Solved

DNS Issue - incorrect IP shown for host

Posted on 2016-08-28
Last Modified: 2016-09-03
We have a situation where one of our Windows 2012 servers (SERVER_A) had the wrong address for another Windows 2012 server (SERVER_B).  It was wildly wrong, with the leading octet being wrong.  The DNS server was reporting the correct address for SERVER_B and, after flushing DNS, SERVER_A is now fine.

My question is how could this happen?  I've checked the hosts file on SERVER_A and nothing relevant there.



DNS Issue
0
Question by:canuckconsulting
12 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 41773664
When it reports incorrectly again, run IPCONFIG /DISPLAYDNS to see how the incorrect IP was resolved and cached.

BTW, did you try a reverse check against the incorrect IP ever reported? Was its domain name related to your business?
0
 

Author Comment

by:canuckconsulting
ID: 41773679
Following your advice, that IP address is the DNS server for the hosting company our virtual server is located on.  Now below I logged back on to SERVER_A and tested the connection to its DC, verifying it is set correctly to BBCDC07.  The IP address shows correctly via DNS but when I ping it I get the same IP address I was getting in my first post.  Something very screwy is going on but I'm unsure how to dig deeper.

bbcdc07.png
Here are the results of the DisplayDNS you mentioned:

DisplayDNS
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41773691
Have you tried to flush the DNS cache on the server that is not resolving the correct IP?

[code]ipconfig /flushdns[/code]
0
 

Author Comment

by:canuckconsulting
ID: 41773698
Yes, that was the third command shown in my first post.  As noted, it resolved the first issue but not the issue shown in my previous post.
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 41773733
You mention a VM in your question. How many NIC adapters are on that server? And are all of them reporting back to your DNS server?

Also, is the IP you are seeing one from your ISP?
0
 
LVL 37

Assisted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 250 total points
ID: 41773890
It is interesting. It seems caused by inconsistent internal and external DNS records.

I speculate the IP 12.xxx.xx.16 does NOT belong to any servicing host of your environment. It is just a spare IP for ANY unknown host under bbxxxxxtd.com or ANY host NOT resolved by the domain's name servers ns21.woxxxxic.com and ns22.woxxxxic.com. Feel free to try any random characters before ".bbxxxxxtd.com"; you will see the exact SAME IP in the PING results.

I reckon the above two name servers (of your client?) are NOT properly configured to reflect internal changes, hence some external IPs of working hosts are missing on the external name servers, though their internal IPs can be correctly resolved by internal DNS servers (such as BBCDC07). Some things outside of your NAT are not complete.

According to my DNS health check, the two name servers don't even have correct PTR records for themselves and SOA records for the DNS zone. Better have a check against the two servers and fix the issues.

FYI - you didn't properly mask all domain names in your previous screenshot and it did help me to test the given names from my side. :)
0
 

Author Comment

by:canuckconsulting
ID: 41774576
yo_bee - On both the DC and the client machine I only see a single network adapter as below:

Adapter

Bing CISM / CISSP - Thanks for the info and I'm very embarrassed to have botched my masking!

Pinging an unknown host results in "could not find host" as shown below.  I think this behaviour is correct.

Ping unknown host
How did you perform the DNS health check?  Unfortunately I have limited experience with DNS so am struggling with the basics.  If I could reproduce your health check perhaps I could interpret and highlight the issues with management to justify getting some external help.
0
 
LVL 25

Assisted Solution

by:DrDave242
DrDave242 earned 250 total points
ID: 41776672
I'm jumping in a little late here, but I can confirm a few things. I queried both of the listed name servers (ns21.worldnic.com and ns22.worldnic.com) for the domain shown in your output above to see if either of them had a record for bbcdc07.<domain>.com. Both of them returned the 12.x.x.161 address. I then queried both of them for blahblah.<domain>.com and got the same address in the response. There is apparently a wildcard record on those name servers for *.domain.com.

Is your internal (AD) domain also named bb*****td.com? If so, that's why your ping test above returned "Could not find host," as the internal DNS servers don't have that record.

It appears that something in the domain (most likely SERVER_A) is not configured to use the internal DNS servers exclusively. As a result, it queried a public DNS server for bbcdc07.<domain>.com, got the 12.x.x.161 address of the wildcard record in the response, and cached it.
1
 
LVL 16

Expert Comment

by:Learnctx
ID: 41779107
Do you use WINS? Ping will use the result returned from local cache if cached, or from your WINS/DNS servers. Whichever service replies quicker wins. Is the server multi-homed (has multiple NICs)? If it is, make sure only the IP you want registering an address is set to register its record in DNS.
0
 

Author Comment

by:canuckconsulting
ID: 41779423
DrDave242 - Yes, our internal AD domain is named bb*****td.com.  Your conclusion re an external DNS being unsuccessfully queried for an internal address makes sense to me but I don't see how it happened.  Below shows the four DNS servers configured on SERVER_A.  The last two DNS servers are unaware of local addresses but time out instead of returning the 12.x.x.161.
DNS Servers
Learnctx - No, WINS is not configured and we only have one nic on SERVER_A.

WINS
0
 
LVL 25

Accepted Solution

by:DrDave242
DrDave242 earned 250 total points
ID: 41781816
The last two DNS servers are unaware of local addresses but time out instead of returning the 12.x.x.161.

Those timeouts aren't normal behavior. If a DNS server isn't able to answer a query authoritatively, provide a referral, or forward the query somewhere else, it's supposed to return an NXDOMAIN response ("No such domain," or in other words, "I don't have an answer myself and can't tell you where you might find one") rather than timing out. A timeout typically occurs when the server is blocked by a firewall, its DNS service is stopped, or it isn't a DNS server at all. This is an important distinction, because timeouts will cause a DNS client to query the next DNS server in its list, while NXDOMAIN responses won't. (Nslookup won't query another server, though; it's not designed to do that.)

The upshot of all of this is that those two DNS servers that aren't aware of internal addresses shouldn't be used by SERVER_A at all. It, and all of the other machines in your domain, should only use your internal DNS servers. Those DNS servers can be configured to forward unresolved queries elsewhere, though.
0
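As an added example (not code from this thread), a small Python probe that sends one A query to a single DNS server with no fallback, the way nslookup does, and classifies the reply as ANSWER, NXDOMAIN, NODATA or TIMEOUT, so the distinction DrDave242 draws above can be checked per server in SERVER_A's list. Server addresses and the name bbcdc07.example.com are placeholders to replace with the real DNS servers and the DC's internal FQDN.

```python
import random
import socket
import struct

def build_query(name, tid=None):
    """Standard recursive A query (RD=1); returns (transaction id, wire bytes)."""
    tid = random.randint(0, 0xFFFF) if tid is None else tid
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return tid, header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while (length := data[pos]) and not length & 0xC0:
        pos += 1 + length
    return pos + (2 if data[pos] & 0xC0 else 1)

def classify_response(tid, data):
    """Map a raw reply to (status, first A address or None)."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != tid:                      # reply does not match our query
        return "ID_MISMATCH", None
    rcode = flags & 0x000F
    if rcode:                           # 3 = NXDOMAIN: the client stops here
        return ("NXDOMAIN" if rcode == 3 else "RCODE_%d" % rcode), None
    pos = 12
    for _ in range(qdcount):            # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    for _ in range(ancount):            # first A record in the answer section
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return "ANSWER", socket.inet_ntoa(data[pos:pos + 4])
        pos += rdlen
    return "NODATA", None

def probe(server, name, timeout=2.0):
    """One UDP query to a single server with no fallback, as nslookup does."""
    tid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", None      # a client would try its next server
    return classify_response(tid, data)
```

Calling probe(server, "bbcdc07.example.com") and then probe(server, "<random label>.example.com") against each configured server reproduces DrDave242's wildcard check: a server that returns the same address for both is answering from a *.domain wildcard rather than an internal record, and a server that returns TIMEOUT rather than NXDOMAIN is the one that lets the client fall through to the next entry in its list.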
 

Author Closing Comment

by:canuckconsulting
ID: 41783226
Thanks for the help guys; I hope the point distribution is fair.
0
