Solved

Hidden DNS Entry?

Posted on 2008-06-17
Last Modified: 2008-07-10
I have a workstation on my domain that I can ping, remote desktop to and connect to over the network.

If I do an NSLOOKUP, I get the correct IP address back from the domain controller running DNS server.

But if I look in the forward lookup zone and reverse lookup zone of the server, there is no entry corresponding to this IP address or this workstation name!

How does the DNS server know the entry if the entry isn't listed?  Is it hidden?

The domain has two controllers, running server 2003, both are DNS servers (the records aren't on either one) and both are WINS servers (there are no corresponding entries in the Active Registrations).

How is this name resolution being done?

Thanks.
Question by:gateguard
12 Comments
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 21802385
The query is being forwarded by the domain controller to another source, either another DNS server, or the root servers, or the information is in the cache on the DNS server.

To see your cached lookups, enable the advanced view in DNS.

0
 

Author Comment

by:gateguard
ID: 21803343
Thanks.  I didn't know about cached lookups.

But when I enable it, I see a bunch of folders, each one obviously the last part of a FQDN (such as .com, .org, etc) and when I go into the com folder I don't see a subfolder for my domain.  The only domains in there are all outside domains.

When I do an NSLOOKUP and it tells me the name of the responding server, is that the actual server that provided the information or just the "nearby" DNS server, providing it after getting it from some other DNS or root server?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21804464

I agree that it must be forwarding the query. However, I suspected it would be forwarded to WINS for resolution.

But then... There are definitely no records for it in WINS?

Either way, can you check and see if the WINS options are enabled by opening the properties for your Forward Lookup Zone?

We can explain Ping resolving the name (if it's name only, not name.domain.com) because it will use NetBIOS broadcast for name resolution.

That shouldn't work with nslookup though.

Chris
0
 

Author Comment

by:gateguard
ID: 21805159
WINS is enabled.

And now the record is in DNS (it's appeared since I opened this question).  Strange.

And even now that the record has appeared in the DNS zone, it still isn't in the WINS Active Registrations.

This isn't a burning issue since it's about "how things work" not about fixing something that's broken.

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 21805252

Odd, it should have only resolved that record if it had an entry either in the Forward Lookup Zone or on the WINS Server.

I've seen WINS Forwarding lead to something like this previously; I didn't post that originally because you'd said there were no active registrations in WINS for the system.

With that in mind it should have returned not found for the host.

It wouldn't be listed in the cache or anything like that because your server will be authoritative for the zone (domain). Only non-authoritative responses are cached.

Chris
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 21812103
Is it possible that you have set up your DNS zone to allow for dynamic updates?

You wrote that you suddenly found the entry in your DNS system... something would have had to put it there. If you or one of your admins didn't, then the system itself must have. So if you have a system in your own domain that starts up, it will try to register itself with DNS.
0
 

Author Comment

by:gateguard
ID: 21817454
I do have dynamic updates turned on, but the workstation was already on for a long time, and I could already get to it and the record wasn't in DNS and then later the record appeared.

I'm not wondering so much how the record appeared as I am how could I get to it in the first place if there was no A record in DNS and no Active Registration in WINS.
0
 
LVL 13

Expert Comment

by:dhoffman_98
ID: 21818761
Well, here's what's odd.

There is the issue of NetBIOS names... the short name of a computer without being fully qualified. On your local network, if you were to try to ping a computer that is not in DNS, then the master browser service could still maintain a cache of all computers on the subnet by their NetBIOS names... just like WINS, but very dynamic.

HOWEVER... you said that you used NSLOOKUP. That's what confuses me. Ping will allow for NetBIOS resolution, but unless I'm incorrect, NSLOOKUP only relies on DNS entries.

So unless your DNS server was also somehow pulling entries from WINS or the master browser, I'm not sure where NSLOOKUP would have gotten valid information.

Next time this happens, you could try this. Start nslookup. Then type "set debug" and hit enter. Then type the name of the node you are looking for. You'll see a bunch of stuff fill the screen as nslookup attempts to find a reliable source for the lookup. Information in the last entry should tell you where it got the valid response from.



0
 

Author Comment

by:gateguard
ID: 21916097
This is what I get from nslookup in debug:

> set debug
> nslookup ARCHER
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ARCHER, type = A, class = IN

------------
*** Can't find address for server ARCHER: Server failed


And yet, I can still ping the machine ARCHER.
0
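A small parser for the "set debug" output discussed above, added here as an example (it is not code from any poster in this thread). It reads the header of each reply and reports the rcode, the answer count and whether the "auth. answer" flag is set; the wording returned by verdict() is this example's own.

```python
import re

# Debug output copied from the post above (nslookup after "set debug").
SAMPLE = """\
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = SERVFAIL
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        ARCHER, type = A, class = IN

------------
*** Can't find address for server ARCHER: Server failed
"""

def parse_replies(text):
    """Return one dict per 'Got answer:' block in nslookup debug output."""
    replies = []
    # Replies are separated by lines made up only of dashes.
    for block in re.split(r"^-{5,}[ \t]*$", text, flags=re.M):
        if "Got answer:" not in block:
            continue
        rcode = re.search(r"rcode = (\w+)", block)
        flags = re.search(r"header flags:\s*(.*)", block)
        flag_list = [f.strip() for f in flags.group(1).split(",")] if flags else []
        counts = dict(re.findall(r"(answers|authority records) = (\d+)", block))
        question = re.search(r"QUESTIONS:\s+(\S+), type = (\w+)", block)
        replies.append({
            "rcode": rcode.group(1) if rcode else None,
            "authoritative": "auth. answer" in flag_list,
            "answers": int(counts.get("answers", 0)),
            "question": question.groups() if question else None,
        })
    return replies

def verdict(reply):
    """Summarise a reply using only its header fields."""
    if reply["rcode"] != "NOERROR":
        return f"no answer ({reply['rcode']})"
    if reply["answers"] == 0:
        return "name exists but has no record of this type"
    if reply["authoritative"]:
        return "authoritative: answered from a zone this server hosts"
    return "non-authoritative: from cache, a forwarder or recursion"
```

At the interactive prompt nslookup reads a line as name [server], so in the sample ARCHER was queried as the server to use, which is why the last line reads "Can't find address for server ARCHER".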
 
LVL 70

Accepted Solution

by:Chris Dent
Chris Dent earned 125 total points
ID: 21916116

Ping will use NetBIOS resolution, including Broadcast, to resolve a name. It doesn't need DNS at all.

If you could nslookup ARCHER without a Host (A) Record I'd be much more surprised.

Chris
0
 
LVL 13

Assisted Solution

by:dhoffman_98
dhoffman_98 earned 125 total points
ID: 21916374
OK, now this makes sense then.

That's why I said I was confused earlier because you said you were using NSLOOKUP to resolve the name.

This makes more sense because, as I stated earlier, ping does not only rely on DNS, but will also call other sources. NSLOOKUP relies only on DNS.

Ping can look in your local hosts file as well as contacting a WINS server or using NetBIOS resolution via the computer browser service.
0
 

Author Comment

by:gateguard
ID: 21972548
I did a bunch of clean-up in my DNS and I'm not sure how I fixed it but it seems to be fixed.

All I can advise to anyone having a similar problem, is make sure all your t's are dotted and your i's are crossed in DNS.

Thanks for all the help here.  Your suggestions pointed me in good directions.
0
