Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Wrong DNS entry keeps appearing in Windows DNS.

Posted on 2015-01-23
17
Medium Priority
?
133 Views
Last Modified: 2016-10-14
Hello,

We have a bizarre issue whereby our WAN IP keeps being added to DNS pointing to our primary DC (DC01).

As you can imagine this is causing all kinds of issues. Is there anyway I can see where this record is coming from? I have checked the server itself (DC01) and it has two internal addresses; no WAN IP assigned to it at all.

Yet I deleted the WAN IP to DC01 record from our three Windows DNS servers and within 20/30 minutes it's back!

Any ideas?

DNS issuesdns-issue.png
0
Comment
Question by:SimonBrook
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
17 Comments
 
LVL 3

Expert Comment

by:Waddah Dahah
ID: 40566179
Hello Simon,

did you try to configure your DNS to secure dynamic updates only? this is recommended with Active directory.

To allow only secure dynamic updates using the Windows interface

Open DNS Manager.
In the console tree, right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone type is Active Directory-integrated.
In Dynamic Updates, click secure only.

for more information please ready the following;
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/SecuringDNSwithSecureDynamicUpdates.html 


if you have more than one DNS Server make sure you delete the record from servers.

also run ipconfig /all command in CMD.exe and check if the IP is listed there, if yes go to  Internet Protocol Version 4 (TCP/IPv4) Properties, and click on Advanced, sure you will find the IP listed there.

Regards,
Waddah
0
 
LVL 18

Expert Comment

by:Learnctx
ID: 40567922
You don't by an chance run DHCP on a domain controller do you?

It will almost certainly be dynamic updates as the poster above has said. 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run wireshark or other capture program and capture DNS requests.

Option 1:
In DNS management console, right click the server and select properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output log to a location and set the max log size to say 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in, the first where the record never existed and the second where it already exists and is beinged updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)

Open in new window


The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a wireshark log showing the dynamic update process.



For a wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40579878
Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:SimonBrook
ID: 40579978
You don't by an chance run DHCP on a domain controller do you?

It will almost certainly be dynamic updates as the poster above has said. 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run wireshark or other capture program and capture DNS requests.

Option 1:
In DNS management console, right click the server and select properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output log to a location and set the max log size to say 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in, the first where the record never existed and the second where it already exists and is beinged updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)

                                         
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
Select all
Open in new window


The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a wireshark log showing the dynamic update process.



For a wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.

Hi yes we use DHCP on a DC. I will try your suggestions

Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
Hi, It has two NICs, one is disabled the other has private IP range.
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40619281
Hello

Apologies for the delay in response. This is still a big big issue for us.

Dynamic updates are set to secure only on the zone.

Thanks,
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40654370
No response; any ideas anyone?
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655817
Excuse the pause... was on vacation, with intermittent Internet.

Can you post an ipconfig /all for the DC in question?
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655821
C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : U***01
   Primary Dns Suffix  . . . . . . . : ***.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : huddle.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS
 VBD Client) #38
   Physical Address. . . . . . . . . : D4-AE-52-BD-46-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Open in new window

0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655857
Can you post the output of the following commands:

1. run nslookup from command prompt
2. at the nslookup prompt type:  set type=NS hit enter
3. at the nslookup prompt type:  huddle.local

how many NS records are listed and is the IP on the list?

Also, I would look into your DNS zones to determine if this rogue address has a record in 1 of the following locations:

1. _msdcs.huddle.local
2. _tcp.<YourDomainGuid>.domains._msdcs.huddle.local
3. gc._msdcs.huddle.local
4. huddle.local {here look specifically for an A record and/or an NS record}
5. check the SOA record of the domain.  Look on the Name Servers tab for an entry with the IP in question

Dan
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655867
6 nameservers are listed for the domain. some of which are old DCs that have been decommissioned.

5 "internet addresses" are listed underneath. the WAN IP is there yes.
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655887
The WAN IP record is present under the nameserver within _msdcs.huddle.local and huddle.local

dns2.png
It is as an A record within huddle.local alongside the PDC.

SOA points to PDC, which has the entry obviously.
0
 
LVL 29

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 40655890
It appears that no one ever ran a metadata cleanup on the domain when deactivating/demoting DCs.

There should only be DNS entries for DCs that are live.

I would read thru the following article on cleaning up old entries in AD and AD integrated DNS:

link = https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

I would also check to see if DNS scavenging is enabled.  If not, I would turn it on:

link = https://technet.microsoft.com/en-us/library/cc770850.aspx

Dan
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655893
Remove the offending IP.
0
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655895
It wont let me. Comes back after applying.
0
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40656070
Make sure when you are working on the issue that you are using an account that has Domain Admin permissions.

I would read thru the articles I posted and follow the processes therein.

Dan
0
 
LVL 1

Assisted Solution

by:SimonBrook
SimonBrook earned 0 total points
ID: 40656901
OK

I have managed to fix the issue with the incorrect static entry pointing to our PDC.

On the PDC there was a registry key
HKLM\System\ControlSet001\Services\DNS\Parameters\PublishAddress

Which had the offending 31.*.*.200 address listed within. I removed the 31 address from the registry key and rebooted the machine. It has since removed itself from DNS.

Thanks for your input.
0

Featured Post

Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is intended as an extension of a blog on Aging and Scavenging by the MS Enterprise Networking Team. In brief, Scavenging is used as follows: Each record in a zone which has been dynamically registered with an MS DNS Server will have…
Preface There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time. There are different solutions for this, i.e. the W3…
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question