mtpit
asked on
Phantom Connection-Specific DNS
One of our offices has a problem with a connection-specific DNS suffix. Workstations are randomly pulling the wrong suffix. An ipconfig /release and /renew will correct the problem, but once the computer is restarted, it grabs the incorrect suffix. The suffix it should be using is 'marthaturner.cc' but it will grab 'plazahomemortgage.com' and we have no idea where it is coming from. We have removed the old DHCP server and put a new one in its place, which didn't seem to fix the problem. Is there any way to find out where this phantom DNS suffix is hiding? Any help would be appreciated.
ASKER
We are using Windows Server 2003 as our DHCP server. I did find a registry entry on one of the workstations. I turned off and on the DNS Domain Name option in the DHCP Server Options and now the registry entry says the correct domain suffix. I am going to see if we have any more problems with it and go from there.
The Group Policy is not pushing the settings out and it was a completely unknown suffix. There was also a DHCPNameServer entry in the registry with a few IP addresses that do not belong to us. Those have disappeared, too.
Thank you for your quick response. I will return to this thread if we have any further problems.
No problem !
ASKER
OK, it looks like the problem is back. We thought maybe it was an issue with the workstations themselves. They are the only place where the 'plazahomemortgage.com' suffix is showing up in the registry. I had a computer that I formatted and put a clean install of the OS on. I also reloaded network drivers and it grabbed the wrong suffix the first time it was placed on the network. So we have:
1. Windows Server 2003 throwing DHCP
2. The Group Policy is not setting DNS
3. The suffix is completely unknown
We have an AT&T MPLS connection to the internet, but the problem existed before we made the move to AT&T. None of the previous routers are in use.
Just to confirm... You mentioned the problem came back the moment you had this machine on the network... Was it a part of the domain at that time or only a workgroup machine?
If workgroup, then GPO is out of the question. If domain, I would still be a little suspicious. The second reason can be a rogue DHCP server, a rogue server you are not aware of... Does not happen too often but still it's possible.. :)
Also, a trace would be interesting here.. If the client machines are getting this information from some DHCP then it would show up in the trace. Also, try using a static IP... Does the machine still pull an unknown suffix even with a static IP? Then it is definitely a GPO thing.
Makes sense?
ASKER
It was never a workgroup machine. It has only been on the domain. It is happening to multiple machines, too.
I used Wireshark and did a capture on the DNS port. I am not really familiar with how to read it.
I can see 2 instances where 'plazahomemortgage.com' has appeared in the capture but I didn't see anything to do with it on a DHCP capture.
Hi,
We need to capture DHCP packets as well so that we can try and locate rogue DHCP servers, if any. Can you share the existing trace with me? Also, please do NOT filter out any other traffic.. Run a normal trace..
ASKER
I'm sorry, I am kind of new to this. Could you help me out by walking me through what I need to do to get you exactly what you need?
ASKER
We noticed that we had WINS configured to hit 2 servers that were not running WINS. When we removed the configuration from the scope the problems seemed to stop. I am going to watch it the next few days and see if it stays away. Any idea why that could have caused this problem?
A DNS suffix has nothing to do with WINS, even remotely... So not sure what the issue can be... I think it is more a coincidence... Anyways, keep me posted.. Let's see... The computer world is as mysterious as ours :)
Amit Bhatnagar.
ASKER
It's back. How do I need to do this trace for you?
If you are using Wireshark then you can type DHCP or Bootp (not sure which one... a wrong filter will give an error anyways) and then renew an IP on a machine...
Also, you never answered... what happens if you use a static IP... Does it come back then too?... I just want to see if it is pulling it off some rogue DHCP server..
The way you use a filter is...
DNS || DHCP will give you DNS or DHCP...
ip.addr==192.168.1.5 && dns will give you packets that are coming from or going to 1.5 and contain DNS packets..
It is all a combination of filters and operators that you use.
ASKER
OK, I will run the capture and post the results here. The problem is, once I renew the IP it grabs everything correctly. I just don't want to have to renew the IP every time it pops up.
If I use a static IP, all is fine. We did that to fix the problem when we first noticed it happening. But now we need to use DHCP to throw out WPAD for our webfilter.
ASKER
Frame 12 is where the first hit for 'plazahomemortgage.com' pops up.
packet-capture.txt
Can you please save the trace in the CAP format? Text.... as you can see, is not easy to read.. Anyways, this is only DNS traffic... The client is sending queries asking for a certain name but with 'plazahomemortgage.com' added at the end... A normal reaction when it is added as a suffix... but since you are NOT facing this issue with a static IP... I am 100% sure... This is a rogue DHCP server.
Do this... How much time does it take for a machine to get this false entry... If not too much... leave the machine with the trace running.... Use DHCP as the capture filter. Once the error has occurred.. Stop the trace.. Save only displayed packets... and compress it, attach it here... I know this is kinda difficult but it is better than searching each machine and device for a DHCP server. If the trace is too big... upload it to Rapidshare or something.. but I need to see this thing happening... Don't use any filter in Wireshark if you are not sure how to do it... I will filter it myself :)
Again, make sure to check your routers / firewall etc. for a DHCP option.
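A defender-side check for the rogue-server hypothesis in the post above, added here as an example and not part of the thread: decode the option area of a raw DHCP message (the same fields Wireshark shows under "Bootstrap Protocol") and flag any OFFER or ACK whose server identifier (option 54), DNS suffix (option 15) or DNS server list (option 6) is not what the site expects. The DHCP server address 10.10.10.5, the 10.10.10.0/24 DNS range and the rogue address 192.0.2.1 are assumed values, and both packets are constructed rather than taken from the poster's captures.

```python
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that follows the 236-byte BOOTP header

def parse_dhcp_options(payload: bytes) -> dict:
    """Decode the option area of a raw DHCP message into {code: value_bytes}."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:  # single-byte pad option
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def _ips(raw: bytes) -> list:
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def audit_offer(payload, allowed_servers, expected_suffix, dns_net):
    """Findings for a DHCPOFFER/DHCPACK whose server id (54), suffix (15) or DNS list (6) is unexpected."""
    opts = parse_dhcp_options(payload)
    if opts.get(53, b"\0")[0] not in (2, 5):   # only OFFER (2) and ACK (5) carry client config
        return []
    findings = []
    server = _ips(opts.get(54, b""))
    if not server or server[0] not in allowed_servers:
        findings.append(f"unexpected DHCP server identifier {server}")
    suffix = opts.get(15, b"").rstrip(b"\0").decode(errors="replace")
    if suffix != expected_suffix:
        findings.append(f"unexpected DNS suffix {suffix!r}")
    bad_dns = [d for d in _ips(opts.get(6, b"")) if IPv4Address(d) not in IPv4Network(dns_net)]
    if bad_dns:
        findings.append(f"DNS servers outside {dns_net}: {bad_dns}")
    return findings

def build_message(msg_type, server_id, suffix, dns):
    """Constructed sample message; a zeroed BOOTP header is enough for the parser."""
    dns_raw = b"".join(IPv4Address(d).packed for d in dns)
    body = (bytes([53, 1, msg_type]) + bytes([54, 4]) + IPv4Address(server_id).packed
            + bytes([15, len(suffix)]) + suffix.encode()
            + bytes([6, len(dns_raw)]) + dns_raw + b"\xff")
    return bytes(236) + MAGIC_COOKIE + body

# Constructed samples: the site's own server (assumed 10.10.10.5) versus a rogue one (192.0.2.1 is a placeholder)
LEGIT = build_message(2, "10.10.10.5", "marthaturner.cc", ["10.10.10.5", "10.10.10.6"])
ROGUE = build_message(2, "192.0.2.1", "plazahomemortgage.com", ["12.127.16.67"])
```

Feeding the UDP payload of every packet on port 68 through audit_offer (for example from a pcap read with a capture library) turns the "watch the trace until it happens" step into an alert that names the offending server identifier.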
OK.... approx. 10 packets of DNS and even fewer DHCP... Could not find anything relevant. Did this machine take the incorrect suffix while you were taking this trace? I do see some packets containing the unknown domain but we saw that earlier too.
I am afraid the trace is not at all helpful... :(... Not your fault though.... the error just did NOT happen when the trace was running.
Filtered.jpg
ASKER
I'm sorry I ran this trace on the DHCP server itself. I will run it again on one of the computers receiving DHCP.
Oh..No problem !. Waiting for the second trace ! :)
ASKER
This is a capture running from a machine that already had the incorrect suffix. I let it run for a few minutes and then I renewed the IP address to get the correct suffix back. I hope this helps.
http://rapidshare.com/files/169925335/capture.pcap.html
In this trace, only one server is replying back with DHCP packets, which is 'Memorial'. I do not see any other traffic. I do not even see the domain. There are too many DNS packets... Quite a few of them doing a reverse lookup. But that's about it.
I am sorry but I just don't see anything. What we are trying to see is...A machine going from Normal Suffix to the Unknown one...and not the other way around...
ASKER
I did notice an IP of 12.127.16.67 that is popping up quite a bit. This IP is used as one of the DNS servers in the ipconfig /all command.
Yeah, this is quite normal. All the queries are sent to it and hence the IP.
ASKER
But that IP address is not associated with our company. Our DNS servers are all 10.10.10.XX. The only time we see that IP is when the suffix is incorrect. It lists it as one of the DNS servers. If the suffix is correct, then the 10.10.10.XX DNS servers are listed.
ASKER CERTIFIED SOLUTION
ASKER
I looked through the results and it looks like our router is in fact throwing out DHCP. We have an MPLS network that is managed by AT&T, so I will get with them to get the DHCP turned off on the router. Let me know if you see anything else suspicious. Thanks for all your help.
http://rapidshare.com/files/170483960/dhcp.zip.html
Suspicious?! We just nailed it :) Look at the image and you will know why :)
Culprit.jpg
ASKER
That's what I thought. I appreciate your help with this.
You're welcome. Just remember, if you see anything suspicious on the system like a setting etc. that you did NOT put there... then the first thing... Check the registry.. > Second.. Check GPO... and in DHCP... Now you know what to look for.. :)
Tk care,
Amit Bhatnagar.
What are you using as your DHCP server? Router or a Windows server? Does your router also have DHCP enabled?
Have you tried searching the registry for the same suffix?
Any Group Policy which might be forwarding this information?
Is this suffix known, i.e. an old company name, domain etc., or is it completely unknown?