False DNS Resolution - gator.com

Discussion in 'DNS Server' started by Denis, Jul 9, 2009.

  1. Denis

    Denis Guest

    Hello,

    We have Windows 2003 Active Directory Domain & Windows 2003 DNS Servers.

    We are facing a problem in DNS name resolution for some of the websites.
    Most of our DNS name resolutions end up with IP Address - 67.18.199.2, which
    points to some "gator.com" domain.

    What is this problem and how can I solve it?

    Thanks in Advance.

    Regards,
    Denis
     
    Denis, Jul 9, 2009
    #1

  2. Hello Denis,

    How is your DNS configured? Do clients use only domain-internal DNS servers
    on the NIC, and did you configure forwarders on the DNS server? Please post
    an unedited ipconfig /all from a client and from your DNS server.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 9, 2009
    #2

  3. Denis

    Denis Guest

    Yes, clients use only the internal DNS server. We have configured a forwarder.
    Find below the output of IPCONFIG /ALL:
    CLIENT
    =====
    E:\TOOLS>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : denis
    Primary Dns Suffix . . . . . . . : CADILAPHARMA.CO.IN
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CADILAPHARMA.CO.IN
    CO.IN

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
    Physical Address. . . . . . . . . : 00-1D-09-0A-7D-CD
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.16.101
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.16.151
    DNS Servers . . . . . . . . . . . : 192.168.16.9
    192.168.15.21
    Primary WINS Server . . . . . . . : 192.168.16.23

    E:\TOOLS>


    SERVER
    =====
    C:\>IPCONFIG /ALL

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : cplbhatdc1
    Primary Dns Suffix . . . . . . . : CADILAPHARMA.CO.IN
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : CADILAPHARMA.CO.IN
    CO.IN

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
    Physical Address. . . . . . . . . : 00-1D-09-15-D0-D4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.16.9
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.16.151
    DNS Servers . . . . . . . . . . . : 192.168.16.9
    Primary WINS Server . . . . . . . : 192.168.16.23

    C:\>
     
    Denis, Jul 9, 2009
    #3
  4. Your configuration looks fine. I would be concerned about spyware, IIRC
    gator is a bad thing. Go out to the Trend website and run Housecall against
    one of your clients and see if it reports any issues.


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jul 9, 2009
    #4
  5. Paul, I agree. I think either the HOSTS file was hijacked by Gator's spyware installation, or Gator's software altered the client side resolver. A good cleanup with Housecall, MalwareBytes (www.malwarebytes.com), Adaware, etc, should do the trick.

    Also, as a side note, sometimes I make the HOSTS file Read Only to ensure this can't happen, that is if the HOSTS file is involved.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup/forum to benefit from collaboration among responding engineers, as well as to help others benefit from your resolution.

    Ace Fekay, MCT, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    http://twitter.com/acefekay

    For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Jul 9, 2009
    #5
  6. I like the RO on the HOSTS file. That sounds like it would be a great
    option within a GPO.

     
    Paul Bergson [MVP-DS], Jul 10, 2009
    #6
  7. I don't think you can directly make it RO within a GPO, but scripting it as part of a machine startup script?
     
    Ace Fekay [Microsoft Certified Trainer], Jul 10, 2009
    #7
  8. Never mind, drew a blank on that one for a split second!
    Computer Config/Windows Settings/Security Settings/File System

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jul 10, 2009
    #8
  9. Denis

    Denis Guest

    Thanks Ace and Paul for your valued inputs.

    I scanned both my client and DNS Server with Malwarebytes' Anti-Malware, but
    found no infections. Also, I checked the hosts file, which is neat and clean.

    Find below the nslookup result on my client:

    ===============================================
    C:\>nslookup
    Default Server: mydnsserver.mydomain.co.in
    Address: 192.168.16.9
    Server: mydnsserver.mydomain.co.in
    Address: 192.168.16.9

    Non-authoritative answer:
    Name: com.CO.IN
    Address: 67.18.199.2
    Aliases: yahoo.com.CO.IN
    Server: mydnsserver.mydomain.co.in
    Address: 192.168.16.9

    Non-authoritative answer:
    Name: com.CO.IN
    Address: 67.18.199.2
    Aliases: aol.com.CO.IN
    ================================================

    Thanks in Advance!

    Regards,
    Denis
     
    Denis, Jul 14, 2009
    #9
  10. Ahh, that's due to the search suffix. Uncheck "Append Parent Suffix" in
    the NIC properties, check with ipconfig /all that the 'co.in' has been
    removed, and try again with nslookup.

    Ace
     
    Ace Fekay [MCT], Jul 14, 2009
    #10
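The suffix devolution Ace points to, modelled in Python as an added example (not code from the thread or from Windows): with parent suffixes appended, the primary suffix CADILAPHARMA.CO.IN also yields CO.IN, so an unqualified "yahoo.com" is tried as "yahoo.com.CO.IN" and lands in a wildcard under co.in, which is exactly what the nslookup output above shows. The zone data, the candidate ordering and the 198.51.100.10 address are constructed assumptions; no real DNS is queried.

```python
# Constructed offline stand-ins: the internal AD zone from the ipconfig output,
# plus a wildcard under co.in that answers every unknown name with the
# address reported in the thread. No real DNS is queried.
INTERNAL_ZONE = "cadilapharma.co.in"
FAKE_ZONE = {
    "yahoo.com": "198.51.100.10",                      # constructed address
    "cplbhatdc1.cadilapharma.co.in": "192.168.16.9",  # the DC, from ipconfig
}
WILDCARD_SUFFIX, WILDCARD_ADDR = "co.in", "67.18.199.2"


def devolve(primary_suffix, append_parent=True, min_labels=2):
    """Suffix search list derived from the primary DNS suffix: with parent
    devolution on, drop one label at a time down to min_labels (-> CO.IN)."""
    labels = primary_suffix.lower().strip(".").split(".")
    if not append_parent:
        return [".".join(labels)]
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def candidates(name, search_list):
    """Names tried for a query; a trailing dot marks it fully qualified.
    Suffixed forms first is an assumption, matching the thread's nslookup."""
    if name.endswith("."):
        return [name.rstrip(".").lower()]
    name = name.lower()
    return [f"{name}.{s}" for s in search_list] + [name]


def lookup(fqdn):
    """Offline resolver: the internal zone is authoritative (no wildcard
    there); anything else under co.in falls into the constructed wildcard."""
    if fqdn in FAKE_ZONE:
        return FAKE_ZONE[fqdn]
    if fqdn.endswith("." + INTERNAL_ZONE):
        return None
    return WILDCARD_ADDR if fqdn.endswith("." + WILDCARD_SUFFIX) else None


def resolve(name, primary_suffix, append_parent=True):
    """(name actually answered, address) for the first candidate that hits."""
    for fqdn in candidates(name, devolve(primary_suffix, append_parent)):
        addr = lookup(fqdn)
        if addr:
            return fqdn, addr
    return None, None


def risky_suffixes(search_list, min_safe_labels=3):
    """Search-list entries short enough to be a public suffix such as co.in,
    where a stranger's wildcard can catch every external or mistyped name."""
    return [s for s in search_list if len(s.split(".")) < min_safe_labels]
```

Running risky_suffixes over the devolved list is the check to add to a client audit: any entry with fewer than three labels means external names can be answered by whoever controls that public suffix.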
