• Status: Solved

Hidden DNS Entry?

I have a workstation on my domain that I can ping, remote desktop to and connect to over the network.

If I do an NSLOOKUP, I get the correct IP address back from the domain controller running DNS server.

But if I look in the forward lookup zone and reverse lookup zone of the server, there is no entry corresponding to this IP address or this workstation name!

How does the DNS server know the entry if the entry isn't listed?  Is it hidden?

The domain has two controllers, running server 2003, both are DNS servers (the records aren't on either one) and both are WINS servers (there are no corresponding entries in the Active Registrations).

How is this name resolution being done?

Thanks.
0
gateguard
Asked:
2 Solutions
 
dhoffman_98 Commented:
The query is being forwarded by the domain controller to another source, either another DNS server, or the root servers, or the information is in the cache on the DNS server.

To see your cached lookups, enable the advanced view in DNS.

0
 
gateguard (Author) Commented:
Thanks.  I didn't know about cached lookups.

But when I enable it, I see a bunch of folders, each one obviously the last part of a FQDN (such as .com, .org, etc) and when I go into the com folder I don't see a subfolder for my domain.  The only domains in there are all outside domains.

When I do an NSLOOKUP and it tells me the name of the responding server, is that the actual server that provided the information or just the "nearby" DNS server, providing it after getting it from some other DNS or root server?
0
 
Chris Dent (PowerShell Developer) Commented:

I agree that it must be forwarding the query. However, I suspected it would be forwarded to WINS for resolution.

But then... There are definitely no records for it in WINS?

Either way, can you check and see if the WINS options are enabled by opening the properties for your Forward Lookup Zone?

We can explain Ping resolving the name (if it's name only, not name.domain.com) because it will use NetBIOS broadcast for name resolution.

That shouldn't work with nslookup though.

Chris
0
 
gateguard (Author) Commented:
WINS is enabled.

And now the record is in DNS (it's appeared since I opened this question).  Strange.

And even now that the record has appeared in the DNS zone, it still isn't in the WINS Active Registrations.

This isn't a burning issue since it's about "how things work" not about fixing something that's broken.

0
 
Chris Dent (PowerShell Developer) Commented:

Odd, it should have only resolved that record if it had an entry either in the Forward Lookup Zone or on the WINS Server.

I've seen WINS Forwarding lead to something like this previously; I didn't post that originally because you'd said there were no active registrations in WINS for the system.

With that in mind it should have returned not found for the host.

It wouldn't be listed in the cache or anything like that because your server will be authoritative for the zone (domain). Only non-authoritative responses are cached.

Chris
0
 
dhoffman_98 Commented:
Is it possible that you have set up your DNS zone to allow for dynamic updates?

You wrote that you suddenly found the entry in your DNS system... something would have had to put it there. If you or one of your admins didn't, then the system itself must have. So if you have a system in your own domain that starts up, it will try to register itself with DNS.
0
 
gateguard (Author) Commented:
I do have dynamic updates turned on, but the workstation was already on for a long time, and I could already get to it and the record wasn't in DNS and then later the record appeared.

I'm not wondering so much how the record appeared as I am how could I get to it in the first place if there was no A record in DNS and no Active Registration in WINS.
0
 
dhoffman_98 Commented:
Well, here's what's odd.

There is the issue of NetBIOS names... the short name of a computer without being fully qualified. On your local network, if you were to try to ping a computer that is not in DNS, then the master browser service could still maintain a cache of all computers on the subnet by their NetBIOS names... just like WINS, but very dynamic.

HOWEVER... you said that you used NSLOOKUP. That's what confuses me. Ping will allow for NetBIOS resolution, but unless I'm incorrect, NSLOOKUP only relies on DNS entries.

So unless your DNS server was also somehow pulling entries from WINS or the master browser, I'm not sure where NSLOOKUP would have gotten valid information.

Next time this happens, you could try this. Start nslookup. Then type "set debug" and hit enter. Then type the name of the node you are looking for. You'll see a bunch of stuff fill the screen as nslookup attempts to find a reliable source for the lookup. Information in the last entry should tell you where it got the valid response from.



0
 
gateguard (Author) Commented:
This is what I get from nslookup in debug:

> set debug
> nslookup ARCHER
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ARCHER, type = A, class = IN

------------
*** Can't find address for server ARCHER: Server failed


And yet, I can still ping the machine ARCHER.
0
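
The header fields printed in the nslookup debug output above, decoded from the DNS wire format (added example, not part of the original thread). The sample bytes are constructed to match the printed values, and the function names are illustrative. SERVFAIL means the server could not complete the query, which is a different result from NXDOMAIN (the name does not exist).

```python
import struct
# RCODE names from RFC 1035 section 4.1.1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def read_name(msg, off):
    """Read an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 or off + 1 + n > len(msg):
            raise ValueError("compressed or truncated label")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n

def decode_response(msg):
    """Decode the 12-byte header and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    out = {
        "id": ident,
        "response": bool(flags & 0x8000),         # QR
        "opcode": (flags >> 11) & 0xF,            # 0 = QUERY
        "authoritative": bool(flags & 0x0400),    # AA
        "want_recursion": bool(flags & 0x0100),   # RD
        "recursion_avail": bool(flags & 0x0080),  # RA
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }
    if qd:
        out["qname"], off = read_name(msg, 12)
        if len(msg) < off + 4:
            raise ValueError("truncated question")
        out["qtype"], out["qclass"] = struct.unpack("!2H", msg[off:off + 4])
    return out

def answered_from_dns(hdr):
    """True only if the DNS server itself returned answer records."""
    return hdr["response"] and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0

# Constructed sample: id 2, flags 0x8182 (response, RD, RA, rcode 2), "ARCHER A IN"
SAMPLE = bytes.fromhex("000281820001000000000000") + b"\x06ARCHER\x00\x00\x01\x00\x01"

print(decode_response(SAMPLE))
```
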
 
Chris Dent (PowerShell Developer) Commented:

Ping will use NetBIOS resolution, including Broadcast, to resolve a name. It doesn't need DNS at all.

If you could nslookup ARCHER without a Host (A) Record I'd be much more surprised.

Chris
0
 
dhoffman_98 Commented:
OK, now this makes sense then.

That's why I said I was confused earlier because you said you were using NSLOOKUP to resolve the name.

This makes more sense because, as I stated earlier, ping does not only rely on DNS, but will also call other sources. NSLOOKUP relies only on DNS.

Ping can look in your local hosts file as well as contacting a WINS server or using NetBIOS resolution via the computer browser service.
0
 
gateguard (Author) Commented:
I did a bunch of clean-up in my DNS and I'm not sure how I fixed it but it seems to be fixed.

All I can advise to anyone having a similar problem, is make sure all your t's are dotted and your i's are crossed in DNS.

Thanks for all the help here.  Your suggestions pointed me in good directions.
0
