Solved

Wrong DNS entry keeps appearing in Windows DNS.

Posted on 2015-01-23
Last Modified: 2016-10-14
Hello,

We have a bizarre issue whereby our WAN IP keeps being added to DNS pointing to our primary DC (DC01).

As you can imagine this is causing all kinds of issues. Is there anyway I can see where this record is coming from? I have checked the server itself (DC01) and it has two internal addresses; no WAN IP assigned to it at all.

Yet I deleted the WAN IP to DC01 record from our three Windows DNS servers and within 20/30 minutes it's back!

Any ideas?

DNS issues (attachment: dns-issue.png)
Question by:SimonBrook
17 Comments
 
LVL 3

Expert Comment

by:Waddah Dahah
ID: 40566179
Hello Simon,

Did you try to configure your DNS to secure dynamic updates only? This is recommended with Active Directory.

To allow only secure dynamic updates using the Windows interface

Open DNS Manager.
In the console tree, right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone type is Active Directory-integrated.
In Dynamic Updates, click secure only.

For more information please read the following:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/SecuringDNSwithSecureDynamicUpdates.html


If you have more than one DNS server, make sure you delete the record from the servers.

Also run the ipconfig /all command in CMD.exe and check if the IP is listed there; if yes, go to Internet Protocol Version 4 (TCP/IPv4) Properties, click on Advanced, and you will surely find the IP listed there.

Regards,
Waddah
 
LVL 16

Expert Comment

by:Learnctx
ID: 40567922
You don't by any chance run DHCP on a domain controller, do you?

It will almost certainly be dynamic updates as the poster above has said. 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run Wireshark or another capture program and capture DNS requests.

Option 1:
In DNS management console, right click the server and select properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output log to a location and set the max log size to say 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in, the first where the record never existed and the second where it already exists and is being updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a Wireshark log showing the dynamic update process.



For a Wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.
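Reading a debug log of that size by hand is slow, so here is an added example (my own script, not part of Learnctx's post) that parses packet lines in the format shown above, decodes the length-prefixed names, and summarises per client IP which zones received UPDATE packets, which names that client probed with SOA queries first, and how the server answered. The regex is an assumption built from the sample lines; the last SAMPLE line (a REFUSED reply to a second client) is constructed to show a rejected update.

```python
import re
from collections import Counter, defaultdict

# One packet line of the Windows DNS debug log ("Log packets for debugging" ticked):
#   date time thread PACKET ptr proto Snd|Rcv remote xid [R] Q|U|N [flags] rrtype name
PACKET_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d+:\d\d:\d\d [AP]M) \S+ PACKET\s+\S+ "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4})\s+"
    r"(?P<resp>R)?\s*(?P<op>[QUN]) \[(?P<flags>[^\]]*)\]\s+(?P<rrtype>\S+)\s+(?P<name>\S+)$"
)

def decode_name(wire):
    """'(4)dc01(7)contoso(3)com(0)' -> 'dc01.contoso.com' (length-prefixed labels)."""
    return ".".join(l for l in re.findall(r"\(\d+\)([^()]*)", wire) if l)

def parse_packet(line):
    """Parse one packet line into a dict, or return None for anything else."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["resp"] = rec["resp"] == "R"          # R = a reply the server sent
    rec["rcode"] = rec["flags"].split()[-1]  # last token inside [...] is the rcode
    return rec

def summarise_updates(log_text):
    """Per remote IP: zones it sent UPDATE (U) for, names it probed with SOA queries
    first, and the rcodes of our R U replies (REFUSED = rejected, e.g. by secure-only)."""
    out = defaultdict(lambda: {"updates": Counter(), "probed": set(), "answers": Counter()})
    for line in log_text.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        c = out[p["ip"]]
        if p["dir"] == "Rcv" and p["op"] == "U":
            c["updates"][p["name"]] += 1
        elif p["dir"] == "Rcv" and p["op"] == "Q" and p["rrtype"] == "SOA":
            c["probed"].add(p["name"])
        elif p["dir"] == "Snd" and p["op"] == "U" and p["resp"]:
            c["answers"][p["rcode"]] += 1
    return dict(out)

# Constructed sample: the first four lines are from the log posted above, the last
# is made up to show a rejected update from a second client.
SAMPLE = """\
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:21:03 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.50    91c4 R U [00a8       REFUSED] SOA    (7)contoso(3)com(0)
"""
```

Run it over the real log file instead of SAMPLE and the client whose "updates" counter keeps growing for the zone is the machine re-registering the record.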
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40579878
Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40579978
You don't by any chance run DHCP on a domain controller, do you?


Hi, yes we use DHCP on a DC. I will try your suggestions.

Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Hi, it has two NICs; one is disabled and the other has a private IP range.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40619281
Hello

Apologies for the delay in response. This is still a big big issue for us.

Dynamic updates are set to secure only on the zone.

Thanks,
 
LVL 1

Author Comment

by:SimonBrook
ID: 40654370
No response; any ideas anyone?
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655817
Excuse the pause... was on vacation, with intermittent Internet.

Can you post an ipconfig /all for the DC in question?
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655821
C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : U***01
   Primary Dns Suffix  . . . . . . . : ***.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : huddle.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #38
   Physical Address. . . . . . . . . : D4-AE-52-BD-46-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655857
Can you post the output of the following commands:

1. run nslookup from command prompt
2. at the nslookup prompt type:  set type=NS hit enter
3. at the nslookup prompt type:  huddle.local

how many NS records are listed and is the IP on the list?

Also, I would look into your DNS zones to determine if this rogue address has a record in 1 of the following locations:

1. _msdcs.huddle.local
2. _tcp.<YourDomainGuid>.domains._msdcs.huddle.local
3. gc._msdcs.huddle.local
4. huddle.local {here look specifically for an A record and/or an NS record}
5. check the SOA record of the domain.  Look on the Name Servers tab for an entry with the IP in question

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655867
6 nameservers are listed for the domain, some of which are old DCs that have been decommissioned.

5 "internet addresses" are listed underneath; the WAN IP is there, yes.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655887
The WAN IP record is present under the nameserver within _msdcs.huddle.local and huddle.local

(attachment: dns2.png)
It is as an A record within huddle.local alongside the PDC.

SOA points to PDC, which has the entry obviously.
 
LVL 26

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40655890
It appears that no one ever ran a metadata cleanup on the domain when deactivating/demoting DCs.

There should only be DNS entries for DCs that are live.

I would read through the following article on cleaning up old entries in AD and AD integrated DNS:

link = https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

I would also check to see if DNS scavenging is enabled.  If not, I would turn it on:

link = https://technet.microsoft.com/en-us/library/cc770850.aspx

Dan
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40655893
Remove the offending IP.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655895
It won't let me. It comes back after applying.
 
LVL 26

Expert Comment

by:Dan McFadden
ID: 40656070
Make sure when you are working on the issue that you are using an account that has Domain Admin permissions.

I would read through the articles I posted and follow the processes therein.

Dan
 
LVL 1

Assisted Solution

by:SimonBrook
SimonBrook earned 0 total points
ID: 40656901
OK

I have managed to fix the issue with the incorrect static entry pointing to our PDC.

On the PDC there was a registry key
HKLM\System\ControlSet001\Services\DNS\Parameters\PublishAddress

Which had the offending 31.*.*.200 address listed within it. I removed the 31.*.*.200 address from the registry key and rebooted the machine. It has since removed itself from DNS.

Thanks for your input.
