You're now left with wireshark and/or Process Monitor for troubleshooting.





*ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
*Providing Virtual CIO Services (IT Operations & Information Security) for
the SMB market...*




On Thu, Apr 24, 2014 at 11:19 AM, Melvin Backus <[email protected]> wrote:

>  I was actually already doing that, just in case.  No joy.  Supported by
> the fact that gpupdate /force doesn't induce the problem.
>
>
>
> --
> There are 10 kinds of people in the world...
>          those who understand binary and those who don't.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Charles F Sullivan
> *Sent:* Thursday, April 24, 2014 11:12 AM
> *To:* [email protected]
>
> *Subject:* Re: [NTSysADM] RE: DNS server settings getting changed
>
>
>
> I would at least run rsop.msc on one of the affected machines to make
> sure, as this still sounds to me like a possibility.
>
>
>
> On Thu, Apr 24, 2014 at 10:32 AM, Andrew S. Baker <[email protected]>
> wrote:
>
> The other place to check, since you pointed out that it's pointing to your
> own DNS server, is Group Policy.
>
> Those servers may be in a group or OU affected by an explicit push of DNS
> server info.
>
> Regards,
>
>
>
>
>
>
>
> *ASB **http://XeeMe.com/AndrewBaker* <http://xeeme.com/AndrewBaker>
> *Providing Virtual CIO Services (IT Operations & Information Security) for
> the SMB market...*
>
>
>
>
>
> On Thu, Apr 24, 2014 at 9:41 AM, Melvin Backus <[email protected]>
> wrote:
>
> No reason I can think of.  Even if they resolved, they wouldn't be
> accessible.  While I did consider malware, the fact that it reverts to our
> internal servers, and that those were where things would have legitimately
> pointed 6 weeks ago, make me think it's more likely something else, but
> we've run out of ideas on what at this point, hence my query to the list.
> I try to never rule anything out until I can prove it's something else.  It
> just gets moved down the list.
>
>
>
> --
> There are 10 kinds of people in the world...
>          those who understand binary and those who don't.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Micheal Espinola Jr
> *Sent:* Thursday, April 24, 2014 9:25 AM
> *To:* ntsysadm
> *Subject:* Re: [NTSysADM] RE: DNS server settings getting changed
>
>
>
> That software would be per-client.  It's a DNS hijacking trojan.
>
> It seems odd that these systems are getting your Domain DNS.  Would those
> servers be providing resolution to systems that would otherwise not?  Would
> someone want to use your Domain DNS over what you are configuring?
>
>
>   --
> Espi
>
>
>
>
>
> On Thu, Apr 24, 2014 at 6:15 AM, Melvin Backus <[email protected]>
> wrote:
>
> No, it's changing back to our domain DNS.  Just curious though, did that
> only affect the machine with the software or was it able to touch other
> machines across the network?
>
>
>
>
>
> --
>
> There are 10 kinds of people in the world...
>          those who understand binary and those who don't.
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Jimmy Tran
>
>
> *Sent:* Thursday, April 24, 2014 9:12 AM
> *To:* [email protected]
> *Subject:* [NTSysADM] RE: DNS server settings getting changed
>
>
>
> Had this problem happen to two different clients.  On the machines, someone
> got some software called DNSchanger installed.  It would change DNS to
> 8.8.8.8 and 8.8.4.4.
>
>
>
> Are those the IPs it's changing to?
>
>
>
> *From:* [email protected] [
> mailto:[email protected] <[email protected]>] *On
> Behalf Of *Melvin Backus
>
>
> *Sent:* Thursday, April 24, 2014 5:27 AM
> *To:* [email protected]
>
> *Subject:* [NTSysADM] DNS server settings getting changed
>
>
>
> OK, this has been driving us nuts for a couple of days now.
>
>
>
> One of our remote sites is seeing seemingly random PCs change their DNS
> server settings.  They're all configured to get them from the DHCP server,
> and it has the correct DNS servers.  All the PCs do in fact get the correct
> settings when they get or renew an IP.  That all seems to be working as we
> expect.  But periodically we'll see a machine change the DNS servers to
> something else.  This causes applications to start failing because the
> hosts they need no longer resolve.  As soon as the PC renews its IP,
> whether automatically or manually, everything goes back to normal and stuff
> works again.
>
>
>
> We have a short term fix (force the DNS server settings manually instead
> of DHCP) but that doesn't explain what's going on, and since we're using
> this same setup in 20 offices it also begs the question of why just this
> office.
>
>
>
> Background:
>
> Multiple small offices with either /28 or /27 networks.  They are publicly
> routable IPs due to requirements for a partner VPN.  The DHCP server is on
> the Juniper SSG FW.  It serves two pools, one for PCs, another for
> phones.  The PC subnet is publicly routable, the phone subnet is a
> non-routable 10.x subnet with matching ranges.  (12.x.x.x/27 and
> 10.x.x.x/27).  All DNS points to the home office.  Until recently these
> pointed strictly to our domain DNS servers.  As part of the VPN requirement
> we have set up a second set of DNS servers which are used to resolve hosts
> in the partner's domains.  This is done with conditional forwarders.
> Partner DNS traffic gets resolved by their servers, everything else goes to
> our domain DNS or the Internet as required.
>
>
>
> This all works fine except in a single office.  Even in that office it
> worked fine for weeks and has suddenly started this "revert" behavior.
> When the PCs change, they go back to pointing to our domain DNS which can't
> resolve the partner hosts.
>
>
>
> My question becomes (sorry it took so long) how do we track what is
> actually changing the DNS settings?  I can tell when it happens fairly
> easily, but nothing in the event logs, etc., seems to indicate what
> triggered it, or what process is doing it.  It doesn't happen as part of a
> DHCP operation as best we can tell.
>
>
>
>
>
> --------------------
> Melvin Backus | Sr. Systems Analyst | Byers Engineering Company |
> 404.497.1565
>
> Service Desk | 404-497-1599 | http://servicedesk.byers.com
>
> --
> There are 10 kinds of people in the world...
>          those who understand binary and those who don't.
>
>
>
>
>
>
>
>
>
>
>
> --
>
> Charlie Sullivan
>
> Sr. Windows Systems Administrator
>
> Boston College
>
> 197 Foster St. Room 367
>
> Brighton, MA 02135
>
> 617-552-4318
>
