Cached Lookups vary between PDC and BDC

Discussion in 'DNS Server' started by Saucer Man, Mar 29, 2010.

  1. Saucer Man

    Is this normal? I know that the two servers are syncing changes in the
    forward & reverse lookup zones but should they sync the cached lookups also?
     
    Saucer Man, Mar 29, 2010
    #1

  2. Cached lookups are individual to each server's DNS service's cache. Cache does not get shared.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Mar 29, 2010
    #2

  3. Saucer Man

    Thanks again Ace!


     
    Saucer Man, Mar 29, 2010
    #3
  4. You are welcome!

    Ace
     
    Ace Fekay [MVP-DS, MCT], Mar 30, 2010
    #4
  5. Saucer Man

    A record keeps populating in the .root folder of cached lookups. The record
    is abc-domain and in it is a record for one of our old servers that no
    longer exists. Under the server entry are two NS records pointing to some
    unknown outside servers. I deleted this record yesterday from the PDC. It
    wasn't in the BDC. Today, it is back in the PDC's cache and also the BDC's.
    How is it getting there?


     
    Saucer Man, Mar 30, 2010
    #5
  6. Apparently something is querying it. Check all zone properties, nameservers tab. Also, run Wireshark for inbound UDP 53 and check to see where it's coming from. It could be from an old machine sitting around.

    Also, are you implying it's a single label name?


    --
    Ace

     
    Ace Fekay [MVP-DS, MCT], Mar 31, 2010
    #6
  7. Saucer Man

    Yes. Remember I had the single label name abc-domain in my forward lookup
    zone? I had deleted that zone like we discussed. However, right underneath
    the .(root) level in Cached Lookups is this abc-domain record. Under it,
    there is a reference to an old server. I agree at least one device is still
    querying the old server. If I find that device(s) and correct it will the
    abc-domain record stop appearing?

    Does wireshark need to be installed on the actual DC where DNS is running or
    can I install it on my laptop?
     
    Saucer Man, Apr 1, 2010
    #7
  8. Yes, if you can nail down that machine, and change whatever is querying it, it will not show up in cache. You can use wireshark to check inbound UDP 53, then look at the query string for that name.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 1, 2010
    #8
  9. Saucer Man

    OK. I will try to install Wireshark on the DC. I wish I could install it
    elsewhere. I see in ADDT that the Domain name (pre-Windows 2000) is
    abc-domain. I wonder if this could be causing an issue somewhere.
     
    Saucer Man, Apr 6, 2010
    #9
  10. You could install it on a workstation, but you would have to install the workstation and DC on a Hub (not a switch), that is uplinked to your switch. This way in promiscuous mode, the workstation can "see" the traffic going to the DC.

    What is it doing in ADDT? Was there a trust setup to it? I would suggest to remove it.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 7, 2010
    #10
  11. Saucer Man

    Can I use Network Monitor which is built-in to Windows 2003 instead of
    Wireshark?

    In ADDT we have only one domain ... abc-domain.local. When I right-click
    this and select properties, I see that abc-domain is there as the
    pre-Windows 2000 name. It's not editable or deletable.

    Also, I am getting some very strange queries in DNS. Cached Lookups has
    this now...

    - Cached Lookups
      - .(root)
        - abc-domain
          + old server name
        + casjhajasjd
        + lwdkdqwkd
        + com
        + daasdqdf
        etc...

    There are a bunch of these crazy character folders. What's happening here?



     
    Saucer Man, Apr 7, 2010
    #11
  12. That surely doesn't look right. Put DNS in Advanced mode, and check out the
    properties of any records under those folders, for a date and time stamp.

    Is there a compromised machine on the network?

    Yes, you can use Network Monitor, but not the built-in version. That will
    only look at traffic to and from itself, which means it does not support
    promiscuous mode, where I think you would rather install it on another
    server to get an outside perspective. You can download Microsoft NetMon
    v3.3, which is the beefed up version (previously released only in SMS) that
    allows promiscuous mode.

    Download details: Microsoft Network Monitor 3.3
    http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 8, 2010
    #12
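    A defender-side illustration of the capture advice in #6 and #8 (watch inbound UDP 53 and look at the query string) together with the random-looking names in #11: this is an added example, not code from anyone in this thread. It builds a few constructed DNS query packets (no real capture), parses the question name out of each, and reports per client IP the queries that are single-label (the kind that end up under .(root)) or whose first label looks machine-generated. The vowel/consonant thresholds in looks_random are my own assumptions.

```python
import struct
from collections import defaultdict
VOWELS = set("aeiouy")

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a minimal DNS standard query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(payload):
    """Return the QNAME labels of the first question in a DNS message."""
    pos, labels = 12, []
    while True:
        length = payload[pos]
        if length == 0:
            return labels
        if length & 0xC0:  # compression pointer: not valid in a query's own QNAME
            raise ValueError("unexpected compression pointer in question")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length

def looks_random(label):
    """Heuristic: 5+ letters with no vowel, or a run of 5+ consonants, looks machine-generated."""
    letters = [c for c in label.lower() if c.isalpha()]
    if len(letters) >= 5 and not any(c in VOWELS for c in letters):
        return True
    run = best = 0
    for c in label.lower():
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    return best >= 5

def suspicious_queries(packets):
    """Group QNAMEs that are single-label or random-looking by the client that sent them."""
    hits = defaultdict(list)
    for src, payload in packets:
        labels = parse_qname(payload)
        if labels and (len(labels) == 1 or looks_random(labels[0])):
            hits[src].append(".".join(labels))
    return dict(hits)

# Constructed sample traffic (client IP, DNS query bytes); not a real capture.
SAMPLE_PACKETS = [
    ("10.0.0.25", build_query("abc-domain")),                  # single-label name, lands under .(root)
    ("10.0.0.25", build_query("casjhajasjd")),
    ("10.0.0.25", build_query("lwdkdqwkd.abc-domain.local")),  # junk label with the search suffix appended
    ("10.0.0.40", build_query("www.microsoft.com")),
    ("10.0.0.40", build_query("dc01.abc-domain.local")),
]
```

    Running suspicious_queries(SAMPLE_PACKETS) points at 10.0.0.25 only; on a real capture you would feed it the (source IP, UDP payload) pairs for port 53 instead of SAMPLE_PACKETS.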
  13. Saucer Man

    Well, I found one of the devices that is referencing the old server. I am
    using SmartSniff which doesn't even require an install. It is using the
    built-in netmon driver. I checked the device and I can't find any
    references in this PC to that old server. The user doesn't recall doing
    anything special at the time the query was logged. I don't understand it.

    As far as the crazy character queries, each folder only has two NS records.
    Right-clicking them doesn't show the time stamp. That field is greyed out.
    I am in advanced mode. It could be that a PC is infected somewhere now I
    just have to track it down!
     
    Saucer Man, Apr 9, 2010
    #13
  14. I was actually asking about the properties of the old server reference, not the name servers.

    But now you've mentioned it, what are the two NS records that are authoritative for the old record?





    --
    Ace

     
    Ace Fekay [MVP-DS, MCT], Apr 9, 2010
    #14
  15. Saucer Man

    The Properties option is only available when I right-click on the name
    servers in the folder. If I right-click anything else, I do not get the
    Properties option. The NS records for the old server are wsc1.jomax.net and
    wsc2.jomax.net. These also happen to be the same NS records in the crazy
    character folders. I found out that these crazy character queries are also
    coming from the same PC.

     
    Saucer Man, Apr 9, 2010
    #15
  16. Interesting. Have you scanned the machine it is coming from for malware? When you run an ipconfig /displaydns, do you see the oddball record in there? What do the hosts and lmhosts files look like?

    Other than that, I'm actually at a loss to think of what else could be causing it.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 11, 2010
    #16
  17. Saucer Man

    I think there was malware on the laptop. I found a program in
    Start-Programs called XP Access. He didn't know what it was. The
    executable was something like xp-a.exe or something like that. We only
    found it on one site that said it was malware. We deleted it and I haven't
    seen the entries return but it is still too early to tell. The funny thing
    is I couldn't find any references to this program running or starting when
    the laptop starts. I haven't checked the hosts and lmhosts files. I will
    do that when he comes in.




     
    Saucer Man, Apr 12, 2010
    #17
  18. That can surely do it. Good find! Also search the registry for that name. See where it shows up. If it is associated with a CLSID, look up that CLSID and delete the whole 'apartment' it exists in.


    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 13, 2010
    #18
  19. Saucer Man

    Looks like I spoke too soon. That laptop is still trying to query the old
    server and those crazy character names. I scanned it with a malware
    software tool but it didn't find anything. At least I know it's only one
    machine and not several. Thanks again for all your help!
     
    Saucer Man, Apr 14, 2010
    #19

  20. Have you looked at the LMHOSTS and HOSTS files? Check the registry to make sure the HOSTS file location is pointing to the default location.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

    Also, check WINS, if you haven't already.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Apr 15, 2010
    #20