Wandering DNS entry

Giganews Newsgroups
Subject: Wandering DNS entry
Posted by:  Christopher A. Newell (infosyste…@shiawassee.net)
Date: Thu, 20 Sep 2007

I posted on this a couple of weeks ago and then the problem "appeared" to
clear up for a while.

This appeared to be a very sporadic problem, but as I look more closely it
seems to be more prevalent than I had imagined.

I have a medium-small, but moderately complex network configured in 7 logical
segments, each operating on its own IP subnet.  In three of the segments,
dynamically addressed PCs are transiently losing their DNS entries, with
multiple local DNS servers being replaced by 168.95.1.1, an operating DNS
server in Taiwan.  (In fact, the only service answering on about half of the
168.95.1.x subnet is DNS.)  The loss of the correct DNS entries disrupts the
client's network connectivity until the configuration is restored (all
Internet access for user PCs is through a proxy server; our firewall
prevents any client address from communicating with the Internet in any
other way, so the affected PC gets no response at all).  "ipconfig /renew"
seems to correct the problem, as does restarting the PC.

As a temporary workaround, I have assigned the outside IP to one of my
internal DNS servers and routed all requests for that IP to the correct LAN
address.  This is preserving my users' connectivity but is eliminating their
calls for help to notify me.

After implementing the temporary solution, I have been monitoring detailed
traffic on the DNS server, only to find that inquiries using the off-site IP
are almost constant.  It seems like there is one PC, occasionally two, using
that IP for DNS (and SMB and a few other protocols) just about all the time,
although the issue seems to move from computer to computer at no
identifiable interval.  Apparently, either some of the users are
experiencing problems and just restarting, or the DNS error is not lasting
long enough to cause them to actually see the connectivity loss.

These PCs are in three different network segments, broken up at Layer 3,
configured by three different DHCP servers (although all are in the same AD
forest).  Before I identified the problem as being present in three different
segments, I tried stopping the known DHCP server and trying to obtain
address information - no rogue DHCP apparent.  We are using 128 WEP on a
small number of wireless APs, but I have ruled out a customer notebook with
an ICS configuration running.

I have run thorough spyware and AV scans of some of the affected PCs with
no notable results (CA-ITM and Spybot S&D).  Statically addressed PCs are not
affected, and one IP subnet that is dynamically addressed but operates in an
independent AD domain also seems to be OK.

Has anybody else ever seen anything remotely like this?

Any ideas what I can look at to figure out where a changing DNS IP could be
getting injected into the system, across routers?

I think that I would have gotten an incorrect IP configuration if I had a
hardware-based DHCP server on the LAN (like a SOHO router), but it may bear noting
that a search on that IP reveals it to be one of the most commonly
referenced publicly accessible DNS servers.  The IP appears in many pieces
of hardware documentation (again, like SOHO gateways).
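
One check a practitioner would want for the situation described in the post above (DHCP clients ending up with 168.95.1.1 as their DNS server) is to audit every DHCP OFFER/ACK seen on the affected segments and flag any reply whose DNS-server option (option 6) or server identifier (option 54) is not on an allowlist of the internal servers. The script below is an added example, not code from the original post: it builds two constructed DHCP replies (the 10.0.x.x addresses are hypothetical; 168.95.1.1 is the address from the post), parses the DHCP option field and reports anything off the allowlist. In practice the payload passed to `audit_dhcp_reply` is the UDP payload of replies captured on the client port (udp port 68) on the affected segment, which requires a capture point that actually sees those replies (a span port or a sniffer on the segment), since unicast DHCP replies are not seen by other hosts. It only covers DNS settings handed out over DHCP; a client whose settings are rewritten locally by software would not show up here.

```python
"""Added example: audit DHCP OFFER/ACK replies for an unexpected DNS server
(option 6) or an unexpected DHCP server identifier (option 54).

The packets built below are constructed for the demo; the internal addresses
are hypothetical, 168.95.1.1 is the address reported in the post."""
import socket
import struct
from typing import Dict, List, Optional

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie that precedes the options
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5


def build_dhcp_reply(xid: int, yiaddr: str, server_id: str,
                     dns_servers: List[str], msg_type: int = DHCPOFFER) -> bytes:
    """Test helper: a minimal BOOTREPLY carrying options 53, 54 and 6."""
    ip = socket.inet_aton
    # Fixed 236-byte BOOTP header: op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0,
    # xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file.
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, ip(yiaddr), ip(server_id), b"\0" * 4,
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    options += bytes([OPT_SERVER_ID, 4]) + ip(server_id)
    options += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(ip(d) for d in dns_servers)
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Return {option code: raw value}. Repeated codes are concatenated (RFC 3396);
    option overload (52) is not handled."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload (bad length or magic cookie)")
    opts: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def audit_dhcp_reply(payload: bytes, allowed_dns: List[str],
                     allowed_servers: List[str]) -> Optional[dict]:
    """Inspect one DHCP reply. Returns None for anything other than OFFER/ACK,
    otherwise a summary whose 'findings' list is empty when all is on the allowlist."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"\0")[0]
    if msg_type not in (DHCPOFFER, DHCPACK):
        return None
    raw_dns = opts.get(OPT_DNS, b"")
    # Option 6 is a list of 4-byte addresses; a trailing partial address is ignored.
    dns = [socket.inet_ntoa(raw_dns[k:k + 4]) for k in range(0, len(raw_dns) - 3, 4)]
    server_id = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    findings = []
    if server_id not in allowed_servers:
        findings.append(f"reply from unlisted DHCP server identifier {server_id}")
    for d in dns:
        if d not in allowed_dns:
            findings.append(f"DNS server {d} is not an internal resolver")
    return {"type": "OFFER" if msg_type == DHCPOFFER else "ACK",
            "server_id": server_id, "dns": dns, "findings": findings}


# Constructed samples (hypothetical internal addresses).
INTERNAL_DNS = ["10.0.1.5", "10.0.2.5"]
INTERNAL_DHCP = ["10.0.1.5"]
GOOD_OFFER = build_dhcp_reply(0x1234, "10.0.1.77", "10.0.1.5", INTERNAL_DNS)
BAD_ACK = build_dhcp_reply(0x1235, "10.0.1.78", "10.0.1.254", ["168.95.1.1"], DHCPACK)

if __name__ == "__main__":
    for name, pkt in (("good offer", GOOD_OFFER), ("bad ack", BAD_ACK)):
        print(name, audit_dhcp_reply(pkt, INTERNAL_DNS, INTERNAL_DHCP))
```

Running it as-is reports no findings for the first packet and two for the second (an unlisted server identifier and the 168.95.1.1 resolver). If a capture on the affected segments never shows such a reply while clients still end up with the outside address, the DHCP path is cleared and the change is happening on the client itself.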
