Solved

Wrong DNS entry keeps appearing in Windows DNS.

Posted on 2015-01-23
Last Modified: 2016-10-14
Hello,

We have a bizarre issue whereby our WAN IP keeps being added to DNS pointing to our primary DC (DC01).

As you can imagine this is causing all kinds of issues. Is there any way I can see where this record is coming from? I have checked the server itself (DC01) and it has two internal addresses; no WAN IP assigned to it at all.

Yet I deleted the WAN IP to DC01 record from our three Windows DNS servers and within 20/30 minutes it's back!

Any ideas?

(attachment: dns-issue.png)
Question by:SimonBrook
17 Comments
 
LVL 3

Expert Comment

by:Waddah Dahah
ID: 40566179
Hello Simon,

Did you try to configure your DNS for secure dynamic updates only? This is recommended with Active Directory.

To allow only secure dynamic updates using the Windows interface

Open DNS Manager.
In the console tree, right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone type is Active Directory-integrated.
In Dynamic Updates, click secure only.

For more information please read the following:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/SecuringDNSwithSecureDynamicUpdates.html 


If you have more than one DNS server make sure you delete the record from the servers.

Also run the ipconfig /all command in CMD.exe and check if the IP is listed there. If yes, go to Internet Protocol Version 4 (TCP/IPv4) Properties and click on Advanced; surely you will find the IP listed there.

Regards,
Waddah
 
LVL 17

Expert Comment

by:Learnctx
ID: 40567922
You don't by any chance run DHCP on a domain controller, do you?

It will almost certainly be dynamic updates as the poster above has said. There are 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run wireshark or other capture program and capture DNS requests.

Option 1:
In DNS management console, right click the server and select properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output log to a location and set the max log size to say 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in, the first where the record never existed and the second where it already exists and is being updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a wireshark log showing the dynamic update process.



For a wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.
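To make the debug-log approach above actionable, here is an added example (my own code, not Learnctx's or Microsoft's) that parses packet lines in the layout shown in the comment and counts received dynamic update requests (opcode U, no R flag) per source IP and zone. That answers the question the debugging is meant to settle: which host keeps sending the update. The sample lines are the ones from the comment above; the column layout and the opcode letters (Q, N, U) are taken from that comment and Microsoft's documentation, and any other debug-log line shape is assumed to be skipped as a header.

```python
import re
from collections import Counter

# One packet line of the Windows DNS server debug log, in the layout shown in the
# comment above: date, time, thread id, PACKET, buffer pointer, protocol,
# direction, remote IP, XID, optional "R" (response), opcode, [flags ... rcode],
# query type, and the name in length-prefixed label form.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+ [AP]M)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<buffer>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)\s+"
    r"(?P<remote_ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+(?P<response>R)?\s*"
    r"(?P<opcode>[A-Z?])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

OPCODES = {"Q": "query", "N": "notify", "U": "update"}

# Sample input: the two log excerpts posted in the comment above.
SAMPLE_LOG = """\
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)


24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
""".splitlines()


def decode_name(label_form):
    """Turn '(4)dc01(7)contoso(3)com(0)' into 'dc01.contoso.com'."""
    labels = [lbl for _, lbl in re.findall(r"\((\d+)\)([^()]*)", label_form) if lbl]
    return ".".join(labels)


def parse_packet_line(line):
    """Return a dict for one packet line, or None for header, blank or other lines."""
    m = PACKET_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("response") == "R"
    flag_tokens = rec["flags"].split()
    rec["rcode"] = flag_tokens[-1] if flag_tokens else ""  # rcode is the last token in [...]
    rec["name"] = decode_name(rec["name"])
    rec["action"] = OPCODES.get(rec["opcode"], "unknown")
    return rec


def summarize_updates(lines):
    """Count received dynamic update requests (opcode U, not a response) per
    (remote IP, zone). The zone is the SOA name the update is sent to, so the
    result reads as 'which host keeps sending updates for which zone'."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_line(line)
        if rec and rec["direction"] == "Rcv" and rec["opcode"] == "U" and not rec["is_response"]:
            counts[(rec["remote_ip"], rec["name"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, zone), n in sorted(summarize_updates(SAMPLE_LOG).items()):
        print(f"{ip} sent {n} update request(s) for zone {zone}")
```

Run it against a real dns.log with `summarize_updates(open(path, errors="replace"))`; the source IP with the most update requests for the forward zone is the machine whose registration keeps putting the record back. If the answer is a DNS server's own address, the registration is coming from the server itself rather than from a client, which is what the accepted solution below turned out to be about.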
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40579878
Is your DC dual-homed? With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40579978

Hi, yes we use DHCP on a DC. I will try your suggestions.

Hi, it has two NICs; one is disabled, the other has a private IP range.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40619281
Hello

Apologies for the delay in response. This is still a big big issue for us.

Dynamic updates are set to secure only on the zone.

Thanks,
 
LVL 1

Author Comment

by:SimonBrook
ID: 40654370
No response; any ideas anyone?
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655817
Excuse the pause... was on vacation, with intermittent Internet.

Can you post an ipconfig /all for the DC in question?
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655821
C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : U***01
   Primary Dns Suffix  . . . . . . . : ***.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : huddle.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
 VBD Client) #38
   Physical Address. . . . . . . . . : D4-AE-52-BD-46-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655857
Can you post the output of the following commands:

1. run nslookup from command prompt
2. at the nslookup prompt type:  set type=NS hit enter
3. at the nslookup prompt type:  huddle.local

how many NS records are listed and is the IP on the list?

Also, I would look into your DNS zones to determine if this rogue address has a record in 1 of the following locations:

1. _msdcs.huddle.local
2. _tcp.<YourDomainGuid>.domains._msdcs.huddle.local
3. gc._msdcs.huddle.local
4. huddle.local {here look specifically for an A record and/or an NS record}
5. check the SOA record of the domain. Look on the Name Servers tab for an entry with the IP in question

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655867
Six nameservers are listed for the domain, some of which are old DCs that have been decommissioned.

Five "internet addresses" are listed underneath; the WAN IP is there, yes.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655887
The WAN IP record is present under the nameserver within _msdcs.huddle.local and huddle.local

(attachment: dns2.png)
It is as an A record within huddle.local alongside the PDC.

SOA points to PDC, which has the entry obviously.
 
LVL 26

Accepted Solution

by: Dan McFadden (earned 500 total points)
ID: 40655890
It appears that no one ever ran a metadata cleanup on the domain when deactivating/demoting DCs.

There should only be DNS entries for DCs that are live.

I would read through the following article on cleaning up old entries in AD and AD-integrated DNS:

link = https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

I would also check to see if DNS scavenging is enabled. If not, I would turn it on:

link = https://technet.microsoft.com/en-us/library/cc770850.aspx

Dan
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655893
Remove the offending IP.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655895
It won't let me. It comes back after applying.
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40656070
Make sure when you are working on the issue that you are using an account that has Domain Admin permissions.

I would read through the articles I posted and follow the processes therein.

Dan
 
LVL 1

Assisted Solution

by: SimonBrook (earned 0 total points)
ID: 40656901
OK

I have managed to fix the issue with the incorrect static entry pointing to our PDC.

On the PDC there was a registry key
HKLM\System\ControlSet001\Services\DNS\Parameters\PublishAddress

which had the offending 31.*.*.200 address listed within it. I removed the 31 address from the registry key and rebooted the machine. It has since removed itself from DNS.

Thanks for your input.
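The fix above explains why the record survived every deletion: the DNS server's own PublishAddress setting still listed the old WAN address, so the server re-registered it for its host name on each refresh, regardless of what the NICs carried. The check a practitioner wants is to compare that setting against the addresses actually bound to the server. The following is an added example (my own code, not from the poster or from Microsoft) that parses `ipconfig /all` output and returns the published addresses no interface currently has. The ipconfig text is a constructed sample modelled on the output posted earlier (host name and suffix replaced); `203.0.113.200` is a constructed placeholder standing in for the redacted WAN address. The optional registry reader uses the value name given in the comment above, `PublishAddress`, and the plural form `PublishAddresses` that `dnscmd /Config` documents, under `CurrentControlSet`; it only runs on Windows and is not needed for the pure comparison.

```python
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample modelled on the ipconfig /all output posted in this thread;
# host name and DNS suffix are placeholders.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
 VBD Client) #38
   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
"""


def parse_ipconfig(text):
    """Map each adapter name in 'ipconfig /all' output to its IPv4 addresses.
    Adapter headers are unindented lines ending in ':'; address lines are the
    indented 'IPv4 Address . . . : a.b.c.d(Preferred)' lines under them."""
    adapters = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" ") and raw.rstrip().endswith(":"):
            current = raw.rstrip()[:-1]
            adapters[current] = []
        elif current is not None and raw.strip().startswith("IPv4 Address"):
            m = IPV4_RE.search(raw.split(":", 1)[1])
            if m:
                adapters[current].append(m.group(1))
    return adapters


def bound_ipv4_addresses(text):
    """All IPv4 addresses currently bound to any adapter."""
    return {ip for ips in parse_ipconfig(text).values() for ip in ips}


def stale_published_addresses(publish_value, ipconfig_text):
    """The PublishAddress value is a space-separated REG_SZ list of the addresses
    the DNS server registers for its own host name. Return the entries that no
    interface carries; those are the addresses the server will keep re-adding."""
    published = publish_value.split()
    bound = bound_ipv4_addresses(ipconfig_text)
    return [ip for ip in published if ip not in bound]


def read_publish_address_from_registry():
    """Windows only. Reads the DNS server's published-address list from the
    registry, trying the value name used in the comment above ('PublishAddress')
    and the documented plural ('PublishAddresses'). Returns None if neither exists."""
    import winreg  # assumption: running on the DNS server itself
    key_path = r"SYSTEM\CurrentControlSet\Services\DNS\Parameters"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for name in ("PublishAddress", "PublishAddresses"):
            try:
                value, _ = winreg.QueryValueEx(key, name)
                return str(value)
            except FileNotFoundError:
                continue
    return None


if __name__ == "__main__":
    # Constructed PublishAddress value: one live address plus a stale placeholder.
    stale = stale_published_addresses("192.168.1.9 203.0.113.200", SAMPLE_IPCONFIG)
    print("stale published addresses:", stale)
```

On the server itself, feed `read_publish_address_from_registry()` and the output of `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` into `stale_published_addresses`; a non-empty result means the DNS service is publishing an address the machine no longer has, which is exactly the condition that produced the recurring record in this thread. Note that an empty PublishAddress value means "publish all bound addresses", so an empty string correctly yields no stale entries.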
