DHCP clients losing DNS entries


Guest Christopher A. Newell
Posted

Random (apparently) DHCP clients on my network are losing their DNS entries.
The users report what turn out to be connectivity problems with name-based
hosts (raw IP related ones obviously resolve just fine.)

IPCONFIG ends up revealing a single DNS server entry which is not on my
network. I have had several different values, but they all fall in the
16x.X.X.X format. (Today's most recent one was 168.95.1.1)

The user PCs are able to reconnect temporarily by executing ipconfig /renew
(or re-starting the system.)

This is 2003 Server, SP2 (although searching back in my memory, I seem to
recall similar incidents with SP 1 and native 2k3 Server.) Standard DHCP
server modules, typical configuration. There are 4 DNS servers in the
information handed out in the lease.

C. Newell
Shiawassee County, MI


Guest Mathieu CHATEAU
Posted

Re: DHCP clients losing DNS entries

Hello,

This DNS IP is assigned to:
(HiNet) Chunghwa Telecom Co., Ltd.

And it's a working public DNS server.
It may be:
- another network node that also distributes DHCP leases (router/firewall)
- a previous DHCP lease that the user got from home ADSL
Is there any Wi-Fi activated on the station?

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

 

 

"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:e25n%23uJ8HHA.2208@TK2MSFTNGP06.phx.gbl...

Guest Christopher A. Newell
Posted

Re: DHCP clients losing DNS entries

 

This is a medium-sized enterprise network. I am very comfortable saying
that there is not another device on the segment which should be providing
conflicting DHCP (although I will not say NEVER.)

The affected PCs are fixed desktop units, so an old lease from a different
network is not likely. They are all wired Ethernet. (I have a small number
of WiFi notebooks in use but they actually don't seem to be a problem. On
the other hand, this is so intermittent and they are such a small portion of
the total network that I just may not be hearing about it.)

The systems are obtaining a valid, complete configuration when they boot and
are then losing JUST the DNS entries (which is darned inconvenient as it
affects Internet, Active Directory, Exchange/Outlook, just about
everything.) After the systems lose connectivity, it can be restored by
executing "ipconfig /renew".

RECAP: This is after the system is up and running correctly. The users are
reporting a loss of most network connectivity. "ipconfig /all" shows all of
the entries correct as assigned by DHCP - EXCEPT the DNS, which has changed
from multiple servers within our network to a single IP which does not
appear to have any relationship to our network, usually a 168.x.x.x or
169.x.x.x. This has happened intermittently on multiple PCs running Windows
XP Pro (SP1 AND SP2) with DHCP provided by a Windows 2003 Server (DHCP
having been provided at different times by different physical servers at
both 2k3 SP1 and SP2.)

 

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:emRgzJK8HHA.3900@TK2MSFTNGP02.phx.gbl...

Guest Mathieu CHATEAU
Posted

Re: DHCP clients losing DNS entries

 

Hello,

If:
- stations are on DHCP (no manual DNS server)
- fixed (no Wi-Fi)
- you are sure about your DHCP server (config OK and no other one)

then it may be a virus or so. This DNS belongs to a Chinese ISP and you
don't seem to live in China.

Can you run Spybot Search & Destroy + antivirus?
Installing Windows Defender would be great too (for further protection).

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

 

 

"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:e4s0unL8HHA.5012@TK2MSFTNGP02.phx.gbl...

Guest Christopher A. Newell
Posted

Re: DHCP clients losing DNS entries

 

The client PCs are definitely totally DHCP.
Wired desktop, so they would not pick up a foreign DHCP from an unsecured
SOHO router.
I took the official, configured (i.e. the one I know about) DHCP server
temporarily off-line (paused) and tried to refresh IP information on a
couple of different PCs on the affected LAN segment. All came up with the
"default private" configuration (which includes NO DNS server entries)
confirming that there is no persistent competing DHCP server on the network.
We run CA's enterprise AV/AS solution, and the workstation that has been
most recently affected was a clean re-load (as in OS install fdisk and
format) within the last 60 days. Spybot is probably a good idea, and the
possibility of other malware sounds like a possibility. It would seem to
make sense to try to get PCs to go to bogus web sites by hijacking name
resolution.

Has anybody else heard of or seen anything like this? This would have to be
either a piece of malware running on the affected PC that is changing the
DNS post-lease or something running on another device on the LAN "pushing" a
change to JUST the DNS entries after the client had obtained a valid and
complete configuration from DHCP. I have not seen a device with a valid
lease automatically try to get new information (only at boot, if a "/renew"
command is issued, or if the lease is getting ready to expire.)

 

"Mathieu CHATEAU" <gollum123@free.fr> wrote in message
news:uI7JDnW8HHA.5752@TK2MSFTNGP04.phx.gbl...
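A check for the symptom described in the two posts above (the resolver list in "ipconfig /all" replaced by a single foreign address on an otherwise correct DHCP lease, and the APIPA "default private" configuration seen when the DHCP server was paused), written as an added example for this thread and not something either poster ran. It parses the text of "ipconfig /all" (XP/2003 layout; the "IPv4 Address" label and "(Preferred)" suffix of newer Windows are also handled) and compares each DHCP-configured adapter's DNS servers against the set the DHCP scope is supposed to hand out. The sample output, the adapter names and the 10.x addresses are constructed; only 168.95.1.1 comes from the thread.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed `ipconfig /all` output (XP/2003 layout). The 10.x addresses are
# placeholders; 168.95.1.1 is the foreign resolver reported in the thread.
# The three adapters stand in for three separate machines/situations.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WS-EXAMPLE

Ethernet adapter Healthy:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.2.34
        DHCP Server . . . . . . . . . . . : 10.1.0.5
        DNS Servers . . . . . . . . . . . : 10.1.0.10
                                            10.1.0.11
                                            10.1.0.12
                                            10.1.0.13
        Lease Obtained. . . . . . . . . . : Monday, July 02, 2007 8:00:00 AM

Ethernet adapter Hijacked:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.1.2.35
        DHCP Server . . . . . . . . . . . : 10.1.0.5
        DNS Servers . . . . . . . . . . . : 168.95.1.1

Ethernet adapter NoServer:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.23
        Default Gateway . . . . . . . . . :
"""

# The four in-network resolvers the DHCP scope hands out (placeholder values).
EXPECTED_DNS = {"10.1.0.10", "10.1.0.11", "10.1.0.12", "10.1.0.13"}

# A field line: indented key, dotted leader, colon, value. Continuation lines
# (the 2nd..nth DNS server) are indented but carry no dotted leader.
KEY_RE = re.compile(r"^\s+(?P<key>[^:.]+?) ?(?:\. ?)+:\s*(?P<val>.*)$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse ipconfig /all text into {section: {lower-case key: [values]}}."""
    sections: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    last_key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():               # "Ethernet adapter X:" header
            current = sections.setdefault(raw.strip().rstrip(":"), {})
            last_key = None
            continue
        m = KEY_RE.match(raw)
        if m:
            last_key = m.group("key").strip().lower()
            val = m.group("val").strip()
            current[last_key] = [val] if val else []
        elif last_key is not None:             # continuation of a multi-value field
            current[last_key].append(raw.strip())
    return sections


def _addr(value: str) -> str:
    """Strip the "(Preferred)" suffix that newer Windows versions print."""
    return re.sub(r"\(.*?\)", "", value).strip()


def is_public_resolver(addr: str) -> bool:
    """True when the resolver is globally routable (not RFC 1918, not APIPA)."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def classify_adapter(fields: Dict[str, List[str]], expected_dns) -> Tuple[str, List[str]]:
    """Return (status, foreign_dns_servers) for one adapter block."""
    if (fields.get("dhcp enabled") or [""])[0].lower() != "yes":
        return "static", []                    # manually configured; not this scenario
    addr = ""
    for key in ("autoconfiguration ip address", "autoconfiguration ipv4 address",
                "ip address", "ipv4 address"):
        if fields.get(key):
            addr = _addr(fields[key][0])
            break
    if addr.startswith("169.254."):
        return "apipa", []                     # no DHCP server answered (paused-server test)
    dns = [_addr(d) for d in fields.get("dns servers", [])]
    if not dns:
        return "no-dns", []
    foreign = [d for d in dns if d not in expected_dns]
    return ("foreign-dns", foreign) if foreign else ("ok", [])


def audit(text: str, expected_dns=EXPECTED_DNS) -> Dict[str, dict]:
    """Classify every DHCP-capable adapter; the global header block is skipped."""
    report = {}
    for name, fields in parse_ipconfig(text).items():
        if "dhcp enabled" not in fields:
            continue
        status, foreign = classify_adapter(fields, expected_dns)
        report[name] = {"status": status, "foreign": foreign,
                        "public": [d for d in foreign if is_public_resolver(d)]}
    return report


if __name__ == "__main__":
    for adapter, result in audit(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {result}")
```

Feed it the saved output of "ipconfig /all" from an affected workstation. A "foreign-dns" result on an adapter whose DHCP Server field still names the legitimate server is exactly the post-lease change described above, and points at the host (or something on its segment) rather than at the DHCP server's configuration; an "apipa" result reproduces what the paused-server test showed, i.e. no DHCP server at all answered.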

Guest Mathieu CHATEAU
Posted

Re: DHCP clients losing DNS entries

 

I found a French post about someone having the DNS server you mentioned
(168.95.1.1):
http://forum.telecharger.01net.com/telecharger/securite_virus_et_assimiles/virus/virus_video_activex_access-419755/messages-1.html

He was infected by Zlob.

--
Regards,
Mathieu CHATEAU
http://lordoftheping.blogspot.com

 

 

"Christopher A. Newell" <infosystems@shiawassee.net> wrote in message
news:%23$ARCFZ8HHA.1416@TK2MSFTNGP03.phx.gbl...

