  • Status: Solved
  • Priority: Medium
  • Security: Public

DNS server returns unknown IP address

Starting this morning, our file server was giving very slow response time when the user tries to open a folder on the server. It takes anywhere from 45s to 65s to open the shared folder. But once the shared folder is opened, moving around within the shared folder is very fast (less than 2 sec).

When we ping, the DNS replies with an unknown IP address as the server, i.e. the server IP should be 10.0.0.2 but ping <server name> says it is 10.0.0.7. We do not know where the IP of 10.0.0.7 comes from. We have tried shutting down all routers, switches, servers in case the 10.0.0.7 was cached somewhere but apparently it did not help.

Any suggestions anyone?

0
Asked by: artradis
5 Solutions
 
woolmilkporc Commented:
Is it really the DNS which gives you that address? Did you check with 'nslookup'?
Could be an entry in the local 'hosts' file!  
 
0
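The check suggested above (is it really the DNS server, or the hosts file, that hands out the wrong address?) can be scripted. This is an added example, not code from the thread: the function names and the sample name `fs01.corp.example` are hypothetical, the name passed in must be fully qualified, and the response ID is not verified.

```python
import socket
import struct

def parse_hosts(text, name):
    """IPs that hosts-file text maps to `name` (case-insensitive, comments ignored)."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r[0] for r in rows if name.lower() in [f.lower() for f in r[1:]]]

def build_query(name, qid=0x1234):
    """Encode a recursive A/IN question for a fully qualified `name`."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, pos):
    """Step over a possibly compressed domain name; return the next offset."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:      # compression pointer ends the name
            return pos + 2
        pos += msg[pos] + 1
    return pos + 1

def parse_a_records(msg):
    """IPv4 addresses found in the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4   # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return ips

def ask_dns(server, name, timeout=3.0):
    """Ask `server` directly over UDP/53, bypassing hosts file and client cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(4096)[0])

def blame(expected, hosts_ips, dns_ips, os_ips):
    """Name the first layer whose answer differs from the expected address."""
    layers = {"hosts file": hosts_ips, "DNS server record": dns_ips, "client resolver": os_ips}
    return next((n for n, ips in layers.items() if set(ips) - {expected}), "consistent")
```

On an affected client, feed `blame` the contents of `%SystemRoot%\System32\drivers\etc\hosts` through `parse_hosts`, the result of `ask_dns` against the configured DNS server, and `[socket.gethostbyname(name)]` (the same resolver path `ping` uses). A result of "client resolver" means the DNS record is correct and the wrong address comes from the client's cache or a non-DNS lookup.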
 
manav08 Commented:
Sounds like it is the case of a ROGUE DHCP SERVER on the network. An infected PC might be acting like a ROGUE DHCP and disguising itself to act as DNS Server and DHCP Server even when the actual IP you see is that of the server. I have seen this happen before. It is important to detect and isolate the infected machine.
Here is the procedure - http://www.experts-exchange.com/Microsoft/Server_Applications/Q_24163597.html?sfQueryTermInfo=1+10+63.243.173.162+64.86.133.51
0
 
manav08 Commented:
Basically you will have to use the dhcploc tool to detect the ROGUE DHCP Server if any... If any problems using the tool, kindly ask..
0
 
artradis (Author) Commented:
Hi all, thanks for the comments.

1. No, it was not the local hosts file. However, previously we encountered this before and the only way to resolve it was to shut down the PC then pull the power plug (i.e. total no power to PC).

2. I ran "dhcploc 10.0.0.27 10.0.0.6" and pressed "d" (for discovery) several times, but nothing seems to happen at all. We only have one DHCP server on our LAN; all our PCs are static IP.

Any other suggestions welcomed. Thanks.
0
 
sj_saravanan Commented:
Is the IP address static or a DHCP-provided IP? If it is static, check the primary DNS and secondary DNS entries in the TCP/IP properties, and use the ipconfig /flushdns and ipconfig /registerdns commands.
If it is a DHCP IP, try to renew the IP address with ipconfig /renew, and check your DNS server; there may be one or more records created with the same IP address.
0
 
Icontech Commented:
Hi,
1. Use nslookup and verify the DNS server.
2. Connect to the 10.0.0.7 IP, which by mismatch is showing as a DNS server, via any remote desktop tool.
3. Check the NS record in the DNS server, whether the IP and the server name are correct or not.
4. Are you able to ping 10.0.0.2 (your actual DNS server)? If yes, connect to the server remotely and check the DNS Management (primary zone, NS record, etc.).
5. Without authorizing, there cannot be a DHCP server activated (rogue DHCP server). If there is any authorized additional DHCP server in your network, check and verify using the dhcploc.exe tool and remove it from the network.

-Thanks
PREMKUMAR
0
