Network location profiles...I'm just sayin :) 2 minutes to delete and recreate, 30 minutes to wait for results.
On Thu, Apr 24, 2014 at 9:00 AM, Melvin Backus <[email protected]> wrote:

> We've considered that. We're going to swap the FW in a couple of weeks as part of something else, so that will eliminate that part, and as I said, we've got a temp solution, but we still need to figure out why this office does this and all the others work as expected. Obviously something's different, but we haven't found it yet. :)
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* John Cook
> *Sent:* Thursday, April 24, 2014 9:51 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: DNS server settings getting changed
>
> Well at this point I'd add DHCP to another server (if you have one available), configure it identically and disable it on the current server to eliminate some possibilities. I'm sure you have other fish to fry and that may just be the resolution.
>
> *John W. Cook*
> *Director of Network Operations*
> *Partnership For Strong Families*
> *5950 NW 1st Place*
> *Gainesville, Fl 32607*
> *Office (352) 244-1610*
> *Cell (352) 215-6944*
> *MCSE, MCP+I, MCTS,*
> *CompTIA A+, N+, Security +*
> *VSP4, VTSP4*
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Melvin Backus
> *Sent:* Thursday, April 24, 2014 9:41 AM
> *To:* [email protected]
> *Subject:* RE: [NTSysADM] RE: DNS server settings getting changed
>
> No reason I can think of. Even if they resolved, they wouldn't be accessible. While I did consider malware, the fact that it reverts to our internal servers, and that those were where things would have legitimately pointed 6 weeks ago, make me think it's more likely something else, but we've run out of ideas on what at this point, hence my query to the list.
>
> I try to never rule anything out until I can prove it's something else. It just gets moved down the list.
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Micheal Espinola Jr
> *Sent:* Thursday, April 24, 2014 9:25 AM
> *To:* ntsysadm
> *Subject:* Re: [NTSysADM] RE: DNS server settings getting changed
>
> That software would be per-client. It's a DNS hijacking trojan.
>
> It seems odd that these systems are getting your Domain DNS. Would those servers be providing resolution to systems that would otherwise not? Would someone want to use your Domain DNS over what you are configuring?
>
> --
> Espi
>
> On Thu, Apr 24, 2014 at 6:15 AM, Melvin Backus <[email protected]> wrote:
>
> No, it's changing back to our domain DNS. Just curious though, did that only affect the machine with the software or was it able to touch other machines across the network?
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Jimmy Tran
> *Sent:* Thursday, April 24, 2014 9:12 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: DNS server settings getting changed
>
> Had this problem happen to two different clients. Someone got some software called DNSchanger installed on the machines. It would change DNS to 8.8.8.8 and 8.8.4.4.
>
> Are those the IPs it's changing to?
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Melvin Backus
> *Sent:* Thursday, April 24, 2014 5:27 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] DNS server settings getting changed
>
> OK, this has been driving us nuts for a couple of days now.
>
> One of our remote sites is seeing seemingly random PCs change their DNS server settings. They're all configured to get them from the DHCP server, and it has the correct DNS servers. All the PCs do in fact get the correct settings when they get or renew an IP. That all seems to be working as we expect. But periodically we'll see a machine change the DNS servers to something else. This causes applications to start failing because the hosts they need no longer resolve. As soon as the PC renews its IP, whether automatically or manually, everything goes back to normal and stuff works again.
>
> We have a short term fix (force the DNS server settings manually instead of DHCP) but that doesn't explain what's going on, and since we're using this same setup in 20 offices it also begs the question of why just this office.
>
> Background:
>
> Multiple small offices with either /28 or /27 networks. They are publicly routable IPs due to requirements for a partner VPN. The DHCP server is on the Juniper SSG FW. It serves two pools, one for PCs, another for phones. The PC subnet is publicly routable, the phone subnet is a non-routable 10.x subnet with matching ranges (12.x.x.x/27 and 10.x.x.x/27). All DNS points to the home office. Until recently these pointed strictly to our domain DNS servers. As part of the VPN requirement we have set up a second set of DNS servers which are used to resolve hosts in the partner's domains. This is done with conditional forwarders. Partner DNS traffic gets resolved by their servers, everything else goes to our domain DNS or the Internet as required.
>
> This all works fine except in a single office. Even in that office it worked fine for weeks and has suddenly started this "revert" behavior. When the PCs change, they go back to pointing to our domain DNS which can't resolve the partner hosts.
>
> My question becomes (sorry it took so long) how do we track what is actually changing the DNS settings? I can tell when it happens fairly easily, but nothing in the event logs, etc., seems to indicate what triggered it, or what process is doing it. It doesn't happen as part of a DHCP operation as best we can tell.
>
> --------------------
> Melvin Backus | Sr. Systems Analyst | Byers Engineering Company | 404.497.1565
> Service Desk | 404-497-1599 | http://servicedesk.byers.com
>
> --
> There are 10 kinds of people in the world...
> those who understand binary and those who don't.
>
> ------------------------------
>
> CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties.
> Consider the environment. Please don't print this e-mail unless you really need to.
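The open question in the quoted thread is how to find out which process rewrites the DNS server list on the affected PCs. The following PowerShell script is an added example for that, not code from anyone in the thread: it snapshots each adapter's DNS servers at a fixed interval, logs every change against the list DHCP is supposed to deliver, and places a success-audit SACL on the per-interface TCP/IP registry key so that each write to it is recorded as Security event 4657, which carries the "Process Name" the thread could not find in the event logs. It assumes it is run as an elevated administrator on the client, and the `$ExpectedDns` values are constructed placeholders for the site's real internal DNS servers.

```powershell
# Added example, not from the thread: snapshot each adapter's DNS servers, log any
# change, and audit registry writes so Security event 4657 names the writing process.
# Assumptions: run as an elevated administrator on the affected client; $ExpectedDns
# is a constructed placeholder for the servers DHCP is supposed to hand out.

$ExpectedDns = @('10.0.0.10', '10.0.0.11')                          # placeholder values
$LogFile     = Join-Path $env:ProgramData 'dns-watch.log'
$IfacesKey   = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsSnapshot {
    # One record per IP-enabled adapter. DNSServerSearchOrder is what the resolver is
    # actually using; NameServer (manual) and DhcpNameServer (leased) come from the
    # per-interface registry key, which is where a change has to land to take effect.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $reg = Get-ItemProperty -Path "HKLM:\$IfacesKey\$($_.SettingID)" -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Adapter   = $_.Description
                Guid      = $_.SettingID
                DhcpOn    = $_.DHCPEnabled
                Dns       = @($_.DNSServerSearchOrder)
                RegStatic = [string]$reg.NameServer
                RegDhcp   = [string]$reg.DhcpNameServer
            }
        }
}

function Enable-DnsRegistryAudit {
    # Success-audit SetValue on the Interfaces key (inherited by every adapter subkey)
    # and switch on the Registry audit subcategory. Each later write to NameServer or
    # DhcpNameServer is then logged as Security event 4657, including "Process Name".
    & auditpol.exe /set /subcategory:"Registry" /success:enable | Out-Null
    $acl  = Get-Acl -Path "HKLM:\$IfacesKey" -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
                'Everyone', 'SetValue', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path "HKLM:\$IfacesKey" -AclObject $acl
}

function Get-RecentDnsWriteEvents([int]$Seconds) {
    # Pull the 4657 events from the last poll interval and keep only the lines that
    # identify the value written, the new value, and the process that wrote it.
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddSeconds(-$Seconds) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'NameServer' } |
        ForEach-Object {
            ($_.Message -split "`r?`n" |
                Where-Object { $_ -match 'Process Name|Object Value Name|New Value' } |
                ForEach-Object { $_.Trim() }) -join ' | '
        }
}

function Watch-DnsSettings([int]$IntervalSeconds = 60) {
    $previous = @{}
    while ($true) {
        foreach ($snap in Get-DnsSnapshot) {
            $current = $snap.Dns -join ','
            if ($previous[$snap.Guid] -ne $current) {
                # Flag any server that is not in the list DHCP should have delivered.
                $drift = @($snap.Dns | Where-Object { $ExpectedDns -notcontains $_ })
                $line  = '{0} {1} dhcp={2} using=[{3}] static=[{4}] leased=[{5}] unexpected=[{6}]' -f `
                         (Get-Date -Format s), $snap.Adapter, $snap.DhcpOn, $current,
                         $snap.RegStatic, $snap.RegDhcp, ($drift -join ',')
                Add-Content -Path $LogFile -Value $line
                Get-RecentDnsWriteEvents -Seconds $IntervalSeconds |
                    ForEach-Object { Add-Content -Path $LogFile -Value ('    4657: ' + $_) }
                $previous[$snap.Guid] = $current
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Enable-DnsRegistryAudit
Watch-DnsSettings -IntervalSeconds 60
```

The first pass records a baseline for every adapter, so the log starts with the known-good state. The poll only notices changes that persist for at least one interval, but the audit events are written at the moment of the change regardless of polling, so once 4657 appears in the Security log the "Process Name" line tells you whether the writer was the DHCP client service, a management agent, or something else; a non-empty `static=[...]` field on a DHCP-enabled adapter shows a manual override that takes precedence over the leased list.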

