DNS Issue - incorrect IP shown for host

Posted on 2016-08-28
Last Modified: 2016-09-03
We have a situation where one of our Windows 2012 servers (SERVER_A) had the wrong address for another Windows 2012 server (SERVER_B). It was wildly wrong with the leading octet being wrong. The DNS server was reporting the correct address for SERVER_B and, after flushing DNS, SERVER_A is now fine.

My question is how could this happen?  I've checked the hosts file on SERVER_A and nothing relevant there.

DNS Issue
Question by:canuckconsulting
LVL 37

Expert Comment

ID: 41773664
when it reports incorrectly again, run IPCONFIG /DISPLAYDNS to see how the incorrect IP was resolved and cached.

BTW, did you try a reverse check against the incorrect IP ever reported? was its domain name related to your business?

Author Comment

ID: 41773679
Following your advice, that IP address is the DNS server for the hosting company our virtual server is located on. Now below I logged back on to SERVER_A and tested the connection to its DC, verifying it is set correctly to BBCDC07. The IP address shows correctly via DNS but when I ping it I get the same IP address I was getting in my first post. Something very screwy is going on but I'm unsure how to dig deeper.

Here's the results of the DisplayDNS you mentioned:

LVL 23

Expert Comment

ID: 41773691
Have you tried to flush the DNS cache on the server that is not resolving the correct IP?

[code]ipconfig /flushdns[/code]


Author Comment

ID: 41773698
Yes, that was the third command shown in my first post.  As noted, it resolved the first issue but not the issue shown in my previous post.
LVL 23

Expert Comment

ID: 41773733
You mention a VM in your question. How many NIC adapters are on that server? And are all of them reporting back to your DNS server?

Also, is the IP you are seeing one from your ISP?
LVL 37

Assisted Solution

bbao earned 250 total points
ID: 41773890
it is interesting. it seems caused by inconsistent internal and external DNS records.

I speculate the IP does NOT belong to any servicing host of your environment. it is just a spare IP for ANY unknown host under or ANY host NOT resolved by the domain's name servers and feel free to try any random characters before "", you will see the exact SAME IP from the PING results.

I reckon the above two name servers (of your client?) are NOT properly configured to reflect internal changes hence some external IPs of working hosts are missing on the external name servers, though their internal IPs can be correctly resolved by internal DNS servers (such as BBCDC07). some things outside of your NAT are not complete.

according to my DNS health check, the two name servers even don't have correct PTR records for themselves and SOA records for the DNS zone. better have a check against the two servers and fix the issues.

FYI - you didn't properly mask all domain names in your previous screenshot and it did help me to test the given names from my side. :)

Author Comment

ID: 41774576
yo_bee - On both the DC and the client machine I only see a single network adapter as below:


Bing CISM / CISSP - Thanks for the info and I'm very embarrassed to have botched my masking!

Pinging an unknown host results in "could not find host" as shown below.  I think this behaviour is correct.

Ping unknown host
How did you perform the DNS health check? Unfortunately I have limited experience with DNS so am struggling with the basics. If I could reproduce your health check perhaps I could interpret and highlight the issues with management to justify getting some external help.
LVL 26

Assisted Solution

DrDave242 earned 250 total points
ID: 41776672
I'm jumping in a little late here, but I can confirm a few things. I queried both of the listed name servers ( and for the domain shown in your output above to see if either of them had a record for bbcdc07.<domain>.com. Both of them returned the 12.x.x.161 address. I then queried both of them for blahblah.<domain>.com and got the same address in the response. There is apparently a wildcard record on those name servers for *

Is your internal (AD) domain also named bb***** If so, that's why your ping test above returned "Could not find host," as the internal DNS servers don't have that record.

It appears that something in the domain (most likely SERVER_A) is not configured to use the internal DNS servers exclusively. As a result, it queried a public DNS server for bbcdc07.<domain>.com, got the 12.x.x.161 address of the wildcard record in the response, and cached it.
LVL 17

Expert Comment

ID: 41779107
Do you use WINS? Ping will use the result returned from local cache if cached or from your WINS/DNS servers. Whichever service replies quicker wins. Is the server multi homed (has multiple NIC's)? If it is, make sure only the IP you want registering an address is set to register its record in DNS.

Author Comment

ID: 41779423
DrDave242 - Yes, our internal AD domain is named  bb*****  Your conclusion re an external DNS being unsuccessfully queried for an internal address makes sense to me but I don't see how it happened.  Below shows the four DNS servers configured on SERVER_A.  The last two DNS servers are unaware of local addresses but time out instead of return the 12.x.x.161.  
DNS Servers
Learnctx - No, WINS is not configured and we only have one nic on SERVER_A.

LVL 26

Accepted Solution

DrDave242 earned 250 total points
ID: 41781816
"The last two DNS servers are unaware of local addresses but time out instead of return the 12.x.x.161."

Those timeouts aren't normal behavior. If a DNS server isn't able to answer a query authoritatively, provide a referral, or forward the query somewhere else, it's supposed to return an NXDOMAIN response ("No such domain," or in other words, "I don't have an answer myself and can't tell you where you might find one") rather than timing out. A timeout typically occurs when the server is blocked by a firewall, its DNS service is stopped, or it isn't a DNS server at all. This is an important distinction, because timeouts will cause a DNS client to query the next DNS server in its list, while NXDOMAIN responses won't. (Nslookup won't query another server, though; it's not designed to do that.)

The upshot of all of this is that those two DNS servers that aren't aware of internal addresses shouldn't be used by SERVER_A at all. It, and all of the other machines in your domain, should only use your internal DNS servers. Those DNS servers can be configured to forward unresolved queries elsewhere, though.
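
Added example, not part of the original thread: a PowerShell check that asks every DNS server configured on a host for an internal name and for a random label in the same zone, separating answers, NXDOMAIN and timeouts and flagging the wildcard behaviour described in the answers above. The name `server-b.corp.example` and the helper `Test-DnsServerAnswer` are placeholders introduced here.

```powershell
# Added example, not from the thread. Requires the DnsClient module
# (Windows 8 / Server 2012 or later). $Name is a placeholder FQDN.
param([string]$Name = 'server-b.corp.example')

# Hypothetical helper: ask one server for A records and classify the outcome.
function Test-DnsServerAnswer {
    param([string]$Server, [string]$QueryName)
    try {
        $a = Resolve-DnsName -Name $QueryName -Server $Server -Type A `
                 -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        if ($a) { return (($a.IPAddress | Sort-Object) -join ',') }
        return 'NODATA'
    }
    catch {
        # Resolve-DnsName reports the Win32 DNS error name in FullyQualifiedErrorId.
        $id = $_.FullyQualifiedErrorId
        if ($id -like 'DNS_ERROR_RCODE_NAME_ERROR*') { return 'NXDOMAIN' }
        if ($id -like 'ERROR_TIMEOUT*')              { return 'TIMEOUT' }
        return "ERROR: $id"
    }
}

# Every IPv4 DNS server configured on any interface of this host.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique

# Random label in the same parent zone: an address for it means a wildcard record.
$parent = $Name.Substring($Name.IndexOf('.') + 1)
$probe  = 'wc-' + [guid]::NewGuid().ToString('N').Substring(0, 12) + ".$parent"

foreach ($s in $servers) {
    $real = Test-DnsServerAnswer -Server $s -QueryName $Name
    $rand = Test-DnsServerAnswer -Server $s -QueryName $probe
    $note = if ($rand -match '^\d') {
        'wildcard responder: returns an address for any name'
    } elseif ($real -eq 'TIMEOUT') {
        'timeout: the client moves on to the next server in its list'
    } elseif ($real -eq 'NXDOMAIN') {
        'NXDOMAIN: the client does not try the next server'
    } else { '' }
    [pscustomobject]@{ Server = $s; Answer = $real; RandomLabel = $rand; Note = $note }
}
```

A server that shows an address in the RandomLabel column, or that cannot answer for the internal name, is one that domain members should not have in their DNS server list according to the accepted answer.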

Author Closing Comment

ID: 41783226
Thanks for the help guys; I hope the point distribution is fair.
