I would at least run rsop.msc on one of the affected machines to make sure,
as this still sounds to me like a possibility.


On Thu, Apr 24, 2014 at 10:32 AM, Andrew S. Baker <[email protected]> wrote:

> The other place to check, since you pointed out that it's pointing to your
> own DNS server, is Group Policy.
>
> Those servers may be in a group or OU affected by an explicit push of DNS
> server info.
>
> Regards,
>
> ASB  http://XeeMe.com/AndrewBaker
> Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market...
>
> On Thu, Apr 24, 2014 at 9:41 AM, Melvin Backus <[email protected]> wrote:
>
>>  No reason I can think of.  Even if they resolved, they wouldn't be
>> accessible.  While I did consider malware, the fact that it reverts to our
>> internal servers, and that those were where things would have legitimately
>> pointed 6 weeks ago, make me think it's more likely something else, but
>> we've run out of ideas on what at this point, hence my query to the list.
>> I try to never rule anything out until I can prove it's something else.  It
>> just gets moved down the list.
>>
>> --
>> There are 10 kinds of people in the world...
>>          those who understand binary and those who don't.
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
>> Sent: Thursday, April 24, 2014 9:25 AM
>> To: ntsysadm
>> Subject: Re: [NTSysADM] RE: DNS server settings getting changed
>>
>> That software would be per-client.  It's a DNS hijacking trojan.
>>
>> It seems odd that these systems are getting your Domain DNS.  Would those
>> servers be providing resolution to systems that would otherwise not?  Would
>> someone want to use your Domain DNS over what you are configuring?
>>
>>   --
>> Espi
>>
>> On Thu, Apr 24, 2014 at 6:15 AM, Melvin Backus <[email protected]>
>> wrote:
>>
>> No, it's changing back to our domain DNS.  Just curious though, did that
>> only affect the machine with the software or was it able to touch other
>> machines across the network?
>>
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
>> Sent: Thursday, April 24, 2014 9:12 AM
>> To: [email protected]
>> Subject: [NTSysADM] RE: DNS server settings getting changed
>>
>> Had this problem happen to two different clients.  Someone got some
>> software called DNSchanger installed on the machines.  It would change DNS
>> to 8.8.8.8 and 8.8.4.4.
>>
>> Are those the IPs it's changing to?
>>
>> From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus
>> Sent: Thursday, April 24, 2014 5:27 AM
>> To: [email protected]
>> Subject: [NTSysADM] DNS server settings getting changed
>>
>> OK, this has been driving us nuts for a couple of days now.
>>
>> One of our remote sites is seeing seemingly random PCs change their DNS
>> server settings.  They're all configured to get them from the DHCP server,
>> and it has the correct DNS servers.  All the PCs do in fact get the correct
>> settings when they get or renew an IP.  That all seems to be working as we
>> expect.  But periodically we'll see a machine change the DNS servers to
>> something else.  This causes applications to start failing because the
>> hosts they need no longer resolve.  As soon as the PC renews its IP,
>> whether automatically or manually, everything goes back to normal and stuff
>> works again.
>>
>> We have a short term fix (force the DNS server settings manually instead
>> of DHCP) but that doesn't explain what's going on, and since we're using
>> this same setup in 20 offices it also begs the question of why just this
>> office.
>>
>> Background:
>>
>> Multiple small offices with either /28 or /27 networks.  They are
>> publicly routable IPs due to requirements for a partner VPN.  The DHCP
>> server is on the Juniper SSG FW.  It serves two pools, one for PCs,
>> another for phones.  The PC subnet is publicly routable, the phone subnet
>> is a non-routable 10.x subnet with matching ranges.  (12.x.x.x/27 and
>> 10.x.x.x/27).  All DNS points to the home office.  Until recently these
>> pointed strictly to our domain DNS servers.  As part of the VPN requirement
>> we have set up a second set of DNS servers which are used to resolve hosts
>> in the partner's domains.  This is done with conditional forwarders.
>> Partner DNS traffic gets resolved by their servers, everything else goes to
>> our domain DNS or the Internet as required.
>>
>> This all works fine except in a single office.  Even in that office it
>> worked fine for weeks and has suddenly started this "revert" behavior.
>> When the PCs change, they go back to pointing to our domain DNS which can't
>> resolve the partner hosts.
>>
>> My question becomes (sorry it took so long) how do we track what is
>> actually changing the DNS settings?  I can tell when it happens fairly
>> easily, but nothing in the event logs, etc., seems to indicate what
>> triggered it, or what process is doing it.  It doesn't happen as part of a
>> DHCP operation as best we can tell.
>>
>> --------------------
>> Melvin Backus | Sr. Systems Analyst | Byers Engineering Company |
>> 404.497.1565
>>
>> Service Desk | 404-497-1599 | http://servicedesk.byers.com
>>
>>
>


-- 

Charlie Sullivan
Sr. Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318
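The thread's open question is how to find out which process is rewriting the DNS server list on an affected client, with rsop.msc and Group Policy suggested as the first thing to check. The following PowerShell is an added example, not code from anyone in the thread: it reads the same registry locations rsop.msc and the DHCP client populate, then puts a SACL on the TCP/IP interface keys so the next change is logged as Security event 4657 together with the writing process. The registry paths, the audit subcategory and the 4657 field names are standard Windows; the function names are mine, and the script assumes Windows 7 / Server 2008 R2 or later, PowerShell 3.0 or later, and an elevated session on one of the affected machines.

```powershell
# Added example (not from the thread). Two steps on one affected client:
# 1) show where the current DNS server list comes from (policy, DHCP, static),
# 2) audit SetValue on the TCP/IP interface keys so the next change is logged
#    as Security event 4657, which names the process that wrote the value.
# Assumes Windows 7 / Server 2008 R2+, PowerShell 3.0+, elevated session.
# Interface GUIDs and event contents are machine-specific.

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Get-DnsSourceReport {
    # A Group Policy "DNS Servers" setting lands in this key and overrides both
    # DHCP-supplied and static lists (the registry view of what rsop.msc shows).
    if (Test-Path $polKey) {
        $pol = Get-ItemProperty -Path $polKey
        if ($pol.NameServer) {
            Write-Output "Policy-pushed DNS servers: $($pol.NameServer)"
        }
    }
    # Per interface: DhcpNameServer is what the lease handed out, NameServer is
    # a static list. A DHCP-enabled interface whose NameServer is populated means
    # some process wrote a static list after the lease was obtained.
    Get-ChildItem -Path $ifRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.EnableDHCP -eq 1 -and $p.NameServer) {
            [pscustomobject]@{
                Interface      = $_.PSChildName
                DhcpNameServer = $p.DhcpNameServer
                StaticOverride = $p.NameServer
            }
        }
    }
}

function Enable-DnsRegistryAudit {
    # Enable the Object Access > Registry audit subcategory (name is localized on
    # non-English Windows), then add a SACL entry on the Interfaces key so every
    # successful SetValue by any principal (S-1-1-0, Everyone) is logged as 4657.
    auditpol /set /subcategory:"Registry" /success:enable | Out-Null
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )
    $acl = Get-Acl -Path $ifRoot -Audit      # -Audit reads the SACL (needs SeSecurityPrivilege)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $ifRoot -AclObject $acl
}

function Get-DnsRegistryChanges {
    param([int]$MaxEvents = 200)
    # Pull 4657 (registry value modified) events that touched the Interfaces keys
    # and flatten EventData so process, value name and old/new data line up.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.ObjectName -match 'Tcpip\\Parameters\\Interfaces') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Process = $d.ProcessName
                    Pid     = $d.ProcessId
                    Key     = $d.ObjectName
                    Value   = $d.ObjectValueName
                    Old     = $d.OldValue
                    New     = $d.NewValue
                }
            }
        }
}

# Usage on an affected client:
Get-DnsSourceReport
Enable-DnsRegistryAudit
# ... wait for the symptom to recur, then:
Get-DnsRegistryChanges | Format-Table -AutoSize
```

Two caveats when reading the 4657 output. The process it names is the one that touched the registry, so a change made through netsh, WMI or a Group Policy refresh will usually show up as svchost.exe; pair it with Process Creation auditing (event 4688) or a Process Monitor trace started around the time the value changes to see who asked the service to do it. And the audit rule is on a key that every lease renewal also writes, so expect some benign svchost.exe entries for DhcpNameServer; the interesting ones are writes to NameServer, or writes by anything that is not a service. Remove the SACL once the culprit is found.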
