• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 259

Very odd DNS issues

Hello Experts and thanks in advance!  I'm struggling to figure out what the problem is on our network.  We had a malware issue that we rooted out but have discovered since that DNS doesn't respond well to the first attempt but will immediately connect on the second.

For example:  Let's say I want to open SharePoint.  You go to the site and it will just sit and spin, but if you refresh right after your first attempt, it opens right up.  Same thing with RDS and DameWare for remotely connecting.  There are no bad entries in DNS that I saw and no errors in the log.  I have tried building new servers with DNS and I still encounter much the same.  I've scanned multiple times using several different AV and AM software and they are all saying my systems are clean.  I can't really put my finger on it but I'm pretty sure this has to be a DNS issue.
 
zLeva commented:
Have you checked with Wireshark or other network monitoring tools? Just to see what's going on at the network level.
That'd be helpful to identify the cause, as you would see where those machines are connecting first, and so on.
 
tolinrome commented:
Are you sure this happened during the malware time? Is it for all network services that this happens?

Could the malware have affected DNS entries on the client from the DHCP scope? If this problem was from the malware, I would think it would be a problem on the client, as an OS problem that the malware has damaged.
 
jhaneke (Author) commented:
Hello and thanks both for responding. It might not be malware as the problem, and it could just be coincidental as to when this occurred and that. However, from a computer that I know to have been clean the whole time, it still happens the same as the workstations in the office.

zLeva: I'm looking into Wireshark right now. I haven't run it for years and don't remember how to set the filters correctly, so I'm digging around and trying to figure it out.

Of note: I tried modifying the hosts file on a local machine with the same results. This really is puzzling to me, as DNS seems otherwise quite happy and responsive. I try to connect to multiple machines and it doesn't matter; the problem is duplicated.
 
Anthony Jennings commented:
Answer:

I found the possible answer from the Firefox website. According to Firefox, the following will cause a website to spin: "The web page may be using an external JavaScript file which is in the wrong format. Try disabling JavaScript - see JavaScript settings and preferences for interactive web pages. If the page now finishes loading the bad Javascript file may be coming from:" (Firefox, n.d.).

"A proxy filter that is incorrectly filtering that website's files. If you are running a proxy filter such as Privoxy, try disabling it" (Firefox, n.d.).

Reference

Firefox. (n.d.). Websites show a spinning wheel and never finish loading. Retrieved August 2, 2014, from https://support.mozilla.org/en-US/kb/websites-show-spinning-wheel-never-finish-load
 
jhaneke (Author) commented:
Thanks for the tip, Anthony. Unfortunately this also affects more than just websites. I use DameWare for remotely connecting to servers and workstations, which isn't dependent on Java. I did try uninstalling Java to see if that would help, but to no avail.
 
tolinrome commented:
If this happens with every computer in the office, then most likely it's a network issue and not a computer desktop issue, unless there has been some update to antivirus or firewall software on the desktop. Are all the computers connected to the same switch? Let's try to narrow it down. Have there been any changes on the network at all?
 
tolinrome commented:
Any group policies that are taking effect on the clients? Possibly even Windows Firewall issues on the client?
 
Akinsd (Network Administrator) commented:
On one workstation, change the primary DNS server to 8.8.8.8 and access multiple servers.

Run dcdiag /fix on your main (authoritative) domain server.
Reboot the server when you can.

Wireshark will also be a good resource. Run Wireshark on the computer and concentrate on UDP 53 packets:
For the capture filter, choose UDP.
In the display filter, use udp.port == 53.

See step-by-step instructions here:
http://wiki.wireshark.org/CaptureSetup
http://openmaniak.com/wireshark_filters.php
 
skullnobrains commented:
This hardly looks like a DNS issue. You can confirm by connecting to one of the sites using telnet, and possibly run a ping as well (both might print out useful debug information as well as helping rule out DNS).

One thing that produces such a symptom is route redirections:

If you have 2 routers on the same network as the host, and the route is set to router A while router B is the one that is connected to your destination, A will forward the first packet it receives (SYN) and send a route redirection that will make your host send subsequent packets to router B. Either your host or router B will reject one of the subsequent packets because it won't seem to belong to the same connection.

The result is the first TCP connection will fail, but the host will create a dynamic route for your destination using router B, and subsequent connections to the same destination will work for a few minutes or more.

Such things can be due to malware attempting to do man-in-the-middle attacks, but this is highly speculative.
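
Combining Akinsd's udp.port == 53 filter with skullnobrains' redirect explanation, here is an added example (not code from any poster on this thread) that does the same triage offline over constructed raw IPv4 packets: it pairs DNS queries with their responses by client, source port and transaction id so an unanswered first lookup stands out, and it flags ICMP redirects (type 5) together with the gateway they point to. The packet builders, addresses and transaction ids are all made up for the sample.

```python
import socket
import struct

def build_ipv4(proto, src, dst, payload):
    # Constructed 20-byte IPv4 header (checksum left zero; fine for offline parsing).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def dns_msg(txid, response):
    # Minimal DNS header only: QR bit set for a response, question section omitted.
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, int(response), 0, 0)

def icmp_redirect(gateway):
    # ICMP type 5 (redirect), code 1 (redirect for host), followed by the new gateway.
    return struct.pack("!BBH4s", 5, 1, 0, socket.inet_aton(gateway))

def triage(packets):
    """Offline version of the Wireshark 'udp.port == 53' view: pair DNS queries with
    responses by (client, source port, transaction id) and flag ICMP redirects."""
    pending, answered, redirects = {}, [], []
    for pkt in packets:
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        body = pkt[ihl:]
        if proto == 1 and body[0] == 5:               # ICMP redirect from a router
            redirects.append((src, socket.inet_ntoa(body[4:8])))
        elif proto == 17:
            sport, dport = struct.unpack("!HH", body[:4])
            if 53 not in (sport, dport):
                continue
            txid, flags = struct.unpack("!HH", body[8:12])
            if flags & 0x8000:                        # response: match it to its query
                answered.append(pending.pop((dst, dport, txid), None))
            else:
                pending[(src, sport, txid)] = (src, sport, txid)
    return {"unanswered": list(pending.values()),
            "answered": [a for a in answered if a], "redirects": redirects}

# Constructed sample: first lookup (txid 0x1111) unanswered, retry (0x2222) answered,
# and router A sends a redirect pointing the client at router B.
CLIENT, DNS, ROUTER_A, ROUTER_B = "192.0.2.10", "192.0.2.53", "192.0.2.1", "192.0.2.2"
SAMPLE = [
    build_ipv4(17, CLIENT, DNS, build_udp(50000, 53, dns_msg(0x1111, False))),
    build_ipv4(1, ROUTER_A, CLIENT, icmp_redirect(ROUTER_B)),
    build_ipv4(17, CLIENT, DNS, build_udp(50001, 53, dns_msg(0x2222, False))),
    build_ipv4(17, DNS, CLIENT, build_udp(53, 50001, dns_msg(0x2222, True))),
]
```

Running triage(SAMPLE) reports the first query as unanswered and the redirect from router A to router B, which is exactly the pair of signs to look for in a real capture filtered to udp.port == 53 and icmp.type == 5.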
 
jhaneke (Author) commented:
It appears that this is malware related for the most part. I'm working with my vendors at clearing the infections from all of our systems. Thanks much everyone for your help, and sorry about the delayed response! I've been busy battling it and haven't been holding up my end and keeping you guys informed.
 
jhaneke (Author) commented:
Wireshark traffic analysis led me to trace back to test the PCs, and I discovered malware.
 
skullnobrains commented:
If you happen to gain some knowledge regarding the name of the malware and/or the way it operates and/or its goals, I'm interested. Thanks.