Networking Forums

DHCP clients losing DNS entries

 
 
Christopher A. Newell

 
      09-06-2007, 03:32 PM
Random (apparently) DHCP clients on my network are losing their DNS entries.
The users report what turn out to be connectivity problems with name based
hosts (raw IP related ones obviously resolve just fine.)

IPCONFIG ends up revealing a single DNS server entry which is not on my
network. I have had several different values, but they all fall in the
16x.X.X.X format. (Today's most recent one was 168.95.1.1)

The user PCs are able to reconnect temporarily by executing ipconfig /renew
(or re-starting the system.)

This is 2003 Server, SP2 (although searching back in my memory, I seem to
recall similar incidents with SP 1 and native 2k3 Server.) Standard DHCP
server modules, typical configuration. There are 4 DNS servers in the
information handed out in the lease.

C. Newell
Shiawassee County, MI

Mathieu CHATEAU

 
      09-06-2007, 04:24 PM
Hello,

This DNS IP is assigned to:
(HiNet) Chunghwa Telecom Co., Ltd.

And it's a working public DNS server.
It may be:
-another network node that also distributes DHCP leases (router/firewall)
-a previous DHCP lease that the user got from home ADSL
Is there any WiFi activated on the station?

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Christopher A. Newell" <(E-Mail Removed)> wrote in message
news:e25n%(E-Mail Removed)...
> Random (apparently) DHCP clients on my network are losing their DNS
> entries. The users report what turn out to be connectivity problems with
> name based hosts (raw IP related ones obviously resolve just fine.)
>
> IPCONFIG ends up revealing a single DNS server entry which is not on my
> network. I have had several different values, but they all fall in the
> 16x.X.X.X format. (Today's most recent one was 168.95.1.1)
>
> The user PCs are able to reconnect temporarily by executing ipconfig
> /renew (or re-starting the system.)
>
> This is 2003 Server, SP2 (although searching back in my memory, I seem to
> recall similar incidents with SP 1 and native 2k3 Server.) Standard DHCP
> server modules, typical configuration. There are 4 DNS servers in the
> information handed out in the lease.
>
> C. Newell
> Shiawassee County, MI
>
Christopher A. Newell

 
      09-06-2007, 07:08 PM
This is a medium sized enterprise network. I am very comfortable saying
that there is not another device on the segment which should be providing
conflicting DHCP (although I will not say NEVER.)

The affected PCs are fixed desktop units, so an old lease from a different
network is not likely. They are all wired ethernet. (I have a small number
of WiFi notebooks in use but they actually don't seem to be a problem. On
the other hand, this is so intermittent and they are such a small portion of
the total network that I just may not be hearing about it.)

The systems are obtaining a valid, complete configuration when they boot and
are then losing JUST the DNS entries (which is darned inconvenient as it
affects Internet, Active Directory, Exchange/Outlook, just about
everything.) After the systems lose connectivity, it can be restored by
executing "ipconfig /renew".

RECAP: This is after the system is up and running correctly. The users are
reporting a loss of most network connectivity. "ipconfig /all" shows all of
the entries correct as assigned by DHCP - EXCEPT the DNS, which has changed
from multiple servers within our network to a single IP which does not
appear to have any relationship to our network, usually a 168.x.x.x or
169.x.x.x. This has happened intermittently on multiple PCs running Windows
XP Pro (SP1 AND SP2) with DHCP provided by a Windows 2003 Server (DHCP
having been provided at different times by different physical servers at
both 2k3 SP1 and SP2.)

"Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> This DNS IP is assigned to:
> (HiNet) Chunghwa Telecom Co., Ltd.
>
> And it's a working public DNS server.
> It may be:
> -another network node that also distributes DHCP leases (router/firewall)
> -a previous DHCP lease that the user got from home ADSL
> Is there any WiFi activated on the station?
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
> news:e25n%(E-Mail Removed)...
>> Random (apparently) DHCP clients on my network are losing their DNS
>> entries. The users report what turn out to be connectivity problems with
>> name based hosts (raw IP related ones obviously resolve just fine.)
>>
>> IPCONFIG ends up revealing a single DNS server entry which is not on my
>> network. I have had several different values, but they all fall in the
>> 16x.X.X.X format. (Today's most recent one was 168.95.1.1)
>>
>> The user PCs are able to reconnect temporarily by executing ipconfig
>> /renew (or re-starting the system.)
>>
>> This is 2003 Server, SP2 (although searching back in my memory, I seem to
>> recall similar incidents with SP 1 and native 2k3 Server.) Standard DHCP
>> server modules, typical configuration. There are 4 DNS servers in the
>> information handed out in the lease.
>>
>> C. Newell
>> Shiawassee County, MI
>>
Mathieu CHATEAU

 
      09-07-2007, 04:11 PM
Hello,

if:
-stations are on DHCP (no manual DNS server)
-fixed (no WiFi)
-you are sure about your DHCP server (config OK and no other one)

then it may be a virus or so. This DNS belongs to a Chinese ISP and you
don't seem to live in China.

Can you run Spybot Search & Destroy + antivirus?
Installing Windows Defender would be great too (for further protection).

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Christopher A. Newell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> This is a medium sized enterprise network. I am very comfortable saying
> that there is not another device on the segment which should be providing
> conflicting DHCP (although I will not say NEVER.)
>
> The affected PCs are fixed desktop units, so an old lease from a different
> network is not likely. They are all wired ethernet. (I have a small
> number of WiFi notebooks in use but they actually don't seem to be a
> problem. On the other hand, this is so intermittent and they are such a
> small portion of the total network that I just may not be hearing about
> it.)
>
> The systems are obtaining a valid, complete configuration when they boot
> and are then losing JUST the DNS entries (which is darned inconvenient as
> it affects Internet, Active Directory, Exchange/Outlook, just about
> everything.) After the systems lose connectivity, it can be restored by
> executing "ipconfig /renew".
>
> RECAP: This is after the system is up and running correctly. The users
> are reporting a loss of most network connectivity. "ipconfig /all" shows
> all of the entries correct as assigned by DHCP - EXCEPT the DNS, which has
> changed from multiple servers within our network to a single IP which does
> not appear to have any relationship to our network, usually a 168.x.x.x or
> 169.x.x.x. This has happened intermittently on multiple PCs running
> Windows XP Pro (SP1 AND SP2) with DHCP provided by a Windows 2003 Server
> (DHCP having been provided at different times by different physical
> servers at both 2k3 SP1 and SP2.)
>
> "Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hello,
>>
>> This DNS IP is assigned to:
>> (HiNet) Chunghwa Telecom Co., Ltd.
>>
>> And it's a working public DNS server.
>> It may be:
>> -another network node that also distributes DHCP leases (router/firewall)
>> -a previous DHCP lease that the user got from home ADSL
>> Is there any WiFi activated on the station?
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>>
>> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
>> news:e25n%(E-Mail Removed)...
>>> Random (apparently) DHCP clients on my network are losing their DNS
>>> entries. The users report what turn out to be connectivity problems with
>>> name based hosts (raw IP related ones obviously resolve just fine.)
>>>
>>> IPCONFIG ends up revealing a single DNS server entry which is not on my
>>> network. I have had several different values, but they all fall in the
>>> 16x.X.X.X format. (Today's most recent one was 168.95.1.1)
>>>
>>> The user PCs are able to reconnect temporarily by executing ipconfig
>>> /renew (or re-starting the system.)
>>>
>>> This is 2003 Server, SP2 (although searching back in my memory, I seem to
>>> recall similar incidents with SP 1 and native 2k3 Server.) Standard
>>> DHCP server modules, typical configuration. There are 4 DNS servers in
>>> the information handed out in the lease.
>>>
>>> C. Newell
>>> Shiawassee County, MI
>>>
Christopher A. Newell

 
      09-07-2007, 08:50 PM
The client PCs are definitely totally DHCP.
Wired desktop, so they would not pick up a foreign DHCP from an unsecured
SOHO router.
I took the official, configured (i.e. the one I know about) DHCP server
temporarily off-line (paused) and tried to refresh IP information on a
couple of different PCs on the affected LAN segment. All came up with the
"default private" configuration (which includes NO DNS server entries)
confirming that there is no persistent competing DHCP server on the network.
We run CA's enterprise AV/AS solution, and the workstation that has been
most recently affected was a clean re-load (as in OS install fdisk and
format) within the last 60 days. Spybot is probably a good idea, and the
possibility of other malware sounds like a possibility. It would seem to
make sense to try to get PCs to go to bogus web sites by hijacking name
resolution.

Has anybody else heard of or seen anything like this? This would have to be
either a piece of malware running on the affected PC that is changing the
DNS post-lease or something running on another device on the LAN "pushing" a
change to JUST the DNS entries after the client had obtained a valid and
complete configuration from DHCP. I have not seen a device with a valid
lease automatically try to get new information (only at boot, if a "/renew"
command is issued, or if the lease is getting ready to expire.)

"Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello,
>
> if:
> -stations are on DHCP (no manual DNS server)
> -fixed (no WiFi)
> -you are sure about your DHCP server (config OK and no other one)
>
> then it may be a virus or so. This DNS belongs to a Chinese ISP and you
> don't seem to live in China.
>
> Can you run Spybot Search & Destroy + antivirus?
> Installing Windows Defender would be great too (for further protection).
>
> --
> Cordialement,
> Mathieu CHATEAU
> http://lordoftheping.blogspot.com
>
>
> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> This is a medium sized enterprise network. I am very comfortable saying
>> that there is not another device on the segment which should be providing
>> conflicting DHCP (although I will not say NEVER.)
>>
>> The affected PCs are fixed desktop units, so an old lease from a
>> different network is not likely. They are all wired ethernet. (I have a
>> small number of WiFi notebooks in use but they actually don't seem to be
>> a problem. On the other hand, this is so intermittent and they are such a
>> small portion of the total network that I just may not be hearing about
>> it.)
>>
>> The systems are obtaining a valid, complete configuration when they boot
>> and are then losing JUST the DNS entries (which is darned inconvenient as
>> it affects Internet, Active Directory, Exchange/Outlook, just about
>> everything.) After the systems lose connectivity, it can be restored by
>> executing "ipconfig /renew".
>>
>> RECAP: This is after the system is up and running correctly. The users
>> are reporting a loss of most network connectivity. "ipconfig /all" shows
>> all of the entries correct as assigned by DHCP - EXCEPT the DNS, which
>> has changed from multiple servers within our network to a single IP which
>> does not appear to have any relationship to our network, usually a
>> 168.x.x.x or 169.x.x.x. This has happened intermittently on multiple PCs
>> running Windows XP Pro (SP1 AND SP2) with DHCP provided by a Windows 2003
>> Server (DHCP having been provided at different times by different
>> physical servers at both 2k3 SP1 and SP2.)
>>
>> "Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> Hello,
>>>
>>> This DNS IP is assigned to:
>>> (HiNet) Chunghwa Telecom Co., Ltd.
>>>
>>> And it's a working public DNS server.
>>> It may be:
>>> -another network node that also distributes DHCP leases (router/firewall)
>>> -a previous DHCP lease that the user got from home ADSL
>>> Is there any WiFi activated on the station?
>>>
>>> --
>>> Cordialement,
>>> Mathieu CHATEAU
>>> http://lordoftheping.blogspot.com
>>>
>>>
>>> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
>>> news:e25n%(E-Mail Removed)...
>>>> Random (apparently) DHCP clients on my network are losing their DNS
>>>> entries. The users report what turn out to be connectivity problems
>>>> with name based hosts (raw IP related ones obviously resolve just
>>>> fine.)
>>>>
>>>> IPCONFIG ends up revealing a single DNS server entry which is not on my
>>>> network. I have had several different values, but they all fall in the
>>>> 16x.X.X.X format. (Today's most recent one was 168.95.1.1)
>>>>
>>>> The user PCs are able to reconnect temporarily by executing ipconfig
>>>> /renew (or re-starting the system.)
>>>>
>>>> This is 2003 Server, SP2 (although searching back in my memory, I seem
>>>> to recall similar incidents with SP 1 and native 2k3 Server.) Standard
>>>> DHCP server modules, typical configuration. There are 4 DNS servers in
>>>> the information handed out in the lease.
>>>>
>>>> C. Newell
>>>> Shiawassee County, MI
>>>>
>>>

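A scripted version of the check this post describes (reading "ipconfig /all" and spotting a resolver list that no longer matches what DHCP issued), added here as an example and not code from the thread: it parses constructed ipconfig output and flags DHCP-configured adapters whose DNS servers are not the ones the scope hands out, so the same test can be run across a fleet of clients instead of waiting for users to report. The four expected resolver addresses are placeholders, since the thread does not list them; 168.95.1.1 is the foreign address quoted above.

```python
import ipaddress
import re

# DNS servers the DHCP scope is supposed to hand out (constructed placeholders;
# the thread says there are four but does not name them).
EXPECTED_DNS = {"10.10.1.10", "10.10.1.11", "10.10.2.10", "10.10.2.11"}

# Constructed "ipconfig /all" output from an affected XP client: the DHCP lease
# is intact except the DNS list, now the single foreign address quoted above.
AFFECTED = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.10.5.42
        DHCP Server . . . . . . . . . . . : 10.10.1.5
        DNS Servers . . . . . . . . . . . : 168.95.1.1
        Lease Obtained. . . . . . . . . . : Friday, September 07, 2007 8:01:12 AM
"""

# Constructed healthy output; the second DNS server sits on a continuation line.
HEALTHY = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 10.10.1.10
                                            10.10.1.11
"""

FIELD = re.compile(r"\s*([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Map adapter name -> {"dhcp": bool, "dns": [servers]} from ipconfig /all text."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]                 # adapter heading
            adapters[current] = {"dhcp": False, "dns": []}
            last_key = None
        elif current is None or not line.strip():
            continue
        elif (m := FIELD.match(line)):
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            last_key = key
            if key == "dhcp enabled":
                adapters[current]["dhcp"] = value.lower() == "yes"
            elif key == "dns servers" and value:
                adapters[current]["dns"].append(value)
        elif last_key == "dns servers":
            adapters[current]["dns"].append(line.strip())   # extra server, no key
    return adapters

def check_dns(adapters, expected=EXPECTED_DNS):
    """Flag DHCP adapters whose resolver list differs from what the scope issues."""
    findings = []
    for name, info in adapters.items():
        if not info["dhcp"]:
            continue
        if not info["dns"]:
            findings.append((name, None, "no DNS servers"))
        for server in info["dns"]:
            if server not in expected:
                public = ipaddress.ip_address(server).is_global
                findings.append((name, server, "public resolver" if public else "unexpected resolver"))
    return findings
```

Run it over saved "ipconfig /all" captures and a finding tagged "public resolver" on a wired DHCP desktop is exactly the condition this thread is chasing, worth correlating with the client's AV/anti-spyware logs.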

Mathieu CHATEAU

 
      09-07-2007, 09:44 PM
I found a French post about someone having the DNS server you mentioned
(168.95.1.1):
http://forum.telecharger.01net.com/t...essages-1.html

He was infected by Zlob.

--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com


"Christopher A. Newell" <(E-Mail Removed)> wrote in message
news:%23$(E-Mail Removed)...
> The client PCs are definitely totally DHCP.
> Wired desktop, so they would not pick up a foreign DHCP from an unsecured
> SOHO router.
> I took the official, configured (i.e. the one I know about) DHCP server
> temporarily off-line (paused) and tried to refresh IP information on a
> couple of different PCs on the affected LAN segment. All came up with the
> "default private" configuration (which includes NO DNS server entries)
> confirming that there is no persistent competing DHCP server on the
> network.
> We run CA's enterprise AV/AS solution, and the workstation that has been
> most recently affected was a clean re-load (as in OS install fdisk and
> format) within the last 60 days. Spybot is probably a good idea, and the
> possibility of other malware sounds like a possibility. It would seem to
> make sense to try to get PCs to go to bogus web sites by hijacking name
> resolution.
>
> Has anybody else heard of or seen anything like this? This would have to
> be either a piece of malware running on the affected PC that is changing
> the DNS post-lease or something running on another device on the LAN
> "pushing" a change to JUST the DNS entries after the client had obtained a
> valid and complete configuration from DHCP. I have not seen a device with
> a valid lease automatically try to get new information (only at boot, if a
> "/renew" command is issued, or if the lease is getting ready to expire.)
>
> "Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hello,
>>
>> if:
>> -stations are on DHCP (no manual DNS server)
>> -fixed (no WiFi)
>> -you are sure about your DHCP server (config OK and no other one)
>>
>> then it may be a virus or so. This DNS belongs to a Chinese ISP and you
>> don't seem to live in China.
>>
>> Can you run Spybot Search & Destroy + antivirus?
>> Installing Windows Defender would be great too (for further protection).
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> http://lordoftheping.blogspot.com
>>
>>
>> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> This is a medium sized enterprise network. I am very comfortable saying
>>> that there is not another device on the segment which should be
>>> providing conflicting DHCP (although I will not say NEVER.)
>>>
>>> The affected PCs are fixed desktop units, so an old lease from a
>>> different network is not likely. They are all wired ethernet. (I have
>>> a small number of WiFi notebooks in use but they actually don't seem to
>>> be a problem. On the other hand, this is so intermittent and they are
>>> such a small portion of the total network that I just may not be hearing
>>> about it.)
>>>
>>> The systems are obtaining a valid, complete configuration when they boot
>>> and are then losing JUST the DNS entries (which is darned inconvenient
>>> as it affects Internet, Active Directory, Exchange/Outlook, just about
>>> everything.) After the systems lose connectivity, it can be restored by
>>> executing "ipconfig /renew".
>>>
>>> RECAP: This is after the system is up and running correctly. The users
>>> are reporting a loss of most network connectivity. "ipconfig /all"
>>> shows all of the entries correct as assigned by DHCP - EXCEPT the DNS,
>>> which has changed from multiple servers within our network to a single
>>> IP which does not appear to have any relationship to our network,
>>> usually a 168.x.x.x or 169.x.x.x. This has happened intermittently on
>>> multiple PCs running Windows XP Pro (SP1 AND SP2) with DHCP provided by
>>> a Windows 2003 Server (DHCP having been provided at different times by
>>> different physical servers at both 2k3 SP1 and SP2.)
>>>
>>> "Mathieu CHATEAU" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> Hello,
>>>>
>>>> This DNS IP is assigned to:
>>>> (HiNet) Chunghwa Telecom Co., Ltd.
>>>>
>>>> And it's a working public DNS server.
>>>> It may be:
>>>> -another network node that also distributes DHCP leases (router/firewall)
>>>> -a previous DHCP lease that the user got from home ADSL
>>>> Is there any WiFi activated on the station?
>>>>
>>>> --
>>>> Cordialement,
>>>> Mathieu CHATEAU
>>>> http://lordoftheping.blogspot.com
>>>>
>>>>
>>>> "Christopher A. Newell" <(E-Mail Removed)> wrote in message
>>>> news:e25n%(E-Mail Removed)...
>>>>> Random (apparently) DHCP clients on my network are losing their DNS
>>>>> entries. The users report what turn out to be connectivity problems
>>>>> with name based hosts (raw IP related ones obviously resolve just
>>>>> fine.)
>>>>>
>>>>> IPCONFIG ends up revealing a single DNS server entry which is not on
>>>>> my network. I have had several different values, but they all fall in
>>>>> the 16x.X.X.X format. (Today's most recent one was 168.95.1.1)
>>>>>
>>>>> The user PCs are able to reconnect temporarily by executing ipconfig
>>>>> /renew (or re-starting the system.)
>>>>>
>>>>> This is 2003 Server, SP2 (although searching back in my memory, I seem
>>>>> to recall similar incidents with SP 1 and native 2k3 Server.)
>>>>> Standard DHCP server modules, typical configuration. There are 4 DNS
>>>>> servers in the information handed out in the lease.
>>>>>
>>>>> C. Newell
>>>>> Shiawassee County, MI
>>>>>
>>>>
>>>
>>>