Phantom Connection-Specific DNS

One of our offices has a problem with a connection-specific DNS suffix. Workstations are randomly pulling the wrong suffix. An ipconfig /release and /renew will correct the problem, but once the computer is restarted, it grabs the incorrect suffix. The suffix it should be using is 'marthaturner.cc' but it will grab 'plazahomemortgage.com' and we have no idea where it is coming from. We have removed the old DHCP server and put a new one in its place, which didn't seem to fix the problem. Is there any way to find out where this phantom DNS suffix is hiding? Any help would be appreciated.
mtpit asked:
Amit Bhatnagar (Technology Consultant - Security) commented:
Can you take a trace? Keep a trace running over time. Capture only DHCP packets. We can check it from there.
What are you using as your DHCP server? Router or a Windows Server? Does your router also have DHCP enabled?
Have you tried searching the registry for the same suffix?
Any Group Policy which might be forwarding this information?
Is this suffix known, i.e. old company name, domain etc., or is it completely unknown?
0
mtpit (Author) commented:
We are using Windows Server 2003 as our DHCP server. I did find a registry entry on one of the workstations. I turned off and on the DNS Domain Name option in the DHCP Server Options and now the registry entry says the correct domain suffix. I am going to see if we have any more problems with it and go from there.

The Group Policy is not pushing the settings out and it was a completely unknown suffix. There was also a DHCPNameServer entry in the registry with a few IP addresses that do not belong to us. Those have disappeared, too.

Thank you for your quick response. I will return to this thread if we have any further problems.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
No problem !
0
mtpit (Author) commented:
Ok, looks like the problem is back. We thought maybe it was an issue with the workstations themselves. They are the only place where the 'plazahomemortgage.com' suffix is showing up in the registry. I had a computer that I formatted and put a clean install of the OS on. I also reloaded network drivers and it grabbed the wrong suffix the first time it was placed on the network. So we have:

1. Windows Server 2003 throwing DHCP
2. The Group Policy is not setting DNS
3. The suffix is completely unknown


We have an AT&T MPLS connection to the internet, but the problem existed before we made the move to AT&T. None of the previous routers are in use.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Just to confirm...You mentioned the problem came back the moment you had this machine on the network...Was it a part of the domain at that time or only a workgroup machine?

If workgroup, then GPO is out of the question. If domain, I would still be a little suspicious. The second reason can be a rogue DHCP server. A rogue server you are not aware of...Does not happen too often but still it's possible.. :)

Also, a trace would be interesting here..If the client machines are getting this information from some DHCP then it would show up in the trace. Also, try using a static IP...If the machine still pulls an unknown suffix even with a static IP then it is definitely a GPO thing.

Makes sense?
0
mtpit (Author) commented:
It was never a workgroup machine. Only been on the domain. It is happening to multiple machines, too.

I used Wireshark and did a capture on the DNS port. I am not really familiar with how to read it.
I can see 2 instances where the 'plazahomemortgage.com' has appeared in the capture but I didn't see anything to do with it on a DHCP capture.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Hi,
We need to capture DHCP packets as well so that we can try and locate rogue DHCP servers, if any. Can you share the existing trace with me? Also, please do NOT filter out any other traffic..Run a normal trace..
0
mtpit (Author) commented:
I'm sorry, I am kind of new to this. Could you help me out by walking me through what I need to do to get you exactly what you need?
0
mtpit (Author) commented:
We noticed that we had WINS configured to hit 2 servers that were not running WINS. When we removed the configuration from the scope the problems seemed to stop. I am going to watch it the next few days and see if it stays away. Any idea why that could have caused this problem?
0
Amit Bhatnagar (Technology Consultant - Security) commented:
A DNS suffix has nothing to do with WINS, even remotely...So not sure what the issue can be...I think it is more a coincidence...Anyway, keep me posted..Let's see...The computer world is as mysterious as ours :)
Amit Bhatnagar.
0
mtpit (Author) commented:
It's back. How do I need to do this trace for you?
0
Amit Bhatnagar (Technology Consultant - Security) commented:
If you are using Wireshark then you can type dhcp or bootp (not sure which one...a wrong filter will give an error anyway) and then renew an IP on a machine...

Also, you never answered...what happens if you use a static IP...Does it come back then too?...I just want to see if it is pulling it off some rogue DHCP server..
The way you use a filter is...

dns || dhcp will give you DNS or DHCP...

ip.addr==192.168.1.5 && dns will give you packets that are coming from or going to 1.5 and contain DNS packets..
It is all a combination of filters and operators that you use.
0
mtpit (Author) commented:
Ok, I will run the capture and post the results here. The problem is, once I renew the IP it grabs everything correctly. I just don't want to have to renew the IP every time it pops up.

If I use a static IP, all is fine. We did that to fix the problem when we first noticed it happening. But now we need to use DHCP to throw out WPAD for our web filter.
0
mtpit (Author) commented:
Frame 12 is where the first hit for 'plazahomemortgage.com' pops up.
packet-capture.txt
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Can you please save the trace in the CAP format? Text....as you can see, is not easy to read..Anyway, this is only DNS traffic...The client is sending queries asking for a certain name but with 'plazahomemortgage.com' added at the end...Normal reaction when it is added as a suffix...but since you are NOT facing this issue with a static IP...I am 100% sure...This is a rogue DHCP server.

Do this...How much time does it take for a machine to get this false entry...If not too much...leave the machine with the trace running....Use DHCP as the capture filter. Once the error has occurred..Stop the trace..Save only displayed packets...and compress it, attach it here...I know this is kind of difficult but it is better than searching each machine and device for a DHCP server. If the trace is too big...upload it to Rapidshare or something..but I need to see this thing happening...Don't use any filter in Wireshark if you are not sure how to do it...I will filter it myself :)

Again, make sure to check your routers/firewall etc. for the DHCP option.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Ok....approx. 10 packets of DNS and even fewer DHCP...Could not find anything relevant. Did this machine take the incorrect suffix while you were taking this trace? I do see some packets containing the unknown domain but we saw that earlier too.

I am afraid the trace is not at all helpful...:(...Not your fault though....the error just did NOT happen when the trace was running.
Filtered.jpg
0
mtpit (Author) commented:
I'm sorry, I ran this trace on the DHCP server itself. I will run it again on one of the computers receiving DHCP.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Oh..No problem! Waiting for the second trace! :)
0
mtpit (Author) commented:
This is a capture running from a machine that already had the incorrect suffix. I let it run for a few minutes and then I renewed the IP address to get the correct suffix back. I hope this helps.

http://rapidshare.com/files/169925335/capture.pcap.html
0
Amit Bhatnagar (Technology Consultant - Security) commented:
In this trace, only one server is replying back with DHCP packets, which is 'Memorial'. I do not see any other traffic. I do not even see the domain. There are too many DNS packets...Quite a few of them doing a reverse lookup. But that's about it.
I am sorry but I just don't see anything. What we are trying to see is...A machine going from the normal suffix to the unknown one...and not the other way around...
0
mtpit (Author) commented:
I did notice an IP of 12.127.16.67 that is popping up quite a bit. This IP is used as one of the DNS servers in the ipconfig /all command.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Yeah, this is quite normal. All the queries are sent to it and hence the IP.
0
mtpit (Author) commented:
But that IP address is not associated with our company. Our DNS servers are all 10.10.10.XX. The only time we see that IP is when the suffix is incorrect. It lists it as one of the DNS servers. If the suffix is correct, then the 10.10.10.XX DNS servers are listed.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
Which means you are DEFINITELY getting this information from a rogue DHCP server. Now we are down to the issue where we just need to locate it. You already know how to run a trace. Keep a trace running on a machine for a complete day. Make sure it goes from good to bad. Use DHCP as a filter. Once done, zip the file and send it to me.
0
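The two comments above describe the detection in words: filter the trace down to DHCP, watch a client go from the good suffix to the bad one, and note which server identifier hands out the unexpected domain name (option 15) and DNS servers (option 6). The following Python script is an added example that is not part of the thread and not code from either participant; it parses raw DHCP reply payloads (the UDP payload as exported from a Wireshark/tshark capture) and reports any OFFER or ACK whose server identifier is not on the authorized list, or whose suffix or DNS servers differ from what the real Windows DHCP scope hands out. The sample packets are constructed inline: the authorized server address 10.10.10.1, the router address 10.10.10.254 and the DNS server addresses in 10.10.10.x are assumptions, while the suffixes and the 12.127.16.67 DNS address are the values reported in the thread.

```python
"""Audit DHCP OFFER/ACK replies for rogue-server indicators: an unexpected
server identifier (option 54), DNS suffix (option 15) or DNS servers (option 6).
Added example; all packets below are constructed, not captured traffic."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
OPT_DNS_SERVERS, OPT_DOMAIN_NAME, OPT_WINS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 15, 44, 53, 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


@dataclass
class DhcpReply:
    msg_type: str
    server_id: str               # option 54: the server claiming this lease
    your_ip: str                 # yiaddr: address handed to the client
    domain_name: Optional[str]   # option 15: becomes the connection-specific DNS suffix
    dns_servers: List[str]       # option 6
    wins_servers: List[str]      # option 44


def _ip_list(data: bytes) -> List[str]:
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, len(data) - 3, 4)]


def parse_dhcp(payload: bytes) -> DhcpReply:
    """Parse a DHCP message: 236-byte fixed header, magic cookie, then TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    your_ip = str(ipaddress.IPv4Address(payload[16:20]))
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # END option
            break
        if code == 0:                    # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    msg_code = options.get(OPT_MSG_TYPE, b"\x00")[0]
    server_ids = _ip_list(options.get(OPT_SERVER_ID, b""))
    domain = options.get(OPT_DOMAIN_NAME)
    return DhcpReply(
        msg_type=MSG_TYPES.get(msg_code, "UNKNOWN(%d)" % msg_code),
        server_id=server_ids[0] if server_ids else "",
        your_ip=your_ip,
        # some servers NUL-terminate option 15; strip it before comparing
        domain_name=domain.rstrip(b"\x00").decode("ascii", "replace") if domain else None,
        dns_servers=_ip_list(options.get(OPT_DNS_SERVERS, b"")),
        wins_servers=_ip_list(options.get(OPT_WINS, b"")),
    )


def audit_replies(payloads: Iterable[bytes], authorized: Set[str],
                  expected_suffix: str, expected_dns: Set[str]) -> List[str]:
    """Return one finding per deviation from the lease contents the real scope hands out."""
    findings = []
    for payload in payloads:
        r = parse_dhcp(payload)
        if r.msg_type not in ("OFFER", "ACK"):
            continue                     # client-side messages carry no lease parameters
        if r.server_id not in authorized:
            findings.append(f"{r.msg_type} from unauthorized server {r.server_id} (lease {r.your_ip})")
        if r.domain_name and r.domain_name.lower() != expected_suffix.lower():
            findings.append(f"{r.msg_type} from {r.server_id} sets DNS suffix {r.domain_name!r}")
        for dns in r.dns_servers:
            if dns not in expected_dns:
                findings.append(f"{r.msg_type} from {r.server_id} hands out DNS server {dns}")
    return findings


def build_reply(msg_type: int, server_id: str, your_ip: str, domain: str,
                dns: List[str], wins: List[str] = ()) -> bytes:
    """Build a minimal DHCP reply payload for testing (constructed sample, not a capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, xid constructed
    header += b"\x00" * 4                                            # ciaddr
    header += ipaddress.IPv4Address(your_ip).packed                  # yiaddr
    header += b"\x00" * 8 + b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128  # siaddr, giaddr, chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_DOMAIN_NAME, len(domain)]) + domain.encode()
    dns_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in dns)
    opts += bytes([OPT_DNS_SERVERS, len(dns_bytes)]) + dns_bytes
    if wins:
        wins_bytes = b"".join(ipaddress.IPv4Address(a).packed for a in wins)
        opts += bytes([OPT_WINS, len(wins_bytes)]) + wins_bytes
    return header + MAGIC_COOKIE + opts + b"\xff"


AUTHORIZED = {"10.10.10.1"}                      # assumed address of the Windows Server 2003 DHCP server
EXPECTED_SUFFIX = "marthaturner.cc"
EXPECTED_DNS = {"10.10.10.10", "10.10.10.11"}    # assumed, in the thread's 10.10.10.XX range
SAMPLE_REPLIES = [                               # constructed: one good offer, one rogue offer, one good ack
    build_reply(2, "10.10.10.1", "10.10.10.50", "marthaturner.cc", ["10.10.10.10", "10.10.10.11"]),
    build_reply(2, "10.10.10.254", "10.10.10.51", "plazahomemortgage.com", ["12.127.16.67"]),
    build_reply(5, "10.10.10.1", "10.10.10.50", "marthaturner.cc", ["10.10.10.10"]),
]


def run_sample() -> List[str]:
    return audit_replies(SAMPLE_REPLIES, AUTHORIZED, EXPECTED_SUFFIX, EXPECTED_DNS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run against a real capture, the payloads would come from the `bootp`/`dhcp` display filter the expert describes; the audit then prints exactly the three facts the thread needed to find by eye: which server identifier sent the offer, which suffix it carried, and which DNS servers it listed.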

mtpit (Author) commented:
I looked through the results and it looks like our router is in fact throwing out DHCP. We have an MPLS network that is managed by AT&T, so I will get with them to get the DHCP turned off on the router. Let me know if you see anything else suspicious. Thanks for all your help.

http://rapidshare.com/files/170483960/dhcp.zip.html

0
Amit Bhatnagar (Technology Consultant - Security) commented:
Suspicious?! We just nailed it :) Look at the image and you will know why :)
Culprit.jpg
0
mtpit (Author) commented:
That's what I thought. I appreciate your help with this.
0
Amit Bhatnagar (Technology Consultant - Security) commented:
You're welcome. Just remember, if you see anything suspicious on the system, like a setting etc. that you did NOT put there...then first thing...Check the registry..>Second..Check GPO...and then DHCP...Now you know what to look for..:)

Take care,
Amit Bhatnagar.
0