Phantom DNS server

Thread starter: Dilan Weerasinghe

Dilan Weerasinghe

Hi NG,

We have noticed that several of our PCs suddenly seem to lose their
ability to browse the net, connect to our Exchange server etc. Basic
troubleshooting showed that although the actual connectivity was
there, name resolution seemed to be causing the problem, i.e. we could
ping internally/externally by IP address but not by name.

Checking the IPCONFIG showed that these machines, which are all set to
DHCP, seemed to be picking up a phantom DNS server as opposed to the
correct one, e.g. 192.168.1.12 as opposed to 192.168.1.1

Rebooting the machines resolves the problem.

When we try to ping the phantom DNS server, we do not get a reply.
That address itself is excluded from our DHCP range and is not
currently being used, so I have no idea why these workstations are
picking this same address all the time.

Has anyone experienced this before, or have any pointers? All other
settings in IPCONFIG are correct, and we have not made any changes to
our infrastructure/architecture recently.

Many TIA.

Regards
Dilan
 
Dilan Weerasinghe said:
Hi NG,

We have noticed that several of our PCs suddenly seem to
lose their ability to browse the net, connect to our
Exchange server etc. Basic troubleshooting showed that
although the actual connectivity was there, name
resolution seemed to be causing the problem, i.e. we
could ping internally/externally by IP address but not by
name.

Checking the IPCONFIG showed that these machines, which
are all set to DHCP, seemed to be picking up a phantom
DNS server as opposed to the correct one, e.g.
192.168.1.12 as opposed to 192.168.1.1

Rebooting the machines resolves the problem.

When we try to ping the phantom DNS server, we do not get
a reply. That address itself is excluded from our DHCP
range and is not currently being used, so I have no idea
why these workstations are picking this same address all
the time.

Has anyone experienced this before, or have any
pointers? All other settings in IPCONFIG are correct,
and we have not made any changes to our
infrastructure/architecture recently.

It is possible for your clients to get the DNS address from a Group Policy;
it would not show in ipconfig /all, but when running nslookup you will
get it.
You're saying that there is no machine at 192.168.1.12?
And that the DHCP server is publishing the address of the local DNS server
192.168.1.1 and not the IP of the router?
Are you using DHCP on the server or the router? (if you have a router)
 
Kevin D. Goodknecht Sr. said:

It is possible for your clients to get the DNS address from a Group Policy;
it would not show in ipconfig /all, but when running nslookup you will
get it.
You're saying that there is no machine at 192.168.1.12?
And that the DHCP server is publishing the address of the local DNS server
192.168.1.1 and not the IP of the router?
Are you using DHCP on the server or the router? (if you have a router)
Thanks for the reply.

No, there is no machine at all on 192.168.1.12, and the DHCP server is
configured correctly to give a DNS server address of 192.168.1.1.
We are using a DHCP server that has a different address altogether.

The strange thing is that this switch happens whilst a user is logged
on and has been for a while...not on machine start up or logon.

Any ideas?

Dilan
 
Dilan Weerasinghe said:
Thanks for the reply.

No, there is no machine at all on 192.168.1.12, and the DHCP server is
configured correctly to give a DNS server address of 192.168.1.1.
We are using a DHCP server that has a different address altogether.

The strange thing is that this switch happens whilst a user is logged
on and has been for a while...not on machine start up or logon.

Any ideas?

Dilan

I think we're going to need more info to help you out on this one.

Is 192.168.1.1 your router? If it is, is it a Windows machine or a 3rd party
router?

If you disable DHCP on the 192.168.1.1 machine, and then do an ipconfig
/release and then an ipconfig /renew, what DHCP server shows up in the
ipconfig /all?

Honestly, if 192.168.1.1 is not a Windows machine, it would be to your
advantage, and to AD and DNS' advantage, to use a Windows machine for DHCP
and DNS, since the two services and APIs are tied together for proper
dynamic registration performance and reliability.

If this is a Windows DHCP, did you set the Scope Option 006 and Server
Option 006?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
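Ace's questions come down to reading what ipconfig /all reports for each adapter: is DHCP enabled, which DHCP server answered, and which DNS servers were handed out. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from any poster. It parses ipconfig /all output (a constructed sample is embedded, using the addresses discussed in the thread) and flags DHCP-enabled adapters whose DNS servers or DHCP server are not the expected ones, so the check can be run on every workstation instead of reading screens by hand. The expected addresses and the Windows 2000/XP-era output layout it parses are assumptions.

```python
import ipaddress
import re

# Assumed "known good" values, taken from the network described in the thread.
EXPECTED_DNS = ["192.168.1.1", "192.168.1.2"]
EXPECTED_DHCP = "192.168.1.1"

# Constructed sample of `ipconfig /all` output (not captured from the thread's
# machines).  The first adapter shows the symptom: correct DHCP server, but an
# unexpected 192.168.1.10 at the head of the DNS server list.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS042
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.57
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       192.168.1.2
   Lease Obtained. . . . . . . . . . : Monday, 1 March 2004 08:02:11
   Lease Expires . . . . . . . . . . : Tuesday, 9 March 2004 08:02:11

Ethernet adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

# "Ethernet adapter Local Area Connection:" -> adapter name
ADAPTER_RE = re.compile(r"^(?P<kind>\S.*) adapter (?P<name>.+):$")
# "   DHCP Server . . . . . . . . . . . : 192.168.1.1" -> key / value
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 ()\-]*?)[ .]*: ?(?P<value>.*)$")
# Continuation lines (second DNS server etc.) are just a deeply indented value.
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field_name: [values...]}} from `ipconfig /all` output."""
    adapters = {}
    current = None
    last_key = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {})
            last_key = None
            continue
        if current is None:          # global header lines before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current.setdefault(last_key, []).append(m.group("value").strip())
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            current[last_key].append(m.group("value").strip())
    return adapters


def audit_dns(text, expected_dns, expected_dhcp=None):
    """Flag DHCP-enabled adapters whose DNS or DHCP server is not on the expected list."""
    expected = {ipaddress.ip_address(a) for a in expected_dns}
    findings = []
    for name, fields in parse_ipconfig(text).items():
        if fields.get("DHCP Enabled", [""])[0].lower() != "yes":
            continue                 # static or disconnected adapters are out of scope
        dns = [ipaddress.ip_address(v) for v in fields.get("DNS Servers", []) if v]
        unexpected = sorted(str(a) for a in dns if a not in expected)
        dhcp_server = fields.get("DHCP Server", [None])[0]
        if unexpected or (expected_dhcp and dhcp_server != expected_dhcp):
            findings.append({"adapter": name, "dhcp_server": dhcp_server,
                             "unexpected_dns": unexpected})
    return findings


if __name__ == "__main__":
    # Pipe real output in (`ipconfig /all | python audit.py`), else use the sample.
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPCONFIG
    for f in audit_dns(source, EXPECTED_DNS, EXPECTED_DHCP):
        print("%(adapter)s: DHCP server %(dhcp_server)s, unexpected DNS %(unexpected_dns)s" % f)
```

Run on the sample it reports the Local Area Connection adapter with 192.168.1.10 as the unexpected DNS server while the DHCP server is the expected 192.168.1.1, which is exactly the combination that later made the thread rule out a rogue DHCP server. Because it reads plain ipconfig output, the same script can be run against text collected from many workstations by a logon script to see how far the setting has spread.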
 
Ace Fekay said:

I think we're going to need more info to help you out on this one.

Is 192.168.1.1 your router? If it is, is it a Windows machine or a 3rd party
router?

If you disable DHCP on the 192.168.1.1 machine, and then do an ipconfig
/release and then an ipconfig /renew, what DHCP server shows up in the
ipconfig /all?

Honestly, if 192.168.1.1 is not a Windows machine, it would be to your
advantage, and to AD and DNS' advantage, to use a Windows machine for DHCP
and DNS, since the two services and APIs are tied together for proper
dynamic registration performance and reliability.

If this is a Windows DHCP, did you set the Scope Option 006 and Server
Option 006?


Ace,

To clarify;

Our network is configured as follows:

DHCP server: 192.168.1.1
DNS Servers: 192.168.1.1/ 192.168.1.2

(All above addresses are static)

All workstations are set to DHCP, and I've checked the scope options
on the DHCP server itself as regards DNS, and it points to the correct
addresses.

Our router is on a completely different address.

The problem is that, randomly, users seem to lose their internet
connection. As I mentioned before, the actual connectivity is there
but the fault lies with name resolution as we can ping
externally/internally by IP address but not by name. Checking the
IPCONFIG shows that the faulty machines are picking up 192.168.1.10 as
their DNS server, although all other settings are correct.
Rebooting the machines solves the problem until it happens again.
I understand that we could set the workstations to statically point at
the correct DNS servers, however this is a workaround, not a solution
and I'd like to find out what's causing this.
The faulty machines always pick up x.10 as the DNS server.
x.10 itself is excluded from our DHCP range for distribution, and is
also not currently being used, so I have no idea why they are picking
this address up as a DNS server.

Many thanks for your help
Dilan
 
Dilan Weerasinghe said:


Ace,

To clarify;

Our network is configured as follows:

DHCP server: 192.168.1.1
DNS Servers: 192.168.1.1/ 192.168.1.2

(All above addresses are static)

All workstations are set to DHCP, and I've checked the scope options
on the DHCP server itself as regards DNS, and it points to the correct
addresses.

Our router is on a completely different address.

The problem is that, randomly, users seem to lose their internet
connection. As I mentioned before, the actual connectivity is there
but the fault lies with name resolution as we can ping
externally/internally by IP address but not by name. Checking the
IPCONFIG shows that the faulty machines are picking up 192.168.1.10 as
their DNS server, although all other settings are correct.
Rebooting the machines solves the problem until it happens again.
I understand that we could set the workstations to statically point at
the correct DNS servers, however this is a workaround, not a solution
and I'd like to find out what's causing this.
The faulty machines always pick up x.10 as the DNS server.
x.10 itself is excluded from our DHCP range for distribution, and is
also not currently being used, so I have no idea why they are picking
this address up as a DNS server.

Many thanks for your help
Dilan

On the ipconfig for the machines with the bogus DNS address, what IP do they
show for the DHCP server?
 
Kevin D. Goodknecht Sr. said:
On the ipconfig for the machines with the bogus DNS address, what IP
do they show for the DHCP server?

Curious about that as well, when he gets the bogus DNS address.

Ace
 
Kevin D. Goodknecht Sr. said:
On the ipconfig for the machines with the bogus DNS address, what IP do they
show for the DHCP server?

Kevin,

They show the correct DHCP server (192.168.1.1). Would it have been
different, I would have assumed we had some sort of rogue DHCP machine
on the network giving out wrong DNS server info, but in all cases the
faulty machines are using the correct DHCP server.

Thanks
Dilan
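Dilan's reasoning here is the right one: if a rogue DHCP server were answering, the DHCP server shown by ipconfig would differ. That value comes from the server identifier option (54) in the OFFER/ACK, and the DNS list arrives in option 6, the "Option 006" Ace mentioned. The script below is an added example for this page, not code from the thread or from any poster; it decodes the option list of a DHCP reply taken from a UDP payload and flags replies whose sender or DNS servers are off an allowlist, so the question can be settled from a packet capture rather than from what the client remembers. The three sample packets are constructed inside the script, and the allowlist (192.168.1.1 as DHCP server, 192.168.1.1 and 192.168.1.2 as DNS) is assumed from Dilan's description of the network.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"     # marks the start of the DHCP option list
OPT_PAD, OPT_END = 0, 255
OPT_DNS_SERVERS = 6                    # "Option 006" in the thread
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54                     # server identifier: who answered the client
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

# Assumed allowlist, taken from the network described in the thread.
ALLOWED_DHCP_SERVERS = {"192.168.1.1"}
ALLOWED_DNS_SERVERS = {"192.168.1.1", "192.168.1.2"}


def parse_dhcp_options(payload):
    """Return {option_code: raw_bytes} from a BOOTP/DHCP payload (the UDP data).

    Handles the fixed 236-byte header, the magic cookie, pad and end options.
    Option overloading into the sname/file fields (option 52) is not handled.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header at offset %d" % i)
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d truncated" % code)
        options[code] = data           # a repeated option overwrites the earlier copy
        i += 2 + length
    return options


def ipv4_list(data):
    """Decode a run of 4-byte IPv4 addresses, the encoding used by options 6 and 54."""
    if len(data) % 4 != 0:
        raise ValueError("address list of %d bytes is not a multiple of 4" % len(data))
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def check_dhcp_reply(payload, allowed_servers=ALLOWED_DHCP_SERVERS,
                     allowed_dns=ALLOWED_DNS_SERVERS):
    """Classify one DHCP reply: message type, who sent it, and which DNS servers it pushes."""
    opts = parse_dhcp_options(payload)
    mt = opts.get(OPT_MESSAGE_TYPE, b"")
    msg_type = MESSAGE_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    server_id = ipv4_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    dns = ipv4_list(opts.get(OPT_DNS_SERVERS, b""))
    return {
        "type": msg_type,
        "server_id": server_id,
        "dns": dns,
        "rogue_server": server_id not in allowed_servers,
        "unexpected_dns": sorted(a for a in dns if a not in allowed_dns),
    }


def build_dhcp_reply(msg_type_code, server_id, dns_servers, yiaddr="192.168.1.57"):
    """Construct a minimal BOOTREPLY for testing; this is synthetic, not a real capture."""
    def ip(addr):
        return ipaddress.IPv4Address(addr).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                    # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,         # xid, secs, flags (broadcast bit set)
        b"\0" * 4,                     # ciaddr
        ip(yiaddr),                    # yiaddr: the address being handed out
        ip(server_id),                 # siaddr
        b"\0" * 4,                     # giaddr: zero, no relay agent (as in the thread)
        bytes.fromhex("000c29aabbcc").ljust(16, b"\0"),   # chaddr
        b"\0" * 64, b"\0" * 128)       # sname, file
    options = (bytes([OPT_MESSAGE_TYPE, 1, msg_type_code])
               + bytes([OPT_SERVER_ID, 4]) + ip(server_id)
               + bytes([OPT_DNS_SERVERS, 4 * len(dns_servers)])
               + b"".join(ip(a) for a in dns_servers)
               + bytes([OPT_PAD, OPT_END]))
    return header + MAGIC_COOKIE + options


# Constructed samples: a clean ACK, the thread's "phantom" case (right server,
# wrong DNS), and an OFFER from an address that should not be serving DHCP at all.
SAMPLES = {
    "good_ack": build_dhcp_reply(5, "192.168.1.1", ["192.168.1.1", "192.168.1.2"]),
    "phantom_dns": build_dhcp_reply(5, "192.168.1.1", ["192.168.1.10"]),
    "rogue_offer": build_dhcp_reply(2, "192.168.1.200", ["192.168.1.200"]),
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(name, check_dhcp_reply(packet))
```

In practice the payloads would be the UDP data of packets captured on ports 67/68 at the client or a span port; the "phantom_dns" sample reproduces what the thread describes (server identifier 192.168.1.1, option 6 carrying 192.168.1.10), and distinguishing that from the "rogue_offer" case is precisely the distinction Dilan draws from the DHCP Server field. A reply that sets an unexpected DNS server but comes from the legitimate server identifier points at the server's own option configuration, or at something else on the client, rather than at a second DHCP server.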
 
Dilan Weerasinghe said:
Kevin,

They show the correct DHCP server (192.168.1.1). Would it have been
different, I would have assumed we had some sort of rogue DHCP machine
on the network giving out wrong DNS server info, but in all cases the
faulty machines are using the correct DHCP server.

It has to be getting it from DHCP, a GPO and/or the registry.
 
Dilan Weerasinghe said:
Kevin,

They show the correct DHCP server (192.168.1.1). Would it have been
different, I would have assumed we had some sort of rogue DHCP machine
on the network giving out wrong DNS server info, but in all cases the
faulty machines are using the correct DHCP server.

Thanks
Dilan

One question, are you using a DHCP Relay agent?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace Fekay said:

One question, are you using a DHCP Relay agent?


Ace,

No, we aren't.

Regards
Dilan
 
Dilan Weerasinghe said:
Ace,

No, we aren't.

Regards
Dilan

Ok, I've seen this before with Relay Agents. Just to recap, there are no
errors in any machines' Event logs? It is strange that the Options are not
coming across. And you do not have any GPOs that would be overriding this or
registry entries in a GPO or the machine? Is there a VPN on the client? Or a
PPPoE connection or anything else? Personal firewall possibly?

Ace
 
Ace Fekay said:

Ok, I've seen this before with Relay Agents. Just to recap, there are no
errors in any machines' Event logs? It is strange that the Options are not
coming across. And you do not have any GPOs that would be overriding this or
registry entries in a GPO or the machine? Is there a VPN on the client? Or a
PPPoE connection or anything else? Personal firewall possibly?

Ace


Ace,

We've checked the event logs of the machines and, although there are
entries, these all relate to events that occur as a result of the
inability to resolve names. We don't have any GPOs that relate to DNS
settings, nor any of the other things you've mentioned.

Something that was brought up, however, was that the problems
initially started to occur around the time a third party came in to carry
out some work on one of our Cisco routers. We're checking this now, as
I'm led to believe that Cisco routers can also give out information
regarding DNS servers.

Whilst it was only one or two machines that picked up this incorrect
setting around the time of the router change, it has somehow spread to
the entire subnet, and we've had to manually configure our local DNS
servers into the TCP/IP properties of all our workstations.

I'll let you know how we get on...

Thanks for the continuing support - much appreciated
Dilan
 
Dilan Weerasinghe said:
Ace,

We've checked the event logs of the machines and, although there are
entries, these all relate to events that occur as a result of the
inability to resolve names. We don't have any GPOs that relate to DNS
settings, nor any of the other things you've mentioned.

Something that was brought up, however, was that the problems
initially started to occur around the time a third party came in to carry
out some work on one of our Cisco routers. We're checking this now, as
I'm led to believe that Cisco routers can also give out information
regarding DNS servers.

Whilst it was only one or two machines that picked up this incorrect
setting around the time of the router change, it has somehow spread to
the entire subnet, and we've had to manually configure our local DNS
servers into the TCP/IP properties of all our workstations.

I'll let you know how we get on...

Thanks for the continuing support - much appreciated
Dilan

Thanks for the update. Curious what you find out.

Ace
 