Interesting DNS/DHCP problem..

dawks

So we have a DHCP server set up to hand out client IP config information, and it's working fine.

We have two subnets set up, one in the local building and one in a remote location, with a DHCP server in both locations. The local clients are supposed to connect to our local DHCP server and get their configuration information from it. All of them do connect and get their config info from the correct server, our local one. But some of them get the incorrect DNS settings. Their ipconfig /all shows the correct IP address, correct gateway, and correct WINS, but their DNS addresses are completely incorrect. They are IPs of boxes on the other subnet that I'm not even sure are DNS servers, not to mention the systems cannot contact those IPs because they aren't routable through the gateway they are configured to use.

The systems get these incorrect DNS servers on first boot and occasionally when they automatically renew their leases. A network adapter repair usually fixes the problem.

Cliffs:
1) Two subnets, each with DHCP server
2) Clients on one subnet contact their appropriate DHCP server, get proper settings except DNS
3) Network does not function properly due to incorrect DNS settings..

For now I have manually configured DNS, but I'd like to figure out the issue.
 

ebaycj

Sounds like you may have a rogue DHCP server. Find it and kill it.

Or you may have DHCP relaying turned on in your router, possibly allowing them to grab addresses from the remote DHCP server.
 

dawks

Originally posted by: ebaycj
Sounds like you may have a rogue DHCP server. Find it and kill it.

Or you may have DHCP relaying turned on in your router, possibly allowing them to grab addresses from the remote DHCP server.


It is a possibility.. Within our local building we have two switches, and the problem somewhat seems to be isolated to one of the two switches..

But the thing is, ALL the systems are reporting the correct DHCP server (the local one) in their settings.. and are getting the proper IP/Gateway. It's JUST the DNS values that are b0rked.
 

nweaver

I would check for ip-helper in the switch config, and I would also fire up a sniffer and watch a few clients release/renew IPs. Check for mangled packets and check the MAC address to verify the box.
 

mobilecommand

I would make sure that the PC you are working on does not have the DNS server static in its IP settings.. Also, if you do an ipconfig /all, make sure the IP address for the DHCP server is the IP address of your server, not someone else's.. If it is, try to telnet, web or nbtstat -A 192.168.x.x the address of the device and try to figure out what it is..
 

dawks

Well, I just saw it happen to my system.. It was working fine before lunch, came back two hours later, and my music was still streaming, indicating that my IP address hadn't changed or dropped for more than a few seconds.. but I couldn't get to any webpages. The DNS configuration had changed from the proper three to three completely different IPs that are not even DNS servers..

The leases are 4 days long, but I'm not sure I was 50% through the lease, so it shouldn't have been attempting to renew it.. but it's a possibility I guess.
 

nweaver

DHCP attempts to renew at half-life, and if it fails, it tries again at 75% life.
 

djdrastic

please show us a copy of a correct system via ipconfig /all

and

show us a copy of an incorrect system via ipconfig /all

Please alter where necessary, to protect your network
 

dawks

Originally posted by: djdrastic
please show us a copy of a correct system via ipconfig /all

and

show us a copy of an incorrect system via ipconfig /all

Please alter where necessary, to protect your network

Incorrect Configuration:

Dhcp Enabled. . . . . . . . . . . . . .: Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . . . . .: 172.25.200.101
Subnet Mask . . . . . . . . . . . . . .: 255.255.255.0
Default Gateway . . . . . . . . . . .: 172.25.200.4
DHCP Server . . . . . . . . . . . . . : 172.25.200.26
DNS Servers . . . . . . . . . . . : 172.25.0.35
172.25.64.40
172.25.128.28
Primary WINS Server . . . . . . . .: 172.25.200.26
Secondary WINS Server . . . . . .: 10.150.1.30
Lease Obtained. . . . . . . . . . . . .: Wednesday, June 08, 2005 2:58:27 PM
Lease Expires . . . . . . . . . . . . . .: Sunday, June 12, 2005 2:58:27 PM


Correct Configuration:

Dhcp Enabled. . . . . . . . . . . . . .: Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . . . . .: 172.25.200.101
Subnet Mask . . . . . . . . . . . . . .: 255.255.255.0
Default Gateway . . . . . . . . . . . : 172.25.200.4
DHCP Server . . . . . . . . . . . . . .: 172.25.200.26
DNS Servers . . . . . . . . . . . . . .: 172.25.200.26
64.59.xxx.xxx
64.59.xxx.xxx
Primary WINS Server . . . . . . . . : 172.25.200.26
Secondary WINS Server . . . . . . : 10.150.1.30
Lease Obtained. . . . . . . . . . . . . : Thursday, June 09, 2005 8:14:22 AM
Lease Expires . . . . . . . . . . . . . .: Monday, June 13, 2005 8:14:22 AM

Note the DNS servers.. The 172.25.200.26, and the two 64.59.xxx.xxx are correct.
 

Rapidskies

You might try just recreating the DHCP scope on the server. It would be the easiest troubleshooting step to do and perhaps the DHCP server is having issues.
 

djdrastic

Make sure you haven't specified any "global" scope options that would override the settings that are in the scope.

Try and restart the DHCP service

Make sure you don't have any global scope options in there that override your DHCP scope address

Get a packet sniffer to make DEAD sure you don't have some pwn3d box in there

You might have to delete your current scope and re-create it

Do those incorrect DNS servers maybe relate to important hosts in your network? Aka other DNS servers etc., or retired DNS servers?

As a last resort try netsh dhcp dump > dhcpcfg.txt and post the text file info to the forums. You might want to edit certain parts of the file to protect your own internal network

Sorry I couldn't really give you a straight out answer
 

spyordie007

If you have a maintenance window to troubleshoot, something that might be worthwhile would be to stop the DHCP service on your DHCP server so you can ensure that there isn't a rogue DHCP server out there. Once you've verified that you have the only DHCP server, then I would proceed with some of the above suggestions for troubleshooting issues with your DHCP server.

Just a side question: why do you have your clients pointing at 64.59.xxx.xxx DNS servers? Assuming this is Active Directory, the clients should only be pointing to your internal DNS server(s); pointing them to external DNS servers can be problematic.
 

dawks

Originally posted by: spyordie007
Just a side question: why do you have your clients pointing at 64.59.xxx.xxx DNS servers? Assuming this is Active Directory, the clients should only be pointing to your internal DNS server(s); pointing them to external DNS servers can be problematic.

I'm just in here for the summer and that's how they had it set up. I've gotten our local DNS server to do forwarding to those external DNS servers, but I have yet to switch the DHCP settings.. I want to ensure it's working properly first.

Originally posted by: djdrastic
Make sure you haven't specified any "global" scope options that would override the settings that are in the scope.

Try and restart the DHCP service

Make sure you don't have any global scope options in there that override your DHCP scope address

Get a packet sniffer to make DEAD sure you don't have some pwn3d box in there

You might have to delete your current scope and re-create it

Do those incorrect DNS servers maybe relate to important hosts in your network? Aka other DNS servers etc., or retired DNS servers?

As a last resort try netsh dhcp dump > dhcpcfg.txt and post the text file info to the forums. You might want to edit certain parts of the file to protect your own internal network

Sorry I couldn't really give you a straight out answer

Service has been restarted...
I've checked and rechecked the DHCP server settings...
Packet sniffer? Ethereal? I haven't dabbled much in this area.. What would I be looking for? Can the packet sniffer say "this is a DHCP packet"?

Want to avoid deleting/recreating scope.. Though I might be able to try installing it on our new server (2003 - current one is 2000).

I'm not sure what those 'incorrect' servers are.. They aren't on our subnet or in our office.. but they are part of our parent company's WAN.. A higher up sysadmin hasn't gotten back to us yet.

Just a note: It happened again, and I did a netstat -a and no odd or out of place IPs showed up, so I am assuming the computer is not communicating with a rogue? Perhaps it is incorrect settings or something similar on the DHCP server?
 

djdrastic

In the packet sniffer, look at the MAC addresses of the DHCP server

It does sound like some or other server misconfiguration though
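
Added example, not part of any post in this thread: a Python sketch of the sniffer check suggested above, which parses captured DHCP replies and compares the sender's MAC, the server identifier (option 54) and the DNS servers (option 6) with what the local server should hand out. The function names, the MAC addresses and the packets produced by build_reply are constructed for illustration; the IP addresses are taken from the ipconfig output posted earlier.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {2: "OFFER", 5: "ACK"}     # option 53 values for the server replies that carry a lease

def parse_reply(payload):
    """Parse a UDP port 67/68 payload; return None unless it is a DHCP OFFER or ACK."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                # op 2 = BOOTREPLY (server to client)
    r = {"type": None, "yiaddr": socket.inet_ntoa(payload[16:20]), "server_id": None, "dns": []}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                             # Pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                         # truncated option: stop parsing
            break
        if code == 53 and length == 1:                  # DHCP message type
            r["type"] = TYPES.get(value[0])
        elif code == 54 and length == 4:                # server identifier
            r["server_id"] = socket.inet_ntoa(value)
        elif code == 6:                                 # DNS servers, 4 bytes each
            r["dns"] = [socket.inet_ntoa(value[j:j + 4]) for j in range(0, length - 3, 4)]
        i += 2 + length
    return r if r["type"] else None

def audit(src_mac, payload, known_macs, known_servers, expected_dns):
    """Return findings for one captured reply; known_macs must be lowercase."""
    r = parse_reply(payload)
    if r is None:
        return []
    findings = []
    if src_mac.lower() not in known_macs:
        findings.append("source MAC is not a known DHCP server or relay")
    if r["server_id"] not in known_servers:
        findings.append("unexpected server identifier " + str(r["server_id"]))
    bad = [d for d in r["dns"] if d not in expected_dns]
    if bad:
        findings.append("unexpected DNS servers " + ", ".join(bad))
    return findings

def build_reply(msg_type, yiaddr, server_id, dns):
    """Constructed sample packet for trying the parser, not a capture from the thread."""
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id)
    opts += bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns) + b"\xff"
    return bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(yiaddr) + bytes(216) + MAGIC + opts
```

A reply that names 172.25.200.26 as its server identifier but arrives from an unfamiliar MAC suggests a relay or a second responder on the segment, while the same DNS finding from the server's own MAC points back at its scope or server options.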