TimMcGrath
asked on
nslookup Results
Greetings,
I have a weird issue when doing an nslookup for some of our external DNS records. If I do a command-line nslookup using 8.8.8.8, all my records come back showing the results as 195.22.26.248. I have tested this from several computers off our network. Even from home computers the results are the same. If I use an nslookup tool online I get the correct results. Even using DNS servers from local ISPs I get the 195.x results.
If you look at the actual DNS records through your registrar (or whoever is hosting), what shows there?
That seems to be a malicious IP, perhaps an infection
https://ransomwaretracker.abuse.ch/ip/195.22.26.248/
ASKER
Our actual DNS records are all correct. Just checked with the external entity that hosts our records.
I did see that the IP address is a malicious IP.
I have tested this on machines that are not a part of our network and got the same results.
Is it possible that it's an issue with the organization hosting our DNS records?
ASKER
Also to note... If I do an nslookup internally..... the results are as expected.
Sounds like DNS poisoning. Flush the DNS cache for all of your machines, and enable DNSSEC if feasible.
ASKER
Here are the results from an nslookup. 204.13.204.3 is the DNS server of the organization that hosts our external records. Results are as expected. If I use Google's DNS, the result is that IP address.
> server 204.13.204.3
Default Server: dns3.dciu.net
Address: 204.13.204.3
> ckr01.chichestersd.org
Server: dns3.dciu.net
Address: 204.13.204.3
*** dns3.dciu.net can't find ckr01.chichestersd.org: Non-existent domain
> mail.chichestersd.org
Server: dns3.dciu.net
Address: 204.13.204.3
Name: mail.chichestersd.org
Address: 204.13.204.98
> server 8.8.8.8
Default Server: [8.8.8.8]
Address: 8.8.8.8
> mail.chichestersd.org
Server: [8.8.8.8]
Address: 8.8.8.8
Non-authoritative answer:
Name: mail.chichestersd.org.chi-sd.com
Address: 195.22.26.248
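Two things are visible in the transcript above that are worth checking mechanically rather than by eye: the 8.8.8.8 answer carries a Name line that is longer than the name that was typed (a suffix was appended by the client before the query went out), and the two servers return different addresses for what the asker typed as the same name. The script below is an added example, not part of the original post: it parses an nslookup session in the format shown (constructed here from the post's own output; the appended domain is read as chi-sd.com, which assumes the space in the extracted text after "chi-" is an artifact) and reports both conditions. Re-querying with a trailing dot (mail.chichestersd.org.) tells nslookup and dig the name is fully qualified, so no search suffix is appended and the two servers can be compared on the same question.

```python
"""Audit an nslookup transcript for appended suffixes and resolver disagreements."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the interactive session from the post above, with the
# queried names, the Name: lines and the error line reproduced. The appended
# domain "chi-sd.com" is an assumption about the extracted text.
SAMPLE_TRANSCRIPT = """\
> server 204.13.204.3
Default Server: dns3.dciu.net
Address: 204.13.204.3
> ckr01.chichestersd.org
Server: dns3.dciu.net
Address: 204.13.204.3
*** dns3.dciu.net can't find ckr01.chichestersd.org: Non-existent domain
> mail.chichestersd.org
Server: dns3.dciu.net
Address: 204.13.204.3
Name: mail.chichestersd.org
Address: 204.13.204.98
> server 8.8.8.8
Default Server: [8.8.8.8]
Address: 8.8.8.8
> mail.chichestersd.org
Server: [8.8.8.8]
Address: 8.8.8.8
Non-authoritative answer:
Name: mail.chichestersd.org.chi-sd.com
Address: 195.22.26.248
"""


@dataclass
class Lookup:
    server: str                     # server in use when the name was typed
    queried: str                    # exactly what was typed at the > prompt
    answered: Optional[str] = None  # the Name: line nslookup printed, if any
    addresses: list = field(default_factory=list)
    error: Optional[str] = None     # the *** line, if the lookup failed


def parse_nslookup_transcript(text: str) -> list[Lookup]:
    """Turn an interactive nslookup session into one Lookup per queried name."""
    lookups: list[Lookup] = []
    server = "default"
    current: Optional[Lookup] = None
    in_answer = False  # True once a Name: line has been seen for this lookup
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("> "):
            cmd = line[2:].strip()
            if cmd.startswith("server "):
                server = cmd.split(None, 1)[1]
                current = None          # Default Server/Address echo follows
            else:
                current = Lookup(server=server, queried=cmd)
                lookups.append(current)
                in_answer = False
            continue
        if current is None:
            continue
        if line.startswith("Name:"):
            current.answered = line.split(":", 1)[1].strip()
            in_answer = True
        elif line.startswith(("Address:", "Addresses:")) and in_answer:
            # Address: lines before Name: belong to the server, not the answer
            current.addresses.append(line.split(":", 1)[1].strip())
        elif in_answer and re.fullmatch(r"[0-9a-fA-F.:]+", line):
            current.addresses.append(line)  # indented continuation address
        elif line.startswith("***"):
            current.error = line
    return lookups


def appended_suffix(lookup: Lookup) -> Optional[str]:
    """Return the labels nslookup appended to the typed name, or None."""
    if lookup.answered is None:
        return None
    q = lookup.queried.rstrip(".").lower()
    a = lookup.answered.rstrip(".").lower()
    if a != q and a.startswith(q + "."):
        return a[len(q) + 1:]
    return None


def disagreements(lookups: list[Lookup]) -> list[tuple[str, dict]]:
    """Names whose address set differs depending on which server answered."""
    by_name: dict[str, dict[str, list]] = {}
    for lk in lookups:
        if lk.addresses:
            key = lk.queried.rstrip(".").lower()
            by_name.setdefault(key, {})[lk.server] = sorted(lk.addresses)
    return [(n, s) for n, s in by_name.items()
            if len({tuple(v) for v in s.values()}) > 1]


def audit(text: str) -> list[str]:
    """Human-readable findings for a transcript."""
    lookups = parse_nslookup_transcript(text)
    findings = []
    for lk in lookups:
        sfx = appended_suffix(lk)
        if sfx:
            findings.append(f"{lk.server}: '{lk.queried}' was resolved as "
                            f"'{lk.answered}' (suffix '{sfx}' appended); "
                            f"retry as '{lk.queried.rstrip('.')}.' to disable suffix search")
    for name, per_server in disagreements(lookups):
        findings.append(f"'{name}' differs by server: {per_server}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_TRANSCRIPT):
        print(line)
```

Run it on a pasted session and act on the two kinds of finding separately: an appended suffix is a client-side configuration question (which search domain is set, and why a wildcard in that domain answers), while a genuine per-server disagreement on a fully qualified name is the case to raise with the DNS host.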
"Is it possible that it's an issue with the organization hosting our DNS records?"
Seems that way.
In a word, yes.
ASKER
Thank you for your help. We actually found that our content filter had a proxy service enabled and was allowing people to use the device as a proxy. This was causing a lot of issues, as you can imagine. Once the service was disabled, the issue was resolved.