Weird DNS hi-jacking

Discussion in 'Computer Support' started by r.larsson@gmx.net, Mar 22, 2007.

  1. Guest

    Our small office network runs fine most of the time; we have about 10
    WinXP clients. Our local DHCP and DNS server (bind9) run under Linux.
    (It also runs Samba and mail, but that is probably not important
    here.)

    One or two days per month one of our salesmen, Paul, is in the office.
    Every time Paul connects his laptop to our network all other people
    lose network connections. More specifically, when we do ipconfig /all
    on the clients we can see that the DNS line points to Paul's
    laptop with a 192.168.xxx address. Paul's computer must be
    broadcasting something, saying "Hey, I'm the DNS server on this place,
    forget about the previous one and ask me instead!".

    The short term solution, which we all have learned now, is to do
    ipconfig /renew on the clients. Does anyone know if there is a long
    term solution? I guess there must be something running (a service
    perhaps) on Paul's machine that is not supposed to run. (No virus or
    trojan is found by a recently updated Norton AV.)

    Any tips?

    --
    Robert Larsson
     
    , Mar 22, 2007
    #1

  2. why? Guest

    On 22 Mar 2007 02:51:27 -0700, r.larsson@ wrote:

    >Our small office network runs fine most of the time; we have about 10
    >WinXP clients. Our local DHCP and DNS server (bind9) run under Linux.


    For about 10 do you really need DHCP? Static would do just as well.

    >(It also runs Samba and mail, but that is probably not important
    >here.)
    >
    >One or two days per month one of our salesmen, Paul, is in the office.
    >Every time Paul connects his laptop to our network all other people
    >lose network connections. More specifically, when we do ipconfig /all
    >on the clients we can see that the DNS line points to Paul's
    >laptop with a 192.168.xxx address. Paul's computer must be


    You don't need to xxx that IP address, that whole range is a private
    address and isn't accessible across the internet.

    >broadcasting something, saying "Hey, I'm the DNS server on this place,
    >forget about the previous one and ask me instead!".


    That would be about right: as every lease is checked, a closer DNS is
    found and it renews from that source instead.

    >The short term solution, which we all have learned now, is to do
    >ipconfig /renew on the clients. Does anyone know if there is a long


    So that doesn't renew from his PC; Windows is funny like that, it prefers
    the last server.

    >term solution? I guess there must be something running (a service
    >perhaps) on Paul's machine that is not supposed to run. (No virus or


    That's for the IT guys to fix.

    >trojan is found by a recently updated Norton AV.)


    Try something other than NAV as a double check: alternative products and
    online scanners are often mentioned in posts in 24HSHD. Search
    http://groups.google.com/group/24hoursupport.helpdesk/topics

    Since it's Win you could look,

    Control Panel / Services for anything you don't recognise.

    Start / Programs for any apps that shouldn't be on a company machine.

    >Any tips?


    Some basic diagnostics: check whether ports 67/68 are open
    http://www.snapfiles.com/features/ed_usb_software.html

    CurrPorts

    StartupList

    SmartSniff , this isn't as simple as the first 2 but if you know the
    address of his PC, you can see it listed as a source, going to the other
    PCs on port 53 and the DHCP stuff is plain text.

    Although for a different sniffer, see
    http://www.packet-level.com/traces/index.htm
    DHCP: Standard Boot Sequence
    the zip file contains a .prn , view it in notepad. The bit you are
    looking for is


    UDP: ----- UDP Header -----
    UDP:
    UDP: Source port = 68 (Bootpc/DHCP)
    UDP: Destination port = 67 (Bootps/DHCP)

    and a bit that's the client PC requesting an address from his PC. You
    know the MAC (Client hardware address) and its name for each of your
    PCs. You know the IP of his PC (DHCP: Server IP address =
    [10.0.0.1]).

    You will see the PC request
    ( Message Type = 3 (DHCP Request))

    DHCP: Client self-assigned IP address = [0.0.0.0]
    DHCP: Client IP address = [0.0.0.0]
    DHCP: Next Server to use in bootstrap = [0.0.0.0]
    DHCP: Relay Agent = [0.0.0.0]
    DHCP: Client hardware address = 00A0CC30C8DB
    DHCP:
    DHCP: Host name = ""
    DHCP: Boot file name = ""
    DHCP:
    DHCP: Vendor Information tag = 63825363
    DHCP: Message Type = 3 (DHCP Request)
    DHCP: Client identifier = 0100A0CC30C8DB
    DHCP: Request specific IP address = [10.0.99.2]
    DHCP: Server IP address = [10.0.0.1]
    DHCP: HostName = "UTBPOPKI"


    Then you will see a DHCP ACK sending the data to the PCs from his PC;
    this is the lease time, mask, gateway etc. that is visible in
    ipconfig /all

    DHCP: Vendor Information tag = 63825363
    DHCP: Message Type = 5 (DHCP Ack)
    DHCP: Server IP address = [10.0.0.1]
    DHCP: Request IP address lease time = 300 (seconds)
    DHCP: Subnet mask = [255.0.0.0]
    DHCP: Gateway address = [10.0.0.1]
    DHCP: Domain Name Server address = [10.0.0.1]
    DHCP: Domain name = "netanalysis.org"


    Me
     
    why?, Mar 22, 2007
    #2
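The post above describes what to look for in a capture: a DHCP ACK on UDP 67/68 whose server and "Domain Name Server" fields point at a machine that is not the office server. As an added illustration (not code from the thread or from any of the tools the poster names), here is a small Python decoder for the BOOTP/DHCP payload that extracts exactly those fields (Message Type, Server Identifier, DNS server, lease time, client MAC) and raises an alert when an OFFER or ACK comes from a server that is not on an allow-list. All addresses, the MAC and the allow-list entry are constructed sample values, not anything from the thread; the `build_dhcp` helper exists only to manufacture test packets offline, and in practice you would feed `parse_dhcp` the UDP payload of each port-67/68 datagram from a sniffer.

```python
import struct
import ipaddress

# RFC 2131 "magic cookie" that starts the options area; it is what the
# quoted trace prints as "Vendor Information tag = 63825363".
MAGIC_COOKIE = b"\x63\x82\x53\x63"

MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

# Constructed address standing in for the office Linux DHCP/DNS box (assumption).
AUTHORIZED_SERVERS = {"192.168.1.1"}


def build_dhcp(op, msg_type, chaddr, yiaddr="0.0.0.0", server_id=None,
               dns=None, lease=None, xid=0x3903F326):
    """Assemble a minimal BOOTP/DHCP payload. Used here only to construct
    test input; real packets come from a capture."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH", op, 1, len(mac), 0, xid, 0, 0)
    hdr += bytes(4)                                  # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed      # yiaddr (offered address)
    hdr += bytes(4) + bytes(4)                       # siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")                    # chaddr is a 16-byte field
    hdr += bytes(64) + bytes(128)                    # sname, file
    opts = bytes([53, 1, msg_type])                  # option 53: DHCP Message Type
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    if dns:
        opts += bytes([6, 4]) + ipaddress.IPv4Address(dns).packed
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC_COOKIE + opts + b"\xff"       # option 255: end


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the TLV options of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, hlen = payload[0], payload[2]
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    chaddr = payload[28:28 + hlen].hex()
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length

    def ip(code):
        v = options.get(code)
        return str(ipaddress.IPv4Address(v[:4])) if v and len(v) >= 4 else None

    lease_raw = options.get(51, b"")
    return {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "chaddr": chaddr,
        "yiaddr": yiaddr,
        "message_type": MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN"),
        "server_id": ip(54),     # option 54: Server Identifier
        "dns": ip(6),            # option 6: Domain Name Server
        "lease": struct.unpack("!I", lease_raw)[0] if len(lease_raw) == 4 else None,
    }


def rogue_server_alert(msg, authorized=AUTHORIZED_SERVERS):
    """Return an alert line for an OFFER/ACK from a server not on the
    allow-list, else None. Client REQUESTs are never flagged."""
    if msg["message_type"] not in ("OFFER", "ACK"):
        return None
    if msg["server_id"] in authorized:
        return None
    return (f"rogue DHCP {msg['message_type']} from {msg['server_id']} "
            f"to {msg['chaddr']}: yiaddr={msg['yiaddr']} dns={msg['dns']}")


if __name__ == "__main__":
    # Constructed samples: a lease from the real server, a lease from a stray
    # laptop naming itself as DNS, and an ordinary client REQUEST.
    samples = [
        build_dhcp(2, 5, "00:a0:cc:30:c8:db", "192.168.1.120", "192.168.1.1", "192.168.1.1", 86400),
        build_dhcp(2, 5, "00:a0:cc:30:c8:db", "192.168.1.120", "192.168.1.50", "192.168.1.50", 300),
        build_dhcp(1, 3, "00:a0:cc:30:c8:db", server_id="192.168.1.50"),
    ]
    for raw in samples:
        msg = parse_dhcp(raw)
        print(msg["message_type"], msg["server_id"], rogue_server_alert(msg) or "ok")
```

The allow-list check is the whole detection: any OFFER or ACK whose Server Identifier is not the known office server is the "closer DNS" the reply describes, and the decoded `dns` field shows which machine the clients will be handed as resolver. Very short lease times (the trace above shows 300 seconds) are also worth printing, since they make a rogue server win the renewal race more often.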

  3. Whiskers Guest

    On 2007-03-22, <> wrote:
    > Our small office network runs fine most of the time; we have about 10
    > WinXP clients. Our local DHCP and DNS server (bind9) run under Linux.
    > (It also runs Samba and mail, but that is probably not important
    > here.)
    >
    > One or two days per month one of our salesmen, Paul, is in the office.
    > Every time Paul connects his laptop to our network all other people
    > lose network connections. More specifically, when we do ipconfig /all
    > on the clients we can see that the DNS line points to Paul's
    > laptop with a 192.168.xxx address. Paul's computer must be
    > broadcasting something, saying "Hey, I'm the DNS server on this place,
    > forget about the previous one and ask me instead!".
    >
    > The short term solution, which we all have learned now, is to do
    > ipconfig /renew on the clients. Does anyone know if there is a long
    > term solution? I guess there must be something running (a service
    > perhaps) on Paul's machine that is not supposed to run. (No virus or
    > trojan is found by a recently updated Norton AV.)
    >
    > Any tips?
    >
    > --
    > Robert Larsson
    >


    Tell Paul to re-configure his laptop so that it isn't trying to be a DNS
    server. Or configure your router to ban his machine based on the MAC
    number of his wireless card. If he won't do the former, the latter might
    help change his mind.

    --
    -- ^^^^^^^^^^
    -- Whiskers
    -- ~~~~~~~~~~
     
    Whiskers, Mar 22, 2007
    #3
  4. Guest

    > Try something else than NAV as a double check, alternative products,

    Good idea, will do that. Will also try the different sniffers you
    recommended. Thanks!

    --
    Robert
     
    , Mar 23, 2007
    #4
  5. Guest

    > Tell Paul to re-configure his laptop so that it isn't trying to be a DNS
    > server. Or configure your router to ban his machine based on the MAC
    > number of his wireless card. If he won't do the former, the latter might
    > help change his mind.


    I did block him in the router, but then he couldn't use his laptop to
    get mail etc (of course). I also did ask him to fix his computer, but
    he doesn't know how to do that. Most likely that task will be assigned
    to me... Since it is Windows and we cannot guess *what* service or
    process in his laptop is acting as a DNS server, a complete re-install
    of XP is probably the easiest way to go.

    Thanks, and have a great weekend!
    --
    Robert
     
    , Mar 23, 2007
    #5
  6. Whiskers Guest

    On 2007-03-23, <> wrote:
    >> Tell Paul to re-configure his laptop so that it isn't trying to be a DNS
    >> server. Or configure your router to ban his machine based on the MAC
    >> number of his wireless card. If he won't do the former, the latter might
    >> help change his mind.

    >
    > I did block him in the router, but then he couldn't use his laptop to
    > get mail etc (of course). I also did ask him to fix his computer, but
    > he doesn't know how to do that. Most likely that task will be assigned
    > to me... Since it is Windows and we cannot guess *what* service or
    > process in his laptop is acting as a DNS server, a complete re-install
    > of XP is probably the easiest way to go.
    >
    > Thanks, and have a great weekend!
    > --
    > Robert


    Have fun with the rogue machine :))

    --
    -- ^^^^^^^^^^
    -- Whiskers
    -- ~~~~~~~~~~
     
    Whiskers, Mar 23, 2007
    #6
