I can't rule that out yet, but it doesn't act like it. There are about 20
machines in that office and they happen at random times, sometimes hours apart,
but if the DHCP refresh is long enough (it was set to 1 day) they end up with
most / all of them getting affected.
Anyway, the good news is I've identified the svchost thread doing the update.
The bad news is that of the 38 processes using svchost, 26 of them are using
this instance. :(
Hey, but at least we're moving forward.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
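Once Process Monitor has named the svchost instance, the remaining question in this thread is which of the services sharing that PID is the writer, and when exactly the per-interface DNS values flip. The PowerShell below is an added example, not code from anyone in the thread: it maps a suspect svchost PID (assumed to be the one Process Monitor reported) to the services it hosts, then polls the Tcpip per-interface NameServer and DhcpNameServer registry values so each change is timestamped and can be lined up with service activity, scheduled tasks or DHCP events.

```powershell
# Added example (not from the thread). Run elevated on an affected PC.
param(
    [int]$SvchostPid = 0,   # assumption: the PID Process Monitor/regmon reported
    [int]$PollSeconds = 5
)

function Get-HostedServices {
    param([int]$ProcessId)
    # Win32_Service.ProcessId maps each service back to its hosting svchost,
    # which is how the services sharing one instance are told apart.
    Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId" |
        Select-Object Name, DisplayName, StartMode, State
}

function Get-NameServerSnapshot {
    # Static (NameServer) and DHCP-assigned (DhcpNameServer) DNS servers live
    # under the per-interface Tcpip keys; a "revert" shows up here first.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    $snap = @{}
    Get-ChildItem $base | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $snap[$_.PSChildName] = [pscustomobject]@{
            Static = [string]$p.NameServer
            Dhcp   = [string]$p.DhcpNameServer
        }
    }
    return $snap
}

if ($SvchostPid) {
    Write-Host "Services hosted by svchost PID ${SvchostPid}:"
    Get-HostedServices -ProcessId $SvchostPid | Format-Table -AutoSize
}

$last = Get-NameServerSnapshot
Write-Host "Watching DNS server values every $PollSeconds s (Ctrl+C to stop)"
while ($true) {
    Start-Sleep -Seconds $PollSeconds
    $now = Get-NameServerSnapshot
    foreach ($guid in $now.Keys) {
        $old = $last[$guid]; $new = $now[$guid]
        if ($old -and ($old.Static -ne $new.Static -or $old.Dhcp -ne $new.Dhcp)) {
            $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Write-Host "$stamp $guid NameServer '$($old.Static)' -> '$($new.Static)'; DhcpNameServer '$($old.Dhcp)' -> '$($new.Dhcp)'"
            # Re-list the suspect PID's services at the moment of change so a
            # service that just started or restarted stands out.
            if ($SvchostPid) { Get-HostedServices -ProcessId $SvchostPid | Format-Table -AutoSize }
        }
    }
    $last = $now
}
```

The timestamp of each flip is the value to compare against the Task Scheduler history and the System event log on that machine.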
From: [email protected] [mailto:[email protected]] On Behalf Of Rankin, James R
Sent: Thursday, April 24, 2014 12:38 PM
To: [email protected]
Subject: Re: [NTSysADM] RE: DNS server settings getting changed
Could it be some sort of Scheduled Task causing this?
(Late to the party)
Sent from my (new!) BlackBerry, which may make me an antiques dealer, but it's
reliable as hell for email delivery :-)
From: Melvin Backus <[email protected]>
Sender: [email protected]
Date: Thu, 24 Apr 2014 16:34:33 +0000
To: [email protected]
ReplyTo: [email protected]
Subject: RE: [NTSysADM] RE: DNS server settings getting changed
OK, regmon says it's svchost, so now I've just got to track down which service
that instance is handling, and hope it isn't more than one. :)
From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Thursday, April 24, 2014 12:24 PM
To: ntsysadm
Subject: Re: [NTSysADM] RE: DNS server settings getting changed
You're now left with wireshark and/or Process Monitor for troubleshooting.
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the
SMB market...
On Thu, Apr 24, 2014 at 11:19 AM, Melvin Backus <[email protected]> wrote:
I was actually already doing that, just in case. No joy. Supported by the
fact that gpupdate /force doesn't induce the problem.
From: [email protected] [mailto:[email protected]] On Behalf Of Charles F Sullivan
Sent: Thursday, April 24, 2014 11:12 AM
To: [email protected]
Subject: Re: [NTSysADM] RE: DNS server settings getting changed
I would at least run rsop.msc on one of the affected machines to make sure, as
this still sounds to me like a possibility.
On Thu, Apr 24, 2014 at 10:32 AM, Andrew S. Baker <[email protected]> wrote:
The other place to check, since you pointed out that it's pointing to your own
DNS server, is Group Policy.
Those servers may be in a group or OU affected by an explicit push of DNS
server info.
Regards,
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the
SMB market...
On Thu, Apr 24, 2014 at 9:41 AM, Melvin Backus <[email protected]> wrote:
No reason I can think of. Even if they resolved, they wouldn't be accessible.
While I did consider malware, the fact that it reverts to our internal servers,
and that those were where things would have legitimately pointed 6 weeks ago,
make me think it's more likely something else, but we've run out of ideas on
what at this point, hence my query to the list. I try to never rule anything
out until I can prove it's something else. It just gets moved down the list.
From: [email protected] [mailto:[email protected]] On Behalf Of Micheal Espinola Jr
Sent: Thursday, April 24, 2014 9:25 AM
To: ntsysadm
Subject: Re: [NTSysADM] RE: DNS server settings getting changed
That software would be per-client. It's a DNS hijacking trojan.
It seems odd that these systems are getting your Domain DNS. Would those
servers be providing resolution to systems that would otherwise not? Would
someone want to use your Domain DNS over what you are configuring?
--
Espi
On Thu, Apr 24, 2014 at 6:15 AM, Melvin Backus <[email protected]> wrote:
No, it's changing back to our domain DNS. Just curious though, did that only
affect the machine with the software or was it able to touch other machines
across the network?
From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Thursday, April 24, 2014 9:12 AM
To: [email protected]
Subject: [NTSysADM] RE: DNS server settings getting changed
Had this problem happen to two different clients. Someone got some software
called DNSchanger installed on the machines. It would change DNS to 8.8.8.8 and
8.8.4.4.
Are those the IPs it's changing to?
From: [email protected] [mailto:[email protected]] On Behalf Of Melvin Backus
Sent: Thursday, April 24, 2014 5:27 AM
To: [email protected]
Subject: [NTSysADM] DNS server settings getting changed
OK, this has been driving us nuts for a couple of days now.
One of our remote sites is seeing seemingly random PCs change their DNS server
settings. They're all configured to get them from the DHCP server, and it has
the correct DNS servers. All the PCs do in fact get the correct settings when
they get or renew an IP. That all seems to be working as we expect. But
periodically we'll see a machine change the DNS servers to something else.
This causes applications to start failing because the hosts they need no longer
resolve. As soon as the PC renews its IP, whether automatically or manually,
everything goes back to normal and stuff works again.
We have a short term fix (force the DNS server settings manually instead of
DHCP) but that doesn't explain what's going on, and since we're using this same
setup in 20 offices it also begs the question of why just this office.
Background:
Multiple small offices with either /28 or /27 networks. They are publicly
routable IPs due to requirements for a partner VPN. The DHCP server is on the
Juniper SSG FW. It serves two pools, one for PCs, another for phones. The PC
subnet is publicly routable, the phone subnet is a non-routable 10.x subnet
with matching ranges. (12.x.x.x/27 and 10.x.x.x/27). All DNS points to the
home office. Until recently these pointed strictly to our domain DNS servers.
As part of the VPN requirement we have set up a second set of DNS servers which
are used to resolve hosts in the partner's domains. This is done with
conditional forwarders. Partner DNS traffic gets resolved by their servers,
everything else goes to our domain DNS or the Internet as required.
This all works fine except in a single office. Even in that office it worked
fine for weeks and has suddenly started this "revert" behavior. When the PCs
change, they go back to pointing to our domain DNS which can't resolve the
partner hosts.
My question becomes (sorry it took so long) how do we track what is actually
changing the DNS settings? I can tell when it happens fairly easily, but
nothing in the event logs, etc., seems to indicate what triggered it, or what
process is doing it. It doesn't happen as part of a DHCP operation as best we
can tell.
--------------------
Melvin Backus | Sr. Systems Analyst | Byers Engineering Company | 404.497.1565
Service Desk | 404-497-1599 | http://servicedesk.byers.com
--
Charlie Sullivan
Sr. Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318