Solved

DNS server returns unknown IP address

Posted on 2009-05-05
6
1,117 Views
Last Modified: 2012-05-06
Starting this morning, our file server was giving very slow response time when the user tries to open a folder on the server. it takes anywhere from 45s to 65s to open the shared folder. But once the shared folder is opened, moving around within the shared folder is very fast (less than 2 sec).  

When we ping, the DNS replies with an unknow IP address as the server i.e. server IP should be 10.0.0.2 but ping <server name> says it is 10.0.0.7. We do not know where the IP of 10.0.0.7 comes from. We have tried shutting down all routers, switches, servers in case the 10.0.0.7 was cached somewhere but apparently it did not help.

Any suggestions anyone?

0
Comment
Question by:artradis
6 Comments
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 75 total points
ID: 24303808
Is it really the DNS which gives you that address? Did you check with 'nslookup'?
Could be an entry in the local 'hosts' file!  
 
0
 
LVL 11

Assisted Solution

by:manav08
manav08 earned 175 total points
ID: 24303892
Sounds like it is the case of a ROGUE DHCP SERVER on the network. An infected PC might be acting like a ROGUE DHCP and disguising itself to act as DNS Server and DHCP Server even when the actual IP you see is that of the server. I have seen this happen before. It is important to detect and isolate the infected machine.
Here is the procedure - http://www.experts-exchange.com/Microsoft/Server_Applications/Q_24163597.html?sfQueryTermInfo=1+10+63.243.173.162+64.86.133.51
0
 
LVL 11

Assisted Solution

by:manav08
manav08 earned 175 total points
ID: 24303903
Basically you will have to use the dhcploc tool to detect the ROGUE DHCP Server if any... If any problems using the tool, kindly ask..
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:artradis
ID: 24304860
Hi all, Thanks for the comment.

1. No it was not the local host file. However previously we ecnountered this before and the only way to resolve was to shutdown PC the pull the power plug (i.e. total no power to PC).

2. I ran "dhcploc 10.0.0.27 10.0.0.6" and pressed "d" (for discovery) several times. but nothing seems to happen at all.  We only have one DHCP server on our LAN, all out PCs are Static IP.

Any other suggestions welcomed. Thanks.
0
 

Assisted Solution

by:sj_saravanan
sj_saravanan earned 100 total points
ID: 24333333
is the IP address is static or DHPC provided IP. if it is static check the primary DNS and secondary dns entries in tcp/ip propertise. and use IPCONFIG\FLUSHDNS , ipconfig\registerdns commands.
If it is dhcp ip, try to renew the ip address ipconfig\renew.and check your dns server may be one or more records created in the same ip address.
0
 
LVL 1

Accepted Solution

by:
Icontech earned 150 total points
ID: 24333675
Hi,
1. Use NS Lookup and verify the DNS Server.
2. Connect to 10.0.0.7 IP via any Remote desktop tool which by mismatch showing as a DNS Server.
3. Check NS Record in the DNS Server, Whether the IP and the Server name correct or not.
4. Can you able to ping 10.0.0.2 (Your actual DNS Server). If yes means, Connect to the server remotely and check the DNS Management. (Primary Zone, NS Record and etc...)
5. Without authorizing, there cannot be a DHCP Server activated(Rogue DHCP Server). If there is any Authorized Additional DHCP Server in your network means check and verify using dhcploc.exe tool and remove the same from the network.

-Thanks
PREMKUMAR
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

This article explains how a domain name may be inadvertently appended to all DNS queries. This exhibits as described below. (CODE)And / Or: (CODE) Cause This issue can occur in either of these two scenarios. EITHER 1. A Primary DNS S…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video discusses moving either the default database or any database to a new volume.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now