Solved

Phantom Connection-Specific DNS

Posted on 2008-11-19
Last Modified: 2012-05-05
One of our offices has a problem with a connection-specific DNS suffix. Workstations are randomly pulling the wrong suffix. An ipconfig /release and /renew will correct the problem, but once the computer is restarted, it grabs the incorrect suffix. The suffix it should be using is 'marthaturner.cc' but it will grab 'plazahomemortgage.com' and we have no idea where it is coming from. We have removed the old DHCP server and put a new one in its place, which didn't seem to fix the problem. Is there any way to find out where this phantom DNS suffix is hiding? Any help would be appreciated.
Question by:mtpit
 
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 22998181
Can you take a trace? Keep a trace running over time. Capture only DHCP packets. We can check it from there.
What are you using as your DHCP server? Router or a Windows Server? Does your router also have DHCP enabled?
Have you tried searching the registry for the same suffix?
Any Group Policy which might be forwarding this information?
Is this suffix known, i.e. old company name, domain etc., or is it completely unknown?

Author Comment

by:mtpit
ID: 22998348
We are using Windows Server 2003 as our DHCP server. I did find a registry entry on one of the workstations. I turned off and on the DNS Domain Name option in the DHCP Server Options and now the registry entry says the correct domain suffix. I am going to see if we have any more problems with it and go from there.

The Group Policy is not pushing the settings out and it was a completely unknown suffix. There was also a DHCPNameServer entry in the registry with a few IP addresses that do not belong to us. Those have disappeared, too.

Thank you for your quick response. I will return to this thread if we have any further problems.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 22998379
No problem !

Author Comment

by:mtpit
ID: 23003554
Ok looks like the problem is back. We thought maybe it was an issue with the workstations themselves. They are the only place where the 'plazahomemortgage.com' suffix is showing up in the registry. I had a computer that I formatted and put a clean install of the OS on. I also reloaded network drivers and it grabbed the wrong suffix the first time it was placed on the network. So we have:

1. Windows Server 2003 throwing DHCP
2. The Group Policy is not setting DNS
3. The suffix is completely unknown


We have an AT&T MPLS connection to the internet, but the problem existed before we made the move to AT&T. None of the previous routers are in use.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23006975
Just to confirm...You mentioned the problem came back the moment you had this machine on the network...Was it a part of the domain at that time or only a workgroup machine?

If workgroup, then GPO is out of the question. If domain, I would still be a little suspicious. A second reason can be a rogue DHCP server. A rogue server you are not aware of...Does not happen too often but still it's possible.. :)

Also, a trace would be interesting here..If the client machines are getting this information from some DHCP then it would show up in the trace. Also, try using a static IP...If the machine still pulls off an unknown suffix even with a static IP, then it is definitely a GPO thing.

Makes sense?

Author Comment

by:mtpit
ID: 23007901
It was never a workgroup machine. It has only been on the domain. It is happening to multiple machines, too.

I used Wireshark and did a capture on the DNS port. I am not really familiar with how to read it.
I can see 2 instances where 'plazahomemortgage.com' has appeared in the capture but I didn't see anything to do with it on a DHCP capture.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23009367
Hi,
We need to capture DHCP packets as well so that we can try and locate rogue DHCP servers, if any. Can you share the existing trace with me? Also, please do NOT filter out any other traffic..Run a normal trace..

Author Comment

by:mtpit
ID: 23014401
I'm sorry, I am kind of new to this. Could you help me out by walking me through what I need to do to get you exactly what you need?

Author Comment

by:mtpit
ID: 23015585
We noticed that we had WINS configured to hit 2 servers that were not running WINS. When we removed the configuration from the scope the problems seemed to stop. I am going to watch it the next few days and see if it stays away. Any idea why that could have caused this problem?
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23021722
A DNS suffix has nothing to do with WINS even remotely...So not sure what the issue can be...I think It is more a coincidence...Anyways keep me posted..Let's see...Computer World is as mysterious as ours :)
Amit Bhatnagar.

Author Comment

by:mtpit
ID: 23027892
It's back. How do I need to do this trace for you?
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23033726
If you are using Wireshark then you can type DHCP or Bootp (Not sure which one...Wrong filter will give an error anyways) and then renew an IP on a machine...

Also, you never answered...what happens if you use a static IP...Does it come back then too?...I just want to see if it is pulling it off some rogue DHCP server..
The way you use a filter is...

DNS || DHCP Will give you DNS or DHCP...

ip.addr==192.168.1.5 && dns will give you packets that are coming from or going to 1.5 and contains DNS packets..
It is all a combination of filter and Operators that you use.

Author Comment

by:mtpit
ID: 23034169
Ok, I will run the capture and post the results here. The problem is, once I renew the IP it grabs everything correctly. I just don't want to have to renew the IP every time it pops up.

If I use a static IP, all is fine. We did that to fix the problem when we first noticed it happening. But now we need to use DHCP to throw out WPAD for our webfilter.

Author Comment

by:mtpit
ID: 23035164
Frame 12 is where the first hit for 'plazahomemortgage.com' pops up.
packet-capture.txt
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23045728
Can you please save the trace in the CAP format? Text....as you can see is not easy to read..Anyways, this is only DNS traffic...The client is sending queries asking for a certain name but with 'plazahomemortgage.com' added at the end...Normal reaction when it is added as a suffix...but since you are NOT facing this issue with a static IP...I am 100% sure...This is a rogue DHCP server.

Do this...How much time does it take for a machine to get this false entry...If not too much...leave the machine with the trace running....Use DHCP as the capture filter. Once the error has occurred..Stop the trace..Save only displayed packets...and compress it, attach it here...I know this is kinda difficult but it is better than searching each machine and device for a DHCP server. If the trace is too big...upload it to Rapidshare or something..but I need to see this thing happening...Don't use any filter in Wireshark if you are not sure how to do it...I will filter it myself :)

Again, make sure to check your routers/firewall etc. for a DHCP option.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23085957
Ok....approx. 10 packets of DNS and even fewer DHCP...Could not find anything relevant. Did this machine take the incorrect suffix while you were taking this trace? I do see some packets containing the unknown domain but we saw that earlier too.

I am afraid the trace is not at all helpful...:(...Not your fault though....the error just did NOT happen when the trace was running.
Filtered.jpg

Author Comment

by:mtpit
ID: 23088365
I'm sorry I ran this trace on the DHCP server itself. I will run it again on one of the computers receiving DHCP.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23088683
Oh..No problem !. Waiting for the second trace ! :)

Author Comment

by:mtpit
ID: 23088832
This is a capture running from a machine that already had the incorrect suffix. I let it run for a few minutes and then I renewed the IP address to get the correct suffix back. I hope this helps.

http://rapidshare.com/files/169925335/capture.pcap.html
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23089872
In this trace, only one server is replying back with DHCP packets, which is 'Memorial'. I do not see any other traffic. I do not even see the domain. There are too many DNS packets...Quite a few of them doing a reverse lookup. But that's about it.
I am sorry but I just don't see anything. What we are trying to see is...A machine going from Normal Suffix to the Unknown one...and not the other way around...

Author Comment

by:mtpit
ID: 23090840
I did notice an IP of 12.127.16.67 that is popping up quite a bit. This IP is used as one of the DNS servers in the ipconfig /all command.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23093139
Yeah, this is quite normal. All the queries are sent to it and hence the IP.

Author Comment

by:mtpit
ID: 23094911
But that IP address is not associated with our company. Our DNS servers are all 10.10.10.XX. The only time we see that IP is when the suffix is incorrect. It lists it as one of the DNS servers. If the suffix is correct, the 10.10.10.XX DNS servers are listed.
LVL 12

Accepted Solution

by:
Amit Bhatnagar earned 2000 total points
ID: 23097054
Which means you are DEFINITELY getting this information from a rogue DHCP server. Now we are down to the issue where we just need to locate it. You already know how to run a trace. Keep a trace running on a machine for a complete day. Make sure it goes from good to bad. Use DHCP as a filter. Once done, zip the file and send it to me.
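The thread's approach is to capture with a 'dhcp'/'bootp' filter and look for an offer that carries the wrong suffix (option 15) and foreign DNS servers (option 6), which identifies the rogue server. The script below, an added example that is not part of the original thread, does that check on raw DHCP payloads; the packet bytes, the authorized server 10.10.10.10 and the rogue address 192.168.1.1 are constructed placeholders, while the suffixes and 12.127.16.67 come from the thread.

```python
import socket
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_bytes} from a raw DHCP/BOOTP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                          # 0 = Pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def offer_summary(payload: bytes) -> dict:
    """Who sent the offer and what DNS settings it pushes (54 = server id, 15 = suffix, 6 = DNS)."""
    o = parse_dhcp_options(payload)
    dns = o.get(6, b"")
    return {
        "server_id": socket.inet_ntoa(o[54]) if 54 in o else None,
        "dns_suffix": o.get(15, b"").rstrip(b"\x00").decode("ascii", "replace"),
        "dns_servers": [socket.inet_ntoa(dns[j:j + 4]) for j in range(0, len(dns), 4)],
    }

def rogue_reasons(summary: dict, authorized: set, suffix: str, dns_prefix: str) -> list:
    """Empty list means the offer looks legitimate; otherwise, why it was flagged."""
    reasons = []
    if summary["server_id"] not in authorized:
        reasons.append(f"unknown DHCP server {summary['server_id']}")
    if summary["dns_suffix"] != suffix:
        reasons.append(f"unexpected suffix {summary['dns_suffix']!r}")
    foreign = [ip for ip in summary["dns_servers"] if not ip.startswith(dns_prefix)]
    if foreign:
        reasons.append(f"foreign DNS servers {foreign}")
    return reasons

def build_offer(server_ip: str, suffix: str, dns_ips: list) -> bytes:
    header = bytearray(236)                          # constructed test packet, not a capture
    header[0] = 2                                    # op = BOOTREPLY
    dns = b"".join(socket.inet_aton(ip) for ip in dns_ips)
    opts = (b"\x35\x01\x02" + b"\x36\x04" + socket.inet_aton(server_ip)   # 53 OFFER, 54 server id
            + bytes([15, len(suffix)]) + suffix.encode() + bytes([6, len(dns)]) + dns + b"\xff")
    return bytes(header) + MAGIC_COOKIE + opts

# Constructed samples: a legitimate offer and one mimicking the thread's rogue router.
GOOD = build_offer("10.10.10.10", "marthaturner.cc", ["10.10.10.10", "10.10.10.11"])
ROGUE = build_offer("192.168.1.1", "plazahomemortgage.com", ["12.127.16.67"])
```

Feed it the UDP payloads of the DHCP offers from a capture taken on a client while it goes from good to bad; any offer that returns a non-empty reason list names the server to go looking for.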

Author Comment

by:mtpit
ID: 23104508
I looked through the results and it looks like our router is in fact throwing out DHCP. We have an MPLS network that is managed by AT&T, so I will get with them to get the DHCP turned off on the router. Let me know if you see anything else suspicious. Thanks for all your help.

http://rapidshare.com/files/170483960/dhcp.zip.html

LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23105642
Suspicious?! We just nailed it :) Look at the image and you will know why :)
Culprit.jpg

Author Comment

by:mtpit
ID: 23105708
That's what I thought. I appreciate your help with this.
LVL 12

Expert Comment

by:Amit Bhatnagar
ID: 23106966
You're welcome. Just remember, if you see anything suspicious on the system like a setting etc. that you did NOT put there...then first thing...check the registry...second...check GPO...and then DHCP...Now you know what to look for..:)

Take care,
Amit Bhatnagar.