the clients just use automatic dhcp addressing and get
their DNS server addresses from the router "
   You have no internal DNS server

Not to be rude, but it is a DNS nightmare. However...
208.254.26.132  appears as if it may be a web server for multiple domains.
http://www.whoistag.com/domain/turismopy.com/
I was trying to locate it as I thought it may be a DNS server and responding due to some odd configuration. You might be on the right track with your malware suspicions. It could be pointing to one of those sites.
It is also listed as an IP to be added to an ad blocking list:
http://pgl.yoyo.org/adservers/iplist.php

Sorry, that really doesn't help you to resolve it but may shed some light.
Try at a command line running
netstat -an
Look through the resulting list for any "Established" connections with that IP.
If any connections exist actually
netstat -anb
would be better as it will tell you what application is being used which may help to further isolate.
There is no reason why you shouldn't use DNS on your domain controller. Install the DNS server and set up your router as a forwarder. It takes less than ten minutes and will resolve all your issues. Also add the DHCP server and remove it from your router.

Make sure you get proper DNS servers from your ISP and enter them as forwarders in your DNS server, and the router's address as the last one.

In a network your size, you really shouldn't be using a router to give out DHCP addresses, and to control internal DNS queries.
From one machine that gives you that, try to use this command: ipconfig /flushdns, and after that try to ping again.
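A small triage helper for the netstat -anb check suggested above, added here as an example and not code from the thread or from any poster. It parses netstat -anb output in the layout Windows XP/2003 print (the connection line, followed by the owning executable in brackets on the next line) and lists the sockets whose foreign address is the IP in question together with the process netstat attributes them to. The sample output embedded in the block is constructed, and the process names in it are illustrative, not findings from the asker's machines.

```python
"""
Triage helper for "netstat -anb": parse the output and list the sockets
talking to one remote address, with the executable netstat names for each.
Added example, not code from the thread. The sample below is constructed
and its process names are invented for illustration.
"""
import re
from typing import Dict, List

# Constructed sample in the layout netstat -anb prints on Windows XP/2003:
# the connection line, then the owning executable in brackets on the next
# line. Component DLL paths may appear between the two and are skipped.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  [svchost.exe]
  TCP    192.168.1.3:3389       192.168.1.15:1045      ESTABLISHED     1472
  [svchost.exe]
  TCP    192.168.1.3:1078       208.254.26.132:80      ESTABLISHED     2876
  C:\WINDOWS\system32\WININET.dll
  [iexplore.exe]
  TCP    192.168.1.3:1081       208.254.26.132:80      TIME_WAIT       0
  UDP    192.168.1.3:137        *:*                                    4
  [System]
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)
# The "[program.exe]" line netstat -b prints under a connection.
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Turn netstat -anb text into one dict per socket; the executable is taken
    from the bracketed line that follows the socket (empty string if none)."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            rows.append({
                "proto": proto,
                "local": f"{laddr}:{lport}",
                "remote": raddr,
                "remote_port": rport,
                "state": state or "",
                "pid": pid,
                "exe": "",
            })
            continue
        m = EXE_RE.match(line)
        if m and rows and not rows[-1]["exe"]:
            rows[-1]["exe"] = m.group(1)
    return rows


def connections_to(text: str, remote_ip: str,
                   established_only: bool = True) -> List[Dict[str, str]]:
    """Sockets whose foreign address is remote_ip (ESTABLISHED only by default,
    which is the filter Rob suggested applying by eye)."""
    return [
        r for r in parse_netstat(text)
        if r["remote"] == remote_ip
        and (not established_only or r["state"] == "ESTABLISHED")
    ]


if __name__ == "__main__":
    # On a real machine: feed in the saved output of "netstat -anb > conns.txt".
    for hit in connections_to(SAMPLE_NETSTAT, "208.254.26.132"):
        print(f'{hit["proto"]} {hit["local"]} -> {hit["remote"]}:{hit["remote_port"]} '
              f'{hit["state"]} pid={hit["pid"]} exe={hit["exe"]}')
```

A browser holding an HTTP connection to a shared web host is the unexciting outcome; what would matter is a process that has no business talking to that address, or a connection that persists with no browser open.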
ASKER CERTIFIED SOLUTION
Dirk75 (Germany):
[This solution is only available to members of Experts Exchange.]
zeroexp (asker):
Thanks for all of these great suggestions! I won't work on this system again until Saturday and I
will try some of these. The domain does resolve on the internet to that IP - so that explains part of it -
but I'm going to configure the server for DNS as you suggest. I sort of inherited the configuration only halfway set up, incorrectly, and so I am beginning to unravel the configuration now. I will post as I start to figure this out.
SOLUTION
[This solution is only available to members of Experts Exchange.]
zeroexp (asker):
this is GREAT...thank you very much - I will let you know. I haven't been there to run the netstat -anb
command since reading this but I will try it first and then proceed with your suggestions!

OK, Good luck.
DNS and Forwarders:
As you know DNS resolves IP to names. Forwarders are used by DNS. If a name doesn't exist in your DNS, It will look for the forwarder. The forwarder will forward your DNS query to an outside DNS until a resolution has been resolved.  Hence, the 208.xxx.xxx.xxx address.

When you configure DNS on your domain controller, you will have to add forwarders. Otherwise, you may not be able to access the internet.

Adding DNS is wise, but you may run into a few unforeseen complications we can help you with.
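The resolution path argued over in this thread, modelled in Python as an added example (not code from the thread or from any of the posters). It follows the Windows order of hosts file first, then DNS with the primary DNS suffix appended to a short name, and shows three things: why a hosts entry (the test thenone proposed) wins over DNS, how a machine carrying the ourdomain.com suffix from the ipconfig output turns "ping warranty" into a query for warranty.ourdomain.com that the ISP's resolver answers with the public address, and how an internal DNS server that is authoritative for ourdomain.com and forwards everything else (the DNS-and-forwarders advice above) changes the outcome. Assumptions, labelled in the code: the ISP-resolver table, the internal zone contents, the idea that every label under ourdomain.com answers with 208.254.26.132 (the asker only confirmed that the domain itself does), and that the three affected machines carry the ourdomain.com suffix while the workgroup machines do not. The NetBIOS/WINS fallback that follows DNS on a Hybrid node is left out.

```python
"""
Windows-style name resolution modelled in Python: hosts file first, then
DNS with the machine's primary DNS suffix appended to short names.
NetBIOS/WINS, which a Hybrid node tries after DNS, is not modelled.
Added example, not code from the thread; the ISP-resolver table, the
internal zone and the hosts file below are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

DnsFn = Callable[[str], Optional[str]]

# Constructed hosts file: the test thenone proposed.
HOSTS_FILE = """
# constructed hosts file
192.168.1.3    server1 server
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in hosts-file text to its address (names lower-cased)."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = addr
    return table


def candidate_fqdns(name: str, primary_suffix: str) -> List[str]:
    """
    Simplified Windows DNS-client rule: a single-label name is sent to DNS
    only with the primary DNS suffix appended; a dotted name is tried as
    typed and then with the suffix. Suffix devolution and connection-specific
    suffixes are left out.
    """
    bare = name.rstrip(".")
    names: List[str] = []
    if "." in bare:
        names.append(bare)
    if primary_suffix:
        names.append(f"{bare}.{primary_suffix}")
    return names


# Constructed stand-in for the ISP resolvers (the 68.x addresses in the
# ipconfig output). The asker confirmed that ourdomain.com resolves on the
# internet to 208.254.26.132; that every label under it answers the same way
# is an ASSUMPTION made here to reproduce the symptom.
ISP_ANSWERS = {"www.example.net": "203.0.113.10"}


def isp_resolver(fqdn: str) -> Optional[str]:
    if fqdn == "ourdomain.com" or fqdn.endswith(".ourdomain.com"):
        return "208.254.26.132"
    return ISP_ANSWERS.get(fqdn)


# Constructed internal zone: what the DNS role on the domain controller would
# hold once the server and the workstations are registered in it.
INTERNAL_ZONE = {
    "server1.ourdomain.com": "192.168.1.3",
    "warranty.ourdomain.com": "192.168.1.20",
}


def internal_dns(fqdn: str, forwarder: DnsFn = isp_resolver) -> Optional[str]:
    """
    Internal DNS authoritative for ourdomain.com: names in the zone are
    answered locally, unknown names under the zone get NXDOMAIN (they are
    never sent to the forwarder), and every other domain is forwarded.
    """
    if fqdn == "ourdomain.com" or fqdn.endswith(".ourdomain.com"):
        return INTERNAL_ZONE.get(fqdn)
    return forwarder(fqdn)


def resolve(name: str, hosts: Dict[str, str], primary_suffix: str,
            dns: DnsFn) -> Tuple[Optional[str], str]:
    """Return (address, source), where source names the step that answered."""
    key = name.lower()
    if key in hosts:
        return hosts[key], "hosts"
    for fqdn in candidate_fqdns(key, primary_suffix):
        answer = dns(fqdn)
        if answer is not None:
            return answer, f"dns:{fqdn}"
    # A real client would now fall back to NetBIOS broadcast/WINS, which is
    # how the workgroup machines (no primary suffix) still find "server".
    return None, "unresolved"


if __name__ == "__main__":
    no_hosts: Dict[str, str] = {}
    print(resolve("warranty", no_hosts, "ourdomain.com", isp_resolver))   # symptom
    print(resolve("warranty", no_hosts, "", isp_resolver))                # workgroup box
    print(resolve("server", parse_hosts(HOSTS_FILE), "ourdomain.com", isp_resolver))
    print(resolve("warranty", no_hosts, "ourdomain.com", internal_dns))   # fixed
    print(resolve("nosuchhost", no_hosts, "ourdomain.com", internal_dns))
    print(resolve("www.example.net", no_hosts, "ourdomain.com", internal_dns))
```

The point of the authoritative zone is the NXDOMAIN case: once the server is authoritative for ourdomain.com, an unknown internal name stops being handed to the ISP's resolver at all, which is what the forwarder-only advice ("put in the address of the router") would not fix on its own.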
 
Avatar of zeroexp

ASKER

Thanks for these suggestions - at the moment - I have been resolving other issues on-site at that location; though I will be adding DNS server as a role and changing over the users to use the internal server for DNS sometime in the next few weeks. I hope I can still access this question after it has been closed if I need to refer to it again? Thanks again.

Margaret
If the call is still open then I will leave it in place. Please place an update here within 21 days though else it will be closed as it will be assumed to be abandoned.

Thanks
Keith
Let us know how it goes Margaret, and perhaps we can help with any issues during the "switch over".
Cheers all!
--Rob