DNS server resolved 64.106.154.50 to all domain name

Discussion in 'DNS Server' started by Ravi, Jul 30, 2004.

  1. Ravi

    Ravi Guest

    Hi,

    Our DNS server is acting a little funny. When we try to resolve any domain name it resolves to 64.106.154.50. We tried reinstalling the DNS server but no luck. Any suggestions?

    Thanks,
    Ravi
     
    Ravi, Jul 30, 2004
    #1

  2. Ravi

    Sharad Naik Guest

    How exactly are you trying to resolve?
    Using nslookup or trying opening websites?
    If later is the case, are you using a proxy server?
    Did you try resolving from the server itself or from
    client machine?
    In any case it will help if you post results of ipconfig /all
    from the server and from one of the client machines.

    Sharad
     
    Sharad Naik, Jul 30, 2004
    #2

  3. Ravi

    Sharad Naik Guest

    On the server, start a command prompt, type nslookup
    and press enter.
    Then type a domain name, e.g. yahoo.com, and press enter. What response do you
    get?


    Also post the results of ipconfig /all from the server.
    Please post unedited results.

    Sharad
     
    Sharad Naik, Jul 30, 2004
    #3
  4. In
    It takes a combination of your DNS suffix matching a public domain that uses
    a wildcard record to do this.
    Usually if you deselect "Append parent suffixes of the primary DNS suffix"
    or select "Append these suffixes in order" with only your local domain suffix in
    the list, it won't append the combination of suffixes that hits the
    wildcard record.

    When you run nslookup, use the d2 switch and you can see nslookup appending
    suffixes.

    Posting your ipconfig /all will verify this.


    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your
    issue. To respond directly to me remove the nospam. from my
    email. ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht Sr. [MVP], Jul 30, 2004
    #4
  5. Ravi

    Roger Abell Guest

    Is it correct to say that star.adi.com aka star.optimos.com
    at 10.1.0.5 is your DNS server ?

    You have said you tried reinstalling DNS and it did not work.
    I take this to mean that you 1) uninstalled DNS, 2) successfully
    reinstalled DNS, 3) experienced no change as a result.

    Your DNS server does not seem to be the problem if it is
    this 10.1.0.5.
    Note that the nslookups you have shown are getting the
    proper IPs back from your (? star) DNS server.
    So, the nslookups and the uninstall/reinstall establish that
    it is not your DNS server that is the problem.

    So, how to explain?
    First, know that nslookup uses its own resolver, and that
    Windows has two other resolvers: dnscache the newer
    caching resolvers, and the older resolver carried over from
    the NT 4 codebase.
    If you shut off dnscache then the older resolver takes over.
    nslookup uses its own code to drive the resolution process.

    Now, both your ping and your nslookup used your 10.1.0.5
    DNS server. The nslookup showed the responses from 10.1.0.5
    are correct. ping, using the Windows resolver, likely dnscache,
    would have received the same (if it actually did ask 10.1.0.5).

    But we see ping always ends up with 64.106.154.50.
    Well, that seems to indicate that you have an issue with the client
    resolvers (and on more than one machine at that).

    There are hijack codes about that edit the hosts file on a machine,
    but it seems it would need to use wildcarding to cause what you
    are seeing via the hosts file (did not think that was defined).
    Are you certain that these machines where you see this behavior
    are squeaky clean ?

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Jul 31, 2004
    #5
  6. Ravi

    Roger Abell Guest

    ipconfig /flushdns does not dump the cache from the server;
    it empties the client resolver cache.

    That changing to the ISP's DNS server alleviates the false
    resolution is the one thing that does not fit with the analysis
    offered in the other post where your nslookup and ping
    results are examined.

    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCSE (W2k3,W2k,Nt4) MCDBA
     
    Roger Abell, Jul 31, 2004
    #6
  7. In
    What is the name that resolves to this IP and what names are in your DNS
    Suffix Search List?

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Aug 10, 2004
    #7
  8. Ravi

    Roger Abell Guest

    I wish the OP of this thread had gotten back to us !
    It is strange you have the exact same IP showing up.

    Is this happening on clients configured to use only
    your DNS server(s)?
    If on such a client where you see this, is there any
    strange content in the hosts file (system32\drivers\etc)?
    When on a client where you see this, when going to
    say www.somename.com, if you then open a cmd
    window and in it issue
    nslookup
    set q=all
    www.somename.com.
    do you get the correct IPs or this fake one ?

    Google on this IP only pulls up three sites caching this
    thread (and under subject of the following thread at that!)
    I am getting really curious why this person's
    http://ws.arin.net/cgi-bin/whois.pl?queryinput=! NET-64-106-154-50-1
    residential IP is showing up like this.
     
    Roger Abell, Aug 11, 2004
    #8
  9. In
    I think this is more a combination of their DNS suffix search list and a
    wild card record you are using in your domain that resolves to your IP. This
    is the first of two posts this week like this because of a wildcard record.

    Wildcard records are bad news in a public domain, but the answer is to
    remove the DNS suffix from the search list that is causing it to go to your
    domain in the first place.
    It was really bad last fall when NetSol took it on themselves to use a
    wildcard record in the .com and .net gTLD servers. No query in the .com or
    .net TLD would fail.

    What is the domain name that resolves to this IP?

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Aug 12, 2004
    #9
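    The mechanism Kevin describes in #4 and #9, and the trailing-dot nslookup check Roger suggests in #8, in a small Python simulation. This is an added example, not code from the thread or from Windows: the zone data, the suffix names and the 192.0.2.x addresses are constructed, and the wildcard rule is a simplified RFC 1034 match; only 64.106.154.50 is the address reported in the thread.

    ```python
    # Added illustration, not code from the thread: a toy stub resolver that
    # appends search-list suffixes as posts #4, #8 and #9 describe, against a toy
    # zone with RFC 1034 wildcard synthesis. Zone names, suffixes and 192.0.2.x
    # addresses are constructed; 64.106.154.50 is the address from the thread.

    ZONE = {  # everything the client's DNS server can answer
        "corp.optimos.com.": "10.1.0.5",       # constructed internal AD domain, no wildcard
        "star.corp.optimos.com.": "10.1.0.5",
        "www.optimos.com.": "192.0.2.20",
        "*.optimos.com.": "64.106.154.50",     # wildcard A record in the public zone
        "www.somename.com.": "192.0.2.10",
    }

    def lookup(fqdn):
        """Exact match first; else the nearest enclosing wildcard, unless an
        existing name closer to the query blocks it (RFC 1034 section 4.3.3)."""
        if fqdn in ZONE:
            return ZONE[fqdn]
        labels = fqdn.split(".")               # trailing "" is the root label
        for i in range(1, len(labels) - 1):
            parent = ".".join(labels[i:])
            if "*." + parent in ZONE:
                return ZONE["*." + parent]
            if parent in ZONE:                 # closer real name: wildcard does not apply
                return None
        return None

    def devolve(primary_suffix, min_labels=2):
        """Search list produced by 'Append parent suffixes of the primary DNS suffix'."""
        labels = primary_suffix.rstrip(".").split(".")
        return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

    def resolve(name, search_list):
        """Stub resolution: the name as typed, then name + each suffix in order.
        A trailing dot marks an FQDN and suppresses suffix appending."""
        candidates = [name] if name.endswith(".") else \
            [name + "."] + [f"{name}.{s}." for s in search_list]
        for fqdn in candidates:
            addr = lookup(fqdn)
            if addr is not None:
                return fqdn, addr
        return None, None

    if __name__ == "__main__":
        devolved = devolve("corp.optimos.com")   # ['corp.optimos.com', 'optimos.com']
        for qname, sl in [("mail", devolved), ("www.somename.cmo", devolved),
                          ("www.somename.cmo.", devolved), ("mail", devolved[:1])]:
            print(f"{qname!r} with {sl} -> {resolve(qname, sl)}")
    ```

    With the devolved list, a mistyped name or a bare host name never fails and lands on the wildcard address; with only the local suffix in the list, or with a trailing dot on the query, the same lookups return nothing, which is the behaviour the fix in #4 restores.
    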
  10. In
    Curious, what did you figure out? It will help us if we knew so we can help
    someone else if we see this again.

    Thank you.

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services

    Security Is Like An Onion, It Has Layers
    HAM AND EGGS: A day's work for a chicken;
    A lifetime commitment for a pig.
     
    Ace Fekay [MVP], Aug 12, 2004
    #10
  11. Ravi

    Roger Abell Guest

    Thanks for chiming in with this enlightenment Matt.
    I know many do not run with cache pollution protection
    enabled in order to stretch DNS machine resources.
    I would have hoped MS had its DNS never even need
    to reverse verify (or overwrite) a TLD; but it sounds
    like this needs checking and if it does then get this
    submitted for a fix as I can see no reasonable situation
    in which overwriting what is cached for a TLD should
    be allowed if it did not originate at a root server.
     
    Roger Abell, Aug 13, 2004
    #11
  12. Ravi

    Roger Abell Guest

    Ace, did you look down at the info he appended at bottom
    of his post ?
     
    Roger Abell, Aug 13, 2004
    #12
  13. Ravi

    Roger Abell Guest

    Jim,

    Are you still with us ?

    Based on the info Matt provided, you may be able to
    resolve this by enabling protecting of the cache from
    pollution (in the Adv tab of the server node properties),
    and then using adv view so you can see the cache and
    going in and highlighting and deleting the cached entry
    for com.

    However, I am doubting that this will resolve things.
    The first poster showed us that ping got the bogus IP,
    but nslookup using their DNS did not.
    This tells me that the bad caching is happening not in
    the DNS server but in the DNS caching resolver client.
    You did not respond with the requested nslookup, so
    we do not know if this is also how it is on your machines.
     
    Roger Abell, Aug 13, 2004
    #13
  14. In
    Boy, it's been a long day!

    :)
     
    Ace Fekay [MVP], Aug 13, 2004
    #14
  15. Foolish and unwise, yes. Too often done however, yes.
    "Fix" in the sense that whether prevention of pollution is or is not
    enabled, there is simply no good reason for allowing the overwriting of
    the TLD servers in cache when DNS has info for direct means
    of obtaining and verifying these.

    I actually believe this is not a problem in DNS server anyway,
    but in the dnscache caching resolver client.
     
    Roger Abell [MVP], Aug 15, 2004
    #15
  16. Thanks for the checkback Matt.
    I wish the original posters would do the same so we could
    verify this as an issue not with Windows DNS but with the
    client resolver.
    --
    Roger Abell
    Microsoft MVP (Windows Server System: Security)
    MCDBA, MCSE W2k3+W2k+Nt4
     
    Roger Abell [MVP], Aug 22, 2004
    #16
