Solved
Wrong DNS entry keeps appearing in Windows DNS.

Posted on 2015-01-23
143 Views
Last Modified: 2016-10-14
Hello,

We have a bizarre issue whereby our WAN IP keeps being added to DNS pointing to our primary DC (DC01).

As you can imagine this is causing all kinds of issues. Is there any way I can see where this record is coming from? I have checked the server itself (DC01) and it has two internal addresses; no WAN IP assigned to it at all.

Yet I deleted the WAN IP to DC01 record from our three Windows DNS servers and within 20/30 minutes it's back!

Any ideas?

Attachment: dns-issue.png (DNS issues)
Question by:SimonBrook
16 Comments
 
LVL 3

Expert Comment

by:Waddah Dahah
ID: 40566179
Hello Simon,

Did you try to configure your DNS to secure dynamic updates only? This is recommended with Active Directory.

To allow only secure dynamic updates using the Windows interface:

1. Open DNS Manager.
2. In the console tree, right-click the applicable zone, and then click Properties.
3. On the General tab, verify that the zone type is Active Directory-integrated.
4. In Dynamic Updates, click Secure only.

For more information please read the following:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/SecuringDNSwithSecureDynamicUpdates.html

If you have more than one DNS server, make sure you delete the record from the servers.

Also run the ipconfig /all command in CMD.exe and check if the IP is listed there; if yes, go to Internet Protocol Version 4 (TCP/IPv4) Properties, click Advanced, and you will surely find the IP listed there.

Regards,
Waddah
LVL 18

Expert Comment

by:Learnctx
ID: 40567922
You don't by any chance run DHCP on a domain controller, do you?

It will almost certainly be dynamic updates, as the poster above has said. There are 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run Wireshark or another capture program and capture DNS requests.

Option 1:
In the DNS management console, right-click the server and select Properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output the log to a location and set the max log size to, say, 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in: the first where the record never existed, and the second where it already exists and is being updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a wireshark log showing the dynamic update process.



For a wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.
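As an added example (not code from Learnctx's post), a small Python parser for the debug-log layout shown above: it decodes the length-prefixed names, pairs each received dynamic update (U) with the server's reply by source IP and transaction id, and counts accepted updates per source and zone, which is the quickest way to see which host keeps re-registering a record. The sample log reuses two lines from the post plus a constructed, refused update from an assumed host 192.168.1.77.

```python
import re
from collections import Counter
# One line of the Windows DNS server debug log, in the layout the thread shows.
LINE_RE = re.compile(
    r"^\S+ \S+ [AP]M (?P<tid>[0-9A-F]{4}) PACKET\s+[0-9A-F]+ (?P<proto>UDP|TCP) "
    r"(?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4})\s+(?P<resp>R)?\s*(?P<op>[QUN?])"
    r" \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$")

def decode_name(wire):
    # '(4)dc01(7)contoso(3)com(0)' -> 'dc01.contoso.com'; a lone '(0)' is the root.
    labels = [lab for _n, lab in re.findall(r"\((\d+)\)([^(]*)", wire) if lab]
    return ".".join(labels) if labels else "."

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rcode"] = rec["flags"].split()[-1]   # bracket is '<hex> <char flags> <rcode>'
    rec["name"] = decode_name(rec["name"])
    return rec

def update_transactions(lines):
    # Pair each received dynamic update (opcode U) with the server's reply ('R U')
    # by source IP and transaction id; yields (source_ip, zone, reply_rcode_or_None).
    pending, out = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "U":
            continue
        key = (rec["ip"], rec["xid"])
        if rec["dir"] == "Rcv" and rec["resp"] is None:
            pending[key] = rec["name"]
        elif rec["dir"] == "Snd" and rec["resp"] == "R" and key in pending:
            out.append((rec["ip"], pending.pop(key), rec["rcode"]))
    out.extend((ip, zone, None) for (ip, _xid), zone in pending.items())
    return out

def updates_per_source(lines):
    # Accepted updates per (source IP, zone): the "who keeps re-registering this?" view.
    return Counter((ip, z) for ip, z, rc in update_transactions(lines) if rc == "NOERROR")
# Constructed sample: one update exchange copied from the thread's log plus a made-up
# update from 192.168.1.77 that a secure-only zone refuses (flag word 00a5 is invented).
SAMPLE_LOG = """\
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:21:03 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.77    1b2c   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:21:03 PM 0470 PACKET  0000000001DA9210 UDP Snd 192.168.1.77    1b2c R U [00a5       REFUSED] SOA    (7)contoso(3)com(0)
""".splitlines()
```

Feed it the whole dns.log and the Counter tells you which client IP is re-adding the record; the refused entries show what a secure-only zone is already blocking.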
LVL 29

Expert Comment

by:Dan McFadden
ID: 40579878
Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
LVL 1

Author Comment

by:SimonBrook
ID: 40579978
> You don't by any chance run DHCP on a domain controller, do you?

Hi yes we use DHCP on a DC. I will try your suggestions

> Is your DC dual-homed? With one NIC on your WAN and the other on your internal LAN?
>
> If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Hi, it has two NICs; one is disabled, the other has a private IP range.
LVL 1

Author Comment

by:SimonBrook
ID: 40619281
Hello

Apologies for the delay in response. This is still a big big issue for us.

Dynamic updates are set to secure only on the zone.

Thanks,
LVL 1

Author Comment

by:SimonBrook
ID: 40654370
No response; any ideas anyone?
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655817
Excuse the pause... was on vacation, with intermittent Internet.

Can you post an ipconfig /all for the DC in question?
LVL 1

Author Comment

by:SimonBrook
ID: 40655821
C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : U***01
   Primary Dns Suffix  . . . . . . . : ***.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : huddle.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #38
   Physical Address. . . . . . . . . : D4-AE-52-BD-46-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

LVL 29

Expert Comment

by:Dan McFadden
ID: 40655857
Can you post the output of the following commands:

1. Run nslookup from a command prompt.
2. At the nslookup prompt type: set type=NS and hit Enter.
3. At the nslookup prompt type: huddle.local

How many NS records are listed, and is the IP on the list?

Also, I would look into your DNS zones to determine if this rogue address has a record in 1 of the following locations:

1. _msdcs.huddle.local
2. _tcp.<YourDomainGuid>.domains._msdcs.huddle.local
3. gc._msdcs.huddle.local
4. huddle.local {here look specifically for an A record and/or an NS record}
5. check the SOA record of the domain.  Look on the Name Servers tab for an entry with the IP in question

Dan
LVL 1

Author Comment

by:SimonBrook
ID: 40655867
6 name servers are listed for the domain, some of which are old DCs that have been decommissioned.

5 "internet addresses" are listed underneath; the WAN IP is there, yes.
LVL 1

Author Comment

by:SimonBrook
ID: 40655887
The WAN IP record is present under the name server within _msdcs.huddle.local and huddle.local.

Attachment: dns2.png

It is there as an A record within huddle.local alongside the PDC.

The SOA points to the PDC, which has the entry, obviously.
LVL 29

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 40655890
It appears that no one ever ran a metadata cleanup on the domain when deactivating/demoting DCs.

There should only be DNS entries for DCs that are live.

I would read thru the following article on cleaning up old entries in AD and AD integrated DNS:

link = https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

I would also check to see if DNS scavenging is enabled.  If not, I would turn it on:

link = https://technet.microsoft.com/en-us/library/cc770850.aspx

Dan
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655893
Remove the offending IP.
LVL 1

Author Comment

by:SimonBrook
ID: 40655895
It won't let me. It comes back after applying.
LVL 29

Expert Comment

by:Dan McFadden
ID: 40656070
Make sure when you are working on the issue that you are using an account that has Domain Admin permissions.

I would read thru the articles I posted and follow the processes therein.

Dan
LVL 1

Assisted Solution

by:SimonBrook
SimonBrook earned 0 total points
ID: 40656901
OK.

I have managed to fix the issue with the incorrect static entry pointing to our PDC.

On the PDC there was a registry key:
HKLM\System\ControlSet001\Services\DNS\Parameters\PublishAddress

which had the offending 31.*.*.200 address listed in it. I removed the 31 address from the registry key and rebooted the machine. It has since removed itself from DNS.

Thanks for your input.