mtpit asked:
Phantom Connection-Specific DNS

One of our offices has a problem with a connection-specific dns suffix. Workstations are randomly pulling the wrong suffix. A ipconfig /release and /renew will correct the problem, but once the computer is restarted, it grabs the incorrect suffix. The suffix it should be using is 'marthaturner.cc' but it will grab 'plazahomemortgage.com' and we have no idea where it is coming from. We have removed the old DHCP server and put a new one in its place which didn't seem to fix the problem. Is there any way to find out where this phantom dns suffix is hiding. Any help would be appreciated.
Amit Bhatnagar:
Can you take a trace? Keep a trace running over time. Capture only DHCP packets. We can check it from there.
What are you using as your DHCP Server? Router or a Windows Server? Does your Router also have DHCP enabled?
Have you tried searching the registry for the same suffix?
Any Group Policy which might be forwarding this information?
Is this Suffix known i.e. old company name, domain etc or is it completely unknown?
mtpit (ASKER):
We are using Windows Server 2003 as our DHCP server. I did find a registry entry on one of the workstations. I turned off and on the DNS Domain Name option in the DHCP Server Options and now the registry entry says the correct domain suffix. I am going to see if we have any more problems with it and go from there.

The Group Policy is not pushing the settings out and it was a completely unknown suffix. There was also a DHCPNameServer entry in the registry with a few IP addresses that do not belong to us. Those have disappeared, too.

Thank you for your quick response. I will return to this thread if we have any further problems.
No problem !
mtpit (ASKER):
Ok looks like the problem is back. We thought maybe it was an issue with the workstations themselves. They are the only place where the 'plazahomemortgage.com' suffix is showing up in the registry. I had a computer that I formatted and put a clean install of the OS on. I also reloaded network drivers and it grabbed the wrong suffix the first time it was placed on the network. So we have:

1. Windows Server 2003 throwing DHCP
2. The Group Policy is not setting DNS
3. The suffix is completely unknown


We have an AT&T MPLS connection to the internet, but the problem existed before we made the move to AT&T. None of the previous routers are in use.
Just to confirm...You mentioned the problem came back the moment you had this machine on Network...Was it a part of the Domain at that time or only a workgroup machine?

If workgroup, then GPO is out of question. If Domain, I would still be a little suspicious. Second reason can be a rogue DHCP server. A rogue server you are not aware of...Does not happen too often but still it's possible.. :)

Also, a trace would be interesting here..If the client machines are getting this information from some DHCP then it would show up in trace. Also, try using a static IP...Does the machine still pull off an unknown suffix even with a static IP? Then it is definitely a GPO thing.

Makes sense?
mtpit (ASKER):
It was never a Workgroup machine. Only been on the domain. It is happening to multiple machines, too.

I used Wireshark and did a capture on the DNS port. I am not really familiar with how to read it.
I can see 2 instances where the 'plazahomemortgage.com' has appeared in the capture but I didn't see anything to do with it on a DHCP capture.
Hi,
We need to capture DHCP packets as well so that we can try and locate rogue DHCP servers, if any. Can you share the existing trace with me? Also, please do NOT filter out any other traffic..Run a normal trace..
mtpit (ASKER):
I'm sorry, I am kind of new to this. Could you help me out by walking me through what I need to do to get you exactly what you need?
mtpit (ASKER):
We noticed that we had WINS configured to hit 2 servers that were not running WINS. When we removed the configuration from the scope the problems seemed to stop. I am going to watch it the next few days and see if it stays away. Any idea why that could have caused this problem?
A DNS suffix has nothing to do with WINS even remotely...So not sure what the issue can be...I think It is more a coincidence...Anyways keep me posted..Let's see...Computer World is as mysterious as ours :)
Amit Bhatnagar.
mtpit (ASKER):
It's back. How do I need to do this trace for you?
If you are using Wireshark then you can type DHCP or Bootp (Not sure which one...Wrong filter will give an error anyways) and then renew an IP on a machine...

Also, you never answered...what happens if you use a static IP...Does it come back then too?...I just want to see if it is pulling it off some rogue DHCP Server..
The way you use a filter is...

dns || dhcp will give you DNS or DHCP...

ip.addr==192.168.1.5 && dns will give you packets that are coming from or going to 1.5 and contain DNS packets..
It is all a combination of filter and Operators that you use.
mtpit (ASKER):
Ok I will run the capture and post the results here. The problem is, once I renew the IP it grabs everything correctly. I just don't want to have to renew the IP every time it pops up.

If I use a static IP, all is fine. We did that to fix the problem when we first noticed it happening. But now we need to use DHCP to throw out WPAD for our webfilter.
mtpit (ASKER):
Frame 12 is where the first hit for 'plazahomemortgage.com' pops up.
packet-capture.txt
Can you please save the trace in the CAP format? Text ....as you can see is not easy to read..Anyways, this is only DNS traffic...The client is sending queries asking for certain names but with 'plazahomemortgage.com' added in the end...Normal reaction when it is added as a Suffix...but since you are NOT facing this issue with a static IP...I am 100% sure...This is a Rogue DHCP Server.

Do this...How much time does it take for a machine to get this false entry...If not too much...leave the machine with the trace running....Use DHCP as Capture Filter. Once the error has occurred.. Stop the trace..Save only Displayed packets...and Compress it, attach it here...I know this is kinda difficult but it is better than searching each machine and device for a DHCP Server. If the trace is too big...upload it to Rapidshare or something..but I need to see this thing happening...Don't use any filter in Wireshark if you are not sure how to do it...I will filter it myself :)

Again, make sure to check your routers/firewall etc. for a DHCP option.
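Reading the trace this way comes down to pulling option 54 (server identifier), option 15 (domain name) and option 6 (DNS servers) out of every DHCPOFFER/DHCPACK and flagging any server identifier you did not deploy. The following is an added example (my code, not from this thread) that does that over constructed DHCP payloads; the 10.10.10.5 and 10.10.10.1 addresses are assumptions, while the 10.10.10.XX range, 12.127.16.67 and the two suffixes come from the thread.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # follows the 236-byte BOOTP fixed header
OPT_DNS, OPT_DOMAIN, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 6, 15, 53, 54, 255
MSG_NAMES = {2: "OFFER", 5: "ACK"}

def build_offer(server_ip, yiaddr, domain, dns_servers):
    """Build a minimal DHCPOFFER payload (constructed test input, not capture data)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)   # BOOTREPLY, Ethernet
    hdr += socket.inet_aton("0.0.0.0") + socket.inet_aton(yiaddr)   # ciaddr, yiaddr
    hdr += socket.inet_aton(server_ip) + socket.inet_aton("0.0.0.0")  # siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                                # chaddr, sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 2])
    opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
    opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode()
    opts += bytes([OPT_DNS, 4 * len(dns_servers)])
    opts += b"".join(socket.inet_aton(d) for d in dns_servers)
    return hdr + opts + bytes([OPT_END])

def parse_dhcp(payload):
    """Extract the fields a rogue-DHCP hunt cares about from a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    info = {"yiaddr": socket.inet_ntoa(payload[16:20]), "msg_type": None,
            "server_id": None, "domain_name": None, "dns_servers": []}
    i = 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == 0:                      # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        i += 2 + length
        if code == OPT_MSG_TYPE:
            info["msg_type"] = MSG_NAMES.get(data[0], str(data[0]))
        elif code == OPT_SERVER_ID:
            info["server_id"] = socket.inet_ntoa(data)
        elif code == OPT_DOMAIN:
            info["domain_name"] = data.rstrip(b"\x00").decode(errors="replace")
        elif code == OPT_DNS:
            info["dns_servers"] = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, len(data), 4)]
    return info

def find_rogue_servers(payloads, authorized):
    """Return every OFFER/ACK whose server identifier is not an authorized DHCP server."""
    parsed = (parse_dhcp(p) for p in payloads)
    return [x for x in parsed if x["msg_type"] in MSG_NAMES.values() and x["server_id"] not in authorized]

# Constructed sample: the Windows DHCP server (assumed 10.10.10.5) and an assumed router (10.10.10.1) both answer.
SAMPLE = [build_offer("10.10.10.5", "10.10.10.50", "marthaturner.cc", ["10.10.10.5"]),
          build_offer("10.10.10.1", "10.10.10.51", "plazahomemortgage.com", ["12.127.16.67"])]
```

Running find_rogue_servers(SAMPLE, {"10.10.10.5"}) on a real capture's UDP payloads (ports 67/68) reports the offending server identifier together with the suffix and DNS servers it hands out.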
Ok....approx. 10 packets of DNS and even fewer DHCP...Could not find anything relevant. Did this machine take the incorrect suffix while you were taking this trace? I do see some packets containing the unknown domain but we saw that earlier too.

I am afraid, the trace is not at all helpful...:(...Not your fault though....the error just did NOT happen when the trace was running.
Filtered.jpg
mtpit (ASKER):
I'm sorry I ran this trace on the DHCP server itself. I will run it again on one of the computers receiving DHCP.
Oh..No problem !. Waiting for the second trace ! :)
mtpit (ASKER):
This is a capture running from a machine that already had the incorrect suffix. I let it run for a few minutes and then I renewed the IP address to get the correct suffix back. I hope this helps.

http://rapidshare.com/files/169925335/capture.pcap.html
In this trace, only one Server is replying back with DHCP packets which is 'Memorial'. I do not see any other traffic. I do not even see the domain. There are too many DNS packets...Quite a few of them doing a Reverse Lookup. But that's about it.
I am sorry but I just don't see anything. What we are trying to see is...A machine going from Normal Suffix to the Unknown one...and not the other way around...
mtpit (ASKER):
I did notice an IP of 12.127.16.67 that is popping up quite a bit. This IP is used as one of the DNS servers in the ipconfig /all command.
Yeah, this is quite normal. All the queries are sent to it and hence the IP.
mtpit (ASKER):
But that IP address is not associated with our company. Our DNS servers are all 10.10.10.XX. The only time we see that IP is when the suffix is incorrect. It lists it as one of the DNS servers. If the suffix is correct, the 10.10.10.XX DNS servers are listed.
ASKER CERTIFIED SOLUTION
Amit Bhatnagar:
mtpit (ASKER):
I looked through the results and it looks like our router is in fact throwing out DHCP. We have an MPLS network that is managed by AT&T, so I will get with them to get the DHCP turned off on the router. Let me know if you see anything else suspicious. Thanks for all your help.

http://rapidshare.com/files/170483960/dhcp.zip.html

Suspicious?! We just nailed it :) Look at the image and you will know why :)
Culprit.jpg
mtpit (ASKER):
That's what I thought. I appreciate your help with this.
You're welcome. Just remember, if you see anything suspicious on the system like a setting etc. that you did NOT put there...then first thing...Check Registry...Second..Check GPO...and in DHCP...Now you know what to look for..:)

Take care,
Amit Bhatnagar.