Very odd DNS issues

Hello Experts and thanks in advance!  I'm struggling to figure out what the problem is on our network.  We had a malware issue that we rooted out but have discovered since that DNS doesn't respond well to the first attempt but will immediately connect on the second.

For example:  Let's say I want to open SharePoint.  You go to the site and it will just sit and spin, but if you refresh right after your first attempt, it opens right up.  Same thing with RDS and DameWare for remotely connecting.  There are no bad entries in DNS that I saw and no errors in the log.  I have tried building new servers with DNS and I still encounter much the same.  I've scanned multiple times using several different AV and AM software and they are all saying my systems are clean.  I can't really put my finger on it but I'm pretty sure this has to be a DNS issue.
jhanekeAsked:
zLevaCommented:
Have you checked with Wireshark or other network monitoring tools? Just to see what's going on at the network level.
That'd be helpful to identify the cause, as you would see where those machines are connecting to first and so on.
0
tolinromeCommented:
Are you sure this happened during the malware time? Is it all network services that this happens with?

Could the malware have affected DNS entries on the client from the DHCP scope? If this problem was from the malware, I would think it would be a problem on the client, as an OS problem that the malware has damaged.
0
jhanekeAuthor Commented:
Hello and thanks both for responding.  It might not be malware as the problem, and it could just be coincidental as to when this occurred and that.  However, from a computer that I know to have been clean the whole time, it still happens the same as the workstations in the office.

zLeva- I'm looking into Wireshark right now.  I haven't run it for years and don't remember how to set the filters correctly so I'm digging around and trying to figure it out.

Of note:  I tried modifying the hosts file on a local machine with the same results.  This really is puzzling to me as DNS seems otherwise quite happy and responsive.  I try to connect to multiple machines and it doesn't matter; the problem is duplicated.
0
Anthony JenningsSignal SupportCommented:
Answer:

I found the possible answer from the Firefox website. According to Firefox, the following will cause a website to spin: "The web page may be using an external JavaScript file which is in the wrong format. Try disabling JavaScript - see JavaScript settings and preferences for interactive web pages. If the page now finishes loading the bad JavaScript file may be coming from:" (Firefox, n.d.).

"A proxy filter that is incorrectly filtering that website's files. If you are running a proxy filter such as Privoxy, try disabling it" (Firefox, n.d.).

Reference

Firefox. (n.d.). Websites show a spinning wheel and never finish loading. Retrieved August 2, 2014, from https://support.mozilla.org/en-US/kb/websites-show-spinning-wheel-never-finish-load
0
jhanekeAuthor Commented:
Thanks for the tip Anthony.   Unfortunately this also affects more than just websites.  I use DameWare for remotely connecting to servers and workstations which isn't dependent on Java.  I did try uninstalling Java to see if that would help but to no avail.
0
tolinromeCommented:
If this happens with every computer in the office, then most likely it's a network issue and not a computer desktop issue, unless there has been some update to antivirus or firewall software on the desktop. Are all the computers connected to the same switch? Let's try to narrow it down. Have there been any changes on the network at all?
0
tolinromeCommented:
Any group policies that are taking effect on the clients? Possibly even Windows Firewall issues on the client?
0
AkinsdNetwork AdministratorCommented:
On one workstation, change the primary DNS server to 8.8.8.8 and access multiple servers.

Run dcdiag /fix on your main (authoritative domain server)
Reboot the server when you can

Wireshark will also be a good resource. Run Wireshark on the computer and concentrate on UDP 53 packets
For capture filter, choose UDP
In the display filter, use udp.port == 53

See step by step instructions here
http://wiki.wireshark.org/CaptureSetup
http://openmaniak.com/wireshark_filters.php
0
skullnobrainsCommented:
This hardly looks like a DNS issue. You can confirm by connecting to one of the sites using telnet, and possibly run a ping as well (both might print out useful debug information as well as helping rule out DNS).

One thing that produces such a symptom is route redirections:

If you have 2 routers on the same network as the host, and the route is set to router A while router B is the one that is connected to your destination, A will forward the first packet it receives (SYN) and send a route redirection that will make your host send subsequent packets to router B. Either your host or router B will reject one of the subsequent packets because it won't seem to belong to the same connection.

The result is the first TCP connection will fail, but the host will create a dynamic route for your destination using router B, and subsequent connections to the same destination will work for a few minutes or more.

Such things can be due to malware attempting to do man-in-the-middle attacks, but this is highly speculative.
0
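One way to test skullnobrains's point from a workstation, and to complement Akinsd's "watch UDP 53" approach, is to time name resolution and the TCP handshake separately over a few back-to-back attempts. The script below is an added example and is not code from any participant's post: if the name resolves quickly every time but the first connect hangs and the retry succeeds, the problem is below DNS (routing, redirects, a stateful device in the path). The host name, port and verdict labels are this example's own assumptions; the resolver and connector are injectable so the classification logic can be exercised without a network.

```python
"""Separate name resolution from the TCP handshake so a 'first attempt
hangs, second attempt works' symptom can be attributed to the right layer.
Added example, not code from the original thread; host/port are assumptions."""
import socket
import sys
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Attempt:
    n: int
    dns_ok: bool
    dns_ms: float
    addr: Optional[str]
    tcp_ok: bool
    tcp_ms: float
    error: str = ""


def resolve_ipv4(host: str) -> str:
    """Real resolver: first IPv4 address via the OS resolver (honours the hosts file)."""
    info = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return info[0][4][0]


def tcp_connect(addr: str, port: int, timeout: float) -> None:
    """Real connector: complete a TCP handshake and close; raises OSError on failure/timeout."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def probe(host: str, port: int, attempts: int = 3, timeout: float = 5.0,
          pause: float = 0.5,
          resolve: Callable[[str], str] = resolve_ipv4,
          connect: Callable[[str, int, float], None] = tcp_connect) -> List[Attempt]:
    """Run `attempts` tries in a row, timing DNS and TCP separately for each."""
    results: List[Attempt] = []
    for n in range(1, attempts + 1):
        addr: Optional[str] = None
        error = ""
        t0 = time.perf_counter()
        try:
            addr = resolve(host)
            dns_ok = True
        except OSError as exc:          # socket.gaierror is an OSError subclass
            dns_ok = False
            error = f"dns: {exc}"
        dns_ms = (time.perf_counter() - t0) * 1000.0

        tcp_ok, tcp_ms = False, 0.0
        if dns_ok:
            t1 = time.perf_counter()
            try:
                connect(addr, port, timeout)
                tcp_ok = True
            except OSError as exc:      # socket.timeout is an OSError subclass
                error = f"tcp: {exc}"
            tcp_ms = (time.perf_counter() - t1) * 1000.0

        results.append(Attempt(n, dns_ok, dns_ms, addr, tcp_ok, tcp_ms, error))
        if n < attempts and pause:
            time.sleep(pause)
    return results


def classify(results: List[Attempt]) -> str:
    """Map the attempt pattern to a verdict label (labels are this example's own)."""
    first, later = results[0], results[1:]
    if not first.dns_ok:
        return "dns-failed"              # name resolution itself is the problem
    if all(r.tcp_ok for r in results):
        return "ok"
    if not first.tcp_ok and any(r.tcp_ok for r in later):
        # Name resolved, first handshake failed, retry worked: look below DNS
        # (ICMP redirect / route change, stateful firewall or proxy, ARP).
        return "tcp-first-attempt-failed"
    return "tcp-failed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sharepoint.example.local"  # assumed name
    port_ = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    runs = probe(target, port_)
    for r in runs:
        print(f"#{r.n} dns={'ok' if r.dns_ok else 'FAIL'} {r.dns_ms:6.1f}ms addr={r.addr} "
              f"tcp={'ok' if r.tcp_ok else 'FAIL'} {r.tcp_ms:7.1f}ms {r.error}")
    print("verdict:", classify(runs))
```

Run it as `python probe.py <hostname> <port>` from an affected workstation against a host that shows the symptom. A `tcp-first-attempt-failed` verdict with small `dns_ms` values is the pattern the route-redirect scenario above would produce, and is also what you would expect if editing the hosts file (which bypasses DNS entirely) made no difference; a `dns-failed` verdict, or a large `dns_ms` on the first attempt only, is the pattern that would actually point at the resolver. In either case a Wireshark capture taken alongside the run (filter `udp.port == 53` for DNS, then the SYN and any ICMP redirect for the TCP side) shows where the first attempt stalls.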
jhanekeAuthor Commented:
It appears that this is Malware related for the most part.  I'm working with my vendors at clearing the infections from all of our systems.  Thanks much everyone for your help and sorry about the delayed response!  I've been busy battling it and haven't been holding up my end and keeping you guys informed.
0
jhanekeAuthor Commented:
Wireshark traffic analysis led me to trace back to test the PCs, and I discovered malware.
0
skullnobrainsCommented:
If you happen to gain some knowledge regarding the name of the malware and/or the way it operates and/or its goals, I'm interested. Thanks.
0