False DNS Resolution - gator.com

 
 
Denis
07-09-2009

Hello,

We have Windows 2003 Active Directory Domain & Windows 2003 DNS Servers.

We are facing a problem in DNS name resolution for some of the websites.
Most of our DNS name resolutions end up with IP Address - 67.18.199.2, which
points to some "gator.com" domain.

What is this problem and how can I solve it?

Thanks in Advance.

Regards,
Denis
 

Meinolf Weber [MVP-DS]
07-09-2009

Hello Denis,

How is your DNS configured? Do clients use only domain-internal DNS servers
on the NIC, and did you configure forwarders in the DNS server? Please post
an unedited ipconfig /all from a client and your DNS server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Denis
07-09-2009

Yes, clients use only internal DNS Server. We have configured Forwarder.
Find below the output of IPCONFIG /ALL:
CLIENT
=====
E:\TOOLS>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : denis
Primary Dns Suffix . . . . . . . : CADILAPHARMA.CO.IN
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CADILAPHARMA.CO.IN
                                    CO.IN

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
Physical Address. . . . . . . . . : 00-1D-09-0A-7D-CD
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.151
DNS Servers . . . . . . . . . . . : 192.168.16.9
                                    192.168.15.21
Primary WINS Server . . . . . . . : 192.168.16.23

E:\TOOLS>


SERVER
=====
C:\>IPCONFIG /ALL

Windows IP Configuration

Host Name . . . . . . . . . . . . : cplbhatdc1
Primary Dns Suffix . . . . . . . : CADILAPHARMA.CO.IN
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CADILAPHARMA.CO.IN
                                    CO.IN

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1D-09-15-D0-D4
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.9
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.16.151
DNS Servers . . . . . . . . . . . : 192.168.16.9
Primary WINS Server . . . . . . . : 192.168.16.23

C:\>

Paul Bergson [MVP-DS]
07-09-2009

Your configuration looks fine. I would be concerned about spyware, IIRC
gator is a bad thing. Go out to the Trend website and run Housecall against
one of your clients and see if it reports any issues.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Ace Fekay [Microsoft Certified Trainer]
07-09-2009

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%...
> Your configuration looks fine. I would be concerned about spyware, IIRC
> gator is a bad thing. Go out to the Trend website and run Housecall against
> one of your clients and see if it reports any issues.


Paul, I agree. I think either the HOSTS file was hijacked by Gator's spyware installation, or Gator's software altered the client side resolver. A good cleanup with Housecall, MalwareBytes (www.malwarebytes.com), Adaware, etc, should do the trick.

Also, as a side note, sometimes I make the HOSTS file Read Only to ensure this can't happen, that is if the HOSTS file is involved.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

http://twitter.com/acefekay

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.



 

Paul Bergson [MVP-DS]
07-10-2009

I like the ro on the hosts file. That sounds like it would be a great
option within a gpo.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Ace Fekay [Microsoft Certified Trainer]
07-10-2009

"Paul Bergson [MVP-DS]" <pbbergs@no_spammsn.com> wrote in message news:%...
>I like the ro on the hosts file. That sounds like it would be a great
> option within a gpo.


I don't think you can directly make it RO within a GPO, but scripting it as part of a machine startup script?


 

Ace Fekay [Microsoft Certified Trainer]
07-10-2009

In news:%,
Paul Bergson [MVP-DS] <pbbergs@no_spammsn.com>, posted the following, which I replied to down below...: Hello Paul Bergson [MVP-DS]
>> I like the ro on the hosts file. That sounds like it would be a
>> great option within a gpo.

>
> I don't think you can directly make it RO within a GPO, but scripting
> it as part of a machine startup script?



Nevermind - drew a blank on that one for a split second!
Computer Config/Windows Settings/Security Settings/File System

Ace
 

Denis
07-14-2009

Thanks Ace and Paul for your valued inputs.

I scanned both my client and DNS Server with Malwarebytes' Anti-Malware, but
found no infections. Also, I checked the hosts file, which is neat and clean.

Find below the nslookup result on my client:

===============================================
C:\>nslookup
Default Server: mydnsserver.mydomain.co.in
Address: 192.168.16.9

> yahoo.com

Server: mydnsserver.mydomain.co.in
Address: 192.168.16.9

Non-authoritative answer:
Name: com.CO.IN
Address: 67.18.199.2
Aliases: yahoo.com.CO.IN

>
>
> aol.com

Server: mydnsserver.mydomain.co.in
Address: 192.168.16.9

Non-authoritative answer:
Name: com.CO.IN
Address: 67.18.199.2
Aliases: aol.com.CO.IN

>

================================================

Thanks in Advance!

Regards,
Denis

Ace Fekay [MCT]
07-14-2009

Ahh, that's due to the search suffix. Uncheck the "Append Parent Suffix" in
the NIC properties, check with ipconfig /all that the "co.in" has been
removed, and try again with nslookup.

Ace
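
Added example (not part of the original thread): a check for the symptom diagnosed above, where the answered name is the queried name with an entry of the DNS suffix search list appended. The sample is constructed from the nslookup answers and search list posted in the thread; the function names are illustrative.

```python
import re

# Constructed sample: the two nslookup answers posted in the thread.
NSLOOKUP_OUTPUT = """\
> yahoo.com
Server: mydnsserver.mydomain.co.in
Address: 192.168.16.9

Non-authoritative answer:
Name: com.CO.IN
Address: 67.18.199.2
Aliases: yahoo.com.CO.IN

> aol.com
Server: mydnsserver.mydomain.co.in
Address: 192.168.16.9

Non-authoritative answer:
Name: com.CO.IN
Address: 67.18.199.2
Aliases: aol.com.CO.IN
"""
SEARCH_LIST = ["CADILAPHARMA.CO.IN", "CO.IN"]  # from the posted ipconfig /all

def parse_answers(text):
    """Yield (query, [answered names]) for each '> query' block."""
    for block in re.split(r"(?m)^> *(?=\S)", text)[1:]:
        query, _, rest = block.partition("\n")
        answer = rest.partition("answer:")[2]  # skip the Server/Address header
        names = re.findall(r"(?m)^(?:Name|Aliases):\s*(\S+)", answer)
        yield query.strip(), names

def leaked_suffix(query, names, search_list):
    """Return the search suffix that was appended to `query`, or None."""
    q = query.rstrip(".").lower()
    if any(n.rstrip(".").lower() == q for n in names):
        return None  # the server answered for the name that was asked
    for suffix in search_list:
        if any(n.lower() == f"{q}.{suffix.lower()}" for n in names):
            return suffix
    return None

def audit(text, search_list):
    """Map each query to the suffix that hijacked it (None if answered as asked)."""
    return {q: leaked_suffix(q, n, search_list) for q, n in parse_answers(text)}

print(audit(NSLOOKUP_OUTPUT, SEARCH_LIST))
```

Repeating the query with a trailing dot (yahoo.com.) makes nslookup skip the search list, which separates a suffix problem from a bad answer for the real name.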


 