Nslookup problem


Guest

I have two Win 2000 DNS servers, one primary and a secondary server. When I do
an nslookup to one of our internal servers with its FQDN it returns an address
of domainname.co.uk.co.uk and an IP address and a DNS name of a domain that
has nothing to do with our domain. I'm worried our DNS servers have been
spoofed and what can I do about it. I have two forwarders to our ISP's
recommended DNS servers and they have checked from their primary DNS server we
point to and it returns the correct address when they perform an nslookup.
If I perform an nslookup from our secondary server it returns the correct
address. Can anyone please help me on this??
 
soulwaxer said:
I have two Win 2000 DNS servers, one primary and a secondary server.
When I do an nslookup to one of our internal servers with its FQDN it
returns an address of domainname.co.uk.co.uk and an IP address and a
DNS name of a domain that has nothing to do with our domain. I'm
worried our DNS servers have been spoofed and what can I do about it.
I have two forwarders to our ISP's recommended DNS servers and they
have checked from their primary DNS server we point to and it
returns the correct address when they perform an nslookup. If I
perform an nslookup from our secondary server it returns the correct
address. Can anyone please help me on this??

Without seeing your ipconfig /all I'm going to bet this is a wildcard record
issue showing up due to the Primary DNS suffix devolution.

In TCP/IP properties, on the DNS tab, clearing the check box for "Append parent
suffixes of the Primary DNS suffix" will likely clear this up. If it does,
you can make this setting to XP clients in the Default domain group policy.
You will need to edit this policy from an XP client so as to upgrade the
group policies that come on Windows 2000 servers.
Upgrading Windows 2000 Group Policy for Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307900


Once you edit the policies from an XP client you will likely have to apply a
hotfix to the Windows 2000 server before you can edit the policies from the
server again. I don't think this update is included in any Service Pack for
Windows 2000.
http://support.microsoft.com/default.aspx?kbid=842933
 
Unfortunately it did not work. I cleared the check box but it still resolves the
wrong address from the primary domain controller.
 
soulwaxer said:
Unfortunately it did not work. I cleared the check box but it still
resolves the wrong address from the primary domain controller.

Can you post an unedited ipconfig /all from this machine?
 
I would rather not put an unedited ipconfig /all because it would advertise
our server info. Is there any information I can give you that would help you
diagnose the problem.
 
If it's any help, when I clear the cache and do an nslookup it comes back with
the right address but it takes a while and it shows DNS timeout was 2 seconds,
then it resolves the correct address. When I try it again I get the mystery
address ??
 
soulwaxer said:
I would rather not put an unedited ipconfig /all because it would
advertise our server info. Is there any information I can give you
that would help you diagnose the problem.
"Kevin D. Goodknecht Sr. [MVP]" wrote:

There should be no info of any use in your ipconfig /all if it is using only
private addresses as it should. The info I need is in the ipconfig /all,
items such as DNS server addresses, Primary and connection DNS suffixes, and
DNS suffix search lists do not give any information that should be of any
use externally. I'm looking at DNS suffix combinations that would be
forwarded by your DNS server.

This is common if your internal domain is something like domain.co.uk
because nslookup will devolve the domain name and search co.uk in DNS, which
would be forwarded to an external DNS server. You have to make sure that
co.uk is not in the DNS suffix search list, because co.uk could have a
matching record, even though it is not part of your domain.
 
soulwaxer said:
the .co.uk is in the DNS suffix search list how do I get rid of this ?

That is on my original reply, clear the check box, "Append parent suffixes
of the Primary DNS suffix"
Doing this causes only the primary DNS suffix and connection DNS suffix to
be appended to non-FQDN queries (no trailing dot), and not the parent
suffixes.
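
An added example, not part of the thread or any poster's code: a simplified Python model of how a name typed without a trailing dot is expanded with the primary DNS suffix and its parent suffixes, flagging the candidates that fall outside the internal zone and would therefore be forwarded. The host name `server1`, the function names, and the rule that devolution stops at two labels are assumptions for illustration.

```python
def devolved_suffixes(primary_suffix, append_parents=True, min_labels=2):
    """Search list from the primary DNS suffix, optionally with parent suffixes."""
    labels = primary_suffix.strip(".").lower().split(".")
    suffixes = [".".join(labels)]
    if append_parents:
        # Assumption: strip the leftmost label until only min_labels remain.
        while len(labels) > min_labels:
            labels = labels[1:]
            suffixes.append(".".join(labels))
    return suffixes


def candidate_queries(name, suffixes):
    """Names tried in order; a trailing dot suppresses suffix appending."""
    base = name.lower()
    if base.endswith("."):
        return [base]
    return [f"{base}.{s}." for s in suffixes] + [base + "."]


def leaves_namespace(query, internal_zone):
    """True if the query is outside the internal zone, so the server forwards it."""
    q = query.rstrip(".")
    z = internal_zone.strip(".").lower()
    return not (q == z or q.endswith("." + z))


def audit(name, primary_suffix, internal_zone, append_parents=True):
    """Return (query, forwarded_externally) for each candidate name."""
    suffixes = devolved_suffixes(primary_suffix, append_parents)
    return [(q, leaves_namespace(q, internal_zone))
            for q in candidate_queries(name, suffixes)]


if __name__ == "__main__":
    # Constructed inputs: hypothetical host in the thread's example domain.
    for label, host, parents in [
        ("parent suffixes on ", "server1.domain.co.uk", True),
        ("parent suffixes off", "server1.domain.co.uk", False),
        ("trailing dot       ", "server1.domain.co.uk.", True),
    ]:
        for query, external in audit(host, "domain.co.uk", "domain.co.uk", parents):
            flag = "FORWARDED (outside internal zone)" if external else "internal"
            print(f"{label}  {query:40} {flag}")
```

With parent suffixes appended, the second candidate is `server1.domain.co.uk.co.uk.`, the shape of name reported in the first post; with the box cleared or a trailing dot typed, no candidate leaves the internal zone.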
 