RE: [NTSysADM] RE: DNS server settings getting changed

[Melvin Backus]

We've considered that.  We're going to swap the FW in a couple of weeks as part 
of something else, so that will eliminate that part, and as I said, we've got a 
temp solution, but we still need to figure out why this office does this and 
all the others work as expected.  Obviously something's different, but we 
haven't found it yet. :)



--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of John Cook
Sent: Thursday, April 24, 2014 9:51 AM
To: ntsysadm@lists.myitforum.com
Subject: RE: [NTSysADM] RE: DNS server settings getting changed

Well at this point I'd add DHCP to another server (if you have one available) 
configure it identically and disable it on the current server to eliminate some 
possibilities. I'm sure you have other fish to fry and that may just be the 
resolution.

 John W. Cook
Director of Network Operations
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell     (352) 215-6944

MCSE, MCP+I, MCTS,
CompTIA  A+, N+, Security +
VSP4, VTSP4

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, April 24, 2014 9:41 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: RE: [NTSysADM] RE: DNS server settings getting changed

No reason I can think of.  Even if they resolved, they wouldn't be accessible.  
While I did consider malware, the fact that it reverts to our internal servers, 
and that those were where things would have legitimately pointed 6 weeks ago, 
make me think it's more likely something else, but we've run out of ideas on 
what at this point, hence my query to the list.  I try to never rule anything 
out until I can prove it's something else.  It just gets moved down the list.

--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Micheal Espinola Jr
Sent: Thursday, April 24, 2014 9:25 AM
To: ntsysadm
Subject: Re: [NTSysADM] RE: DNS server settings getting changed

That software would be per-client.  Its a DNS hijacking trojan.
It seems odd that these systems are getting your Domain DNS.  Would those 
servers be providing resolution to systems that would otherwise not?  Would 
someone want to use your Domain DNS over what you are configuring?

--
Espi


On Thu, Apr 24, 2014 at 6:15 AM, Melvin Backus 
<melvin.bac...@byers.com<mailto:melvin.bac...@byers.com>> wrote:
No, it's changing back to our domain DNS.  Just curious though, did that only 
affect the machine with the software or was it able to touch other machines 
across the network?


--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com>] 
On Behalf Of Jimmy Tran
Sent: Thursday, April 24, 2014 9:12 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] RE: DNS server settings getting changed

Had this problem happen to two different clients.  The machines someone got 
some software called DNSchanger installed.  It would change DNS to 8.8.8.8 and 
8.8.4.4.

Are those the IP's its changing to?

From: listsad...@lists.myitforum.com<mailto:listsad...@lists.myitforum.com> 
[mailto:listsad...@lists.myitforum.com] On Behalf Of Melvin Backus
Sent: Thursday, April 24, 2014 5:27 AM
To: ntsysadm@lists.myitforum.com<mailto:ntsysadm@lists.myitforum.com>
Subject: [NTSysADM] DNS server settings getting changed

OK, this has been driving us nuts for a couple of days now.

One of our remote sites is seeing seemingly random PCs change their DNS server 
settings.  They're all configured to get them from the DHCP server, and it has 
the correct DNS servers.  All the PCs do in fact get the correct settings when 
they get or renew an IP.  That all seems to be working as we expect.  But 
periodically we'll see a machine change the DNS servers to something else.  
This causes applications to start failing because the hosts they need no longer 
resolve.  As soon as the PC renews it's IP, whether automatically or manually, 
everything goes back to normal and stuff works again.

We have a short term fix (force the DNS server settings manually instead of 
DHCP) but that doesn't explain what's going on, and since we're using this same 
setup in 20 offices it also begs the question of why just this office.

Background:
Multiple small offices with either /28 or /27 networks.  They are publicly 
routable IPs due to requirements for a partner VPN.  The DHCP server is on the 
Juniper SSG FW.  It servers two pools, one for PCs, another for phones.  The PC 
subnet is publicly routable, the phone subnet is a non-routable 10.x subnet 
with matching ranges.  (12.x.x.x/27 and 10.x.x.x/27).  All DNS points to the 
home office.  Until recently these pointed strictly to our domain DNS servers.  
As part of the VPN requirement we have set up a second set of DNS servers which 
are used to resolve hosts in the partner's domains.  This is done with 
conditional forwarders.  Partner DNS traffic gets resolved by their servers, 
everything else goes to our domain DNS or the Internet as required.

This all works fine except in a single office.  Even in that office it worked 
fine for weeks and has suddenly started this "revert" behavior.  When the PCs 
change, they go back to pointing to our domain DNS which can't resolve the 
partner hosts.

My question becomes (sorry it took so long) how do we track what is actually 
changing the DNS settings?  I can tell when it happens fairly easily, but 
nothing in the event logs, etc., seems to indicate what triggered it, or what 
process is doing it.  It doesn't happen as part of a DHCP operation as best we 
can tell.


--------------------
Melvin Backus | Sr. Systems Analyst | Byers Engineering Company | 
404.497.1565<tel:404.497.1565>
Service Desk | 404-497-1599<tel:404-497-1599> | http://servicedesk.byers.com
--
There are 10 kinds of people in the world...
         those who understand binary and those who don't.



________________________________

CONFIDENTIALITY STATEMENT: The information transmitted, or contained or 
attached to or with this Notice is intended only for the person or entity to 
which it is addressed and may contain Protected Health Information (PHI), 
confidential and/or privileged material. Any review, transmission, 
dissemination, or other use of, and taking any action in reliance upon this 
information by persons or entities other than the intended recipient without 
the express written consent of the sender are prohibited. This information may 
be protected by the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and other Federal and Florida laws. Improper or unauthorized use or 
disclosure of this information could result in civil and/or criminal penalties.
Consider the environment. Please don't print this e-mail unless you really need 
to.