Solved

Wrong DNS entry keeps appearing in Windows DNS.

Posted on 2015-01-23
Last Modified: 2016-10-14
Hello,

We have a bizarre issue whereby our WAN IP keeps being added to DNS pointing to our primary DC (DC01).

As you can imagine this is causing all kinds of issues. Is there anyway I can see where this record is coming from? I have checked the server itself (DC01) and it has two internal addresses; no WAN IP assigned to it at all.

Yet I deleted the WAN IP to DC01 record from our three Windows DNS servers and within 20/30 minutes it's back!

Any ideas?

Attachment: dns-issue.png (DNS issues)
Question by:SimonBrook
16 Comments
 
LVL 3

Expert Comment

by:Waddah Dahah
ID: 40566179
Hello Simon,

Did you try configuring your DNS to allow secure dynamic updates only? This is recommended with Active Directory.

To allow only secure dynamic updates using the Windows interface

Open DNS Manager.
In the console tree, right-click the applicable zone, and then click Properties.
On the General tab, verify that the zone type is Active Directory-integrated.
In Dynamic Updates, click secure only.

For more information please read the following:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/ActiveDirectory/SecuringDNSwithSecureDynamicUpdates.html 


If you have more than one DNS server, make sure you delete the record from the servers.

Also run the ipconfig /all command in CMD.exe and check whether the IP is listed there. If so, go to Internet Protocol Version 4 (TCP/IPv4) Properties and click Advanced; you will surely find the IP listed there.

Regards,
Waddah
 
LVL 19

Expert Comment

by:Learnctx
ID: 40567922
You don't by any chance run DHCP on a domain controller, do you?

It will almost certainly be dynamic updates as the poster above has said. 2 ways you can debug this.

1. Turn on DNS debugging on your DNS servers.
2. Run wireshark or other capture program and capture DNS requests.

Option 1:
In DNS management console, right click the server and select properties. Select the Debug Logging tab. Tick the following.

Log packets for debugging
Outgoing
Incoming
UDP
Updates
Request
Response

Output log to a location and set the max log size to say 50000000 bytes (500MB).

You will see a log such as the following (I've put 2 examples in, the first where the record never existed and the second where it already exists and is being updated).

24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  0000000001DA9210 UDP Snd 192.168.1.2     8dd7 R Q [8385 A DR NXDOMAIN] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     8c60   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:46 PM 0470 PACKET  00000000015CE940 UDP Snd 192.168.1.2     8c60 R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     6db3   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     6db3 R Q [8085 A DR  NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 046C PACKET  0000000001DA9210 UDP Snd 192.168.1.2     d1f2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     60b7   Q [0001   D   NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     60b7 R Q [8085 A DR  NOERROR] SOA    (1)2(1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     da1c   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
24/01/2015 6:20:49 PM 0470 PACKET  00000000022F7A90 UDP Snd 192.168.1.2     da1c R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)



The Q, RQ, U and RU are the DNS opcodes for the actions.

Q = query
R Q = query reply
U = update
R U = update reply

The process is described well here: https://technet.microsoft.com/en-us/library/cc771255.aspx.

For option 2:

Here is a wireshark log showing the dynamic update process.



For a wireshark filter you can filter out the host you want easily by using the following filter.

dns.qry.name == "dc01.contoso.com" || dns.resp.name == "dc01.contoso.com"

Or simply dns as the filter.

Obviously use your domain.
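As an added example (this is not Learnctx's code or anything posted in the thread), here is a PowerShell parser for the packet lines of the debug log format shown above. It runs over a constructed sample in the same layout and reports inbound UPDATE packets grouped by the address that sent them and the zone they targeted, which is the question the thread is trying to answer: which host keeps registering the record. The field layout assumed by the regex is taken from the sample lines above; the "Details" option on the same Debug Logging tab is what adds the record data itself to each packet entry.

```powershell
# Added example (not from the thread): summarise a Windows DNS debug log,
# picking out dynamic UPDATE packets (opcode "U") and who sent them.
# $sample is constructed here to match the packet-line layout in the thread.
$sample = @'
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Rcv 192.168.1.2     a40d   Q [0001   D   NOERROR] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000015CE940 UDP Snd 192.168.1.2     a40d R Q [8385 A DR NXDOMAIN] SOA    (4)dc01(7)contoso(3)com(0)
24/01/2015 6:20:46 PM 04A8 PACKET  00000000022F7A90 UDP Rcv 192.168.1.2     9ca2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:46 PM 046C PACKET  00000000022F7A90 UDP Snd 192.168.1.2     9ca2 R U [00a8       NOERROR] SOA    (7)contoso(3)com(0)
24/01/2015 6:20:49 PM 04A8 PACKET  0000000001DA9210 UDP Rcv 192.168.1.2     d1f2   U [0028       NOERROR] SOA    (7)contoso(3)com(0)
'@

# Layout of one packet line (as in the thread's sample):
#   date time AM/PM  threadId PACKET context proto Snd|Rcv remoteIp xid [R] opcode [flags rcode] qtype name
$pattern = '^(?<ts>\S+ \S+ [AP]M)\s+\S+\s+PACKET\s+\S+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>\S+)\s+' +
           '(?<xid>[0-9a-f]{4})\s+(?<resp>R)?\s*(?<op>[A-Z])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>.*)$'

# Turn the length-prefixed form "(4)dc01(7)contoso(3)com(0)" into "dc01.contoso.com".
function ConvertFrom-DnsLabelName {
    param([string]$Label)
    $labels = [regex]::Matches($Label, '\((\d+)\)([^(]*)') |
        ForEach-Object { $_.Groups[2].Value } |
        Where-Object { $_ -ne '' }
    return ($labels -join '.')
}

# Parse packet lines into objects; lines that are not packet entries are skipped.
function ConvertFrom-DnsDebugLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $m = $Matches
            [pscustomobject]@{
                Time     = $m.ts
                Dir      = $m.dir
                RemoteIp = $m.ip
                IsReply  = [bool]$m.resp          # "R" present = this is a response
                Opcode   = $m.op                  # Q = query, U = update
                Rcode    = ($m.flags -split '\s+')[-1]
                Name     = ConvertFrom-DnsLabelName $m.name
            }
        }
    }
}

$packets = ConvertFrom-DnsDebugLog ($sample -split "`r?`n")
# Against a real log: $packets = ConvertFrom-DnsDebugLog (Get-Content C:\dnslogs\dns.log)

# Inbound dynamic updates, grouped by sender and target zone. For the sample
# this yields one group: "192.168.1.2, contoso.com" with Count 2.
$packets |
    Where-Object { $_.Opcode -eq 'U' -and -not $_.IsReply } |
    Group-Object RemoteIp, Name |
    Select-Object Count, Name
```

Note that the question section of an UPDATE packet names the zone (contoso.com), not the record being written, which is why grouping by sender is the useful view without "Details" enabled. A sender that is not a DHCP server or a known host is the one to look at; a DHCP server registering on behalf of clients is the case Learnctx raises with the question about DHCP on a DC.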
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40579878
Is your DC dual-homed?  With one NIC on your WAN and the other on your internal LAN?

If so, you can uncheck the "Register this connection's addresses in DNS" under the "Advanced > DNS" tab.

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40579978
(Quoting Learnctx's comment above, ID 40567922: "You don't by any chance run DHCP on a domain controller do you?")

Hi, yes, we use DHCP on a DC. I will try your suggestions.

(Quoting Dan McFadden's comment above, ID 40579878: "Is your DC dual-homed? With one NIC on your WAN and the other on your internal LAN?")

Hi, it has two NICs: one is disabled, the other has a private IP range.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40619281
Hello

Apologies for the delay in response. This is still a big big issue for us.

Dynamic updates are set to secure only on the zone.

Thanks,
 
LVL 1

Author Comment

by:SimonBrook
ID: 40654370
No response; any ideas anyone?
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655817
Excuse the pause... was on vacation, with intermittent Internet.

Can you post an ipconfig /all for the DC in question?
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655821
C:\Windows\system32>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : U***01
   Primary Dns Suffix  . . . . . . . : ***.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : huddle.local

Ethernet adapter Local Area Connection 1:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #38
   Physical Address. . . . . . . . . : D4-AE-52-BD-46-0E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9
                                       10.50.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{7904698C-ECA7-4841-97EF-7EBC2F1D9687}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655857
Can you post the output of the following commands:

1. run nslookup from command prompt
2. at the nslookup prompt type:  set type=NS hit enter
3. at the nslookup prompt type:  huddle.local

how many NS records are listed and is the IP on the list?

Also, I would look into your DNS zones to determine if this rogue address has a record in 1 of the following locations:

1. _msdcs.huddle.local
2. _tcp.<YourDomainGuid>.domains._msdcs.huddle.local
3. gc._msdcs.huddle.local
4. huddle.local {here look specifically for an A record and/or an NS record}
5. check the SOA record of the domain.  Look on the Name Servers tab for an entry with the IP in question

Dan
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655867
6 name servers are listed for the domain, some of which are old DCs that have been decommissioned.

5 "internet addresses" are listed underneath. The WAN IP is there, yes.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655887
The WAN IP record is present under the name servers within _msdcs.huddle.local and huddle.local.

Attachment: dns2.png

It is also an A record within huddle.local, alongside the PDC.

The SOA points to the PDC, which obviously has the entry.
 
LVL 29

Accepted Solution

by:Dan McFadden (earned 2000 total points)
ID: 40655890
It appears that no one ever ran a metadata cleanup on the domain when deactivating/demoting DCs.

There should only be DNS entries for DCs that are live.

I would read thru the following article on cleaning up old entries in AD and AD integrated DNS:

link = https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

I would also check to see if DNS scavenging is enabled.  If not, I would turn it on:

link = https://technet.microsoft.com/en-us/library/cc770850.aspx

Dan
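An added example, not Dan's code or anything from the linked Microsoft articles, that automates the checks Dan lists above (NS records for the domain, records under _msdcs, apex A records) and the accepted solution's point that only live DCs should have entries. It compares the zone's NS and apex A records with the domain controllers AD still knows about, so leftovers from DCs that were never cleaned up stand out, and it reports the zone's dynamic-update setting as a side check. It assumes the DnsServer and ActiveDirectory modules (RSAT) on a DC or admin workstation; huddle.local is the zone name from the thread.

```powershell
# Added example (not from the thread): find NS and apex A records in an
# AD-integrated zone that do not belong to a live domain controller.
Import-Module DnsServer
Import-Module ActiveDirectory

$zone = 'huddle.local'   # zone name from the thread; substitute your own

# Normalise a DNS name for comparison: lowercase, no trailing dot.
function ConvertTo-CanonicalName([string]$Name) { return $Name.ToLower().TrimEnd('.') }

# Domain controllers that AD still knows about, with their IPv4 addresses.
$dcs     = Get-ADDomainController -Filter *
$liveDcs = @($dcs | ForEach-Object { ConvertTo-CanonicalName $_.HostName })
$liveIps = @($dcs | ForEach-Object { $_.IPv4Address })

# Zones to inspect: the domain zone and _msdcs, which is its own zone in most forests.
$zonesToCheck = @($zone)
if (Get-DnsServerZone -Name "_msdcs.$zone" -ErrorAction SilentlyContinue) {
    $zonesToCheck += "_msdcs.$zone"
}

$stale = foreach ($z in $zonesToCheck) {
    # NS records at the zone apex ('@'): each should name a live DC.
    Get-DnsServerResourceRecord -ZoneName $z -Name '@' -RRType NS -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ns = ConvertTo-CanonicalName $_.RecordData.NameServer
            if ($liveDcs -notcontains $ns) {
                [pscustomobject]@{ Zone = $z; Type = 'NS'; Value = $ns }
            }
        }
    # Apex A records ("(same as parent folder)"): each should be a live DC's IP.
    Get-DnsServerResourceRecord -ZoneName $z -Name '@' -RRType A -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = $_.RecordData.IPv4Address.IPAddressToString
            if ($liveIps -notcontains $ip) {
                [pscustomobject]@{ Zone = $z; Type = 'A'; Value = $ip }
            }
        }
}

# Side check: the zone should accept secure dynamic updates only.
"Dynamic updates on ${zone}: $((Get-DnsServerZone -Name $zone).DynamicUpdate)"

if ($stale) {
    "Records not matching a live DC:"
    $stale | Format-Table -AutoSize
} else {
    "No stale NS or apex A records in $($zonesToCheck -join ', ')"
}
```

A WAN address showing up as a stale apex A record, or a decommissioned DC showing up as a stale NS, is exactly the picture the thread describes; the metadata cleanup article Dan links is the procedure for removing the DC objects themselves, after which the DNS records can be deleted without reappearing.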
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40655893
Remove the offending IP.
 
LVL 1

Author Comment

by:SimonBrook
ID: 40655895
It won't let me. It comes back after applying.
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40656070
Make sure when you are working on the issue that you are using an account that has Domain Admin permissions.

I would read thru the articles I posted and follow the processes therein.

Dan
 
LVL 1

Assisted Solution

by:SimonBrook
SimonBrook earned 0 total points
ID: 40656901
OK

I have managed to fix the issue with the incorrect static entry pointing to our PDC.

On the PDC there was a registry key
HKLM\System\ControlSet001\Services\DNS\Parameters\PublishAddress

Which had the offending 31.*.*.200 address listed within. I removed the 31 address from the registry key and rebooted the machine. It has since removed itself from DNS.

Thanks for your input.
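An added example (not Simon's code) that checks every DNS server for the registry setting Simon found. The documented DNS Server value is PublishAddresses (plural), a REG_SZ list of addresses the server registers in place of its interface addresses, under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters; the thread quotes the path as ControlSet001\...\PublishAddress, so the script reads both names. It assumes every domain controller runs DNS and that WinRM remoting is available to them; each address found is compared with the addresses actually bound on that server so a foreign one, such as a WAN IP, is flagged.

```powershell
# Added example (not from the thread): report PublishAddresses settings on
# each DNS server and flag addresses that are not bound to a local NIC.
Import-Module ActiveDirectory

# Assumption: every DC runs the DNS Server role.
$dnsServers = @((Get-ADDomainController -Filter *).HostName)

$results = Invoke-Command -ComputerName $dnsServers -ScriptBlock {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Addresses actually configured on this server's IP-enabled adapters.
    $local = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
               ForEach-Object { $_.IPAddress })

    # Documented name first, then the spelling given in the thread.
    foreach ($name in 'PublishAddresses', 'PublishAddress') {
        $value = $props.$name
        if ($null -ne $value) {
            # REG_SZ holds a space-separated list; tolerate REG_MULTI_SZ arrays too.
            $addrs = ((@($value) -join ' ') -split '\s+') | Where-Object { $_ }
            foreach ($a in $addrs) {
                [pscustomobject]@{
                    Server     = $env:COMPUTERNAME
                    ValueName  = $name
                    Address    = $a
                    OnLocalNic = [bool]($local -contains $a)
                }
            }
        }
    }
}

if ($results) {
    $results | Sort-Object Server | Format-Table Server, ValueName, Address, OnLocalNic -AutoSize
} else {
    "No PublishAddresses/PublishAddress value set on: $($dnsServers -join ', ')"
}
```

A row with OnLocalNic false is the situation in the thread: the DNS service re-registers whatever is in that value every time it starts or refreshes its records, regardless of what ipconfig shows, which is why deleting the record from the zone never held.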