DNS Randomly changing on our workstations

mac_cnc (2[H]4U; joined Oct 14, 2000; 2,560 messages)
Recently, from time to time throughout the work day, certain workstations are automatically changing their DNS server. This will happen at any time with no explanation. It will change the workstation's DNS server from our DNS server to 10.1.0.1. Internal apps/email/websites will continue to work. Outside internet will not. A release/renew will fix the issue but is inconvenient for the end user. This has been happening on and off for about 2 weeks, and the address does not ping or return an nslookup. I cannot find this address anywhere in our infrastructure as a legacy address either. Our current IP schema is 172.x.x.x.

Any help would be awesome. Thanks.
 
Rogue router plugged into your network giving out IPs. Found an AirPort Extreme the other day doing the same thing to us.
 
Yeah, that's what I'm thinking, but not really sure how to track it down. It's a big network. LOL.
 
Set up Wireshark on one of the machines having issues on your network and run a capture for DHCP packets. It's likely you'll see offers from devices other than your authorized DHCP box. From there you can grab the MAC of the box and drill down on your switch ARP tables to locate the device physically.

In the future, as a countermeasure, look into deploying some type of DHCP controls in your network to mitigate this from happening. Cisco uses DHCP snooping. Other manufacturers do something similar.
 
We use Cisco switches, 2960G for most of it. Any idea on commands for that? I'm not much of a Cisco guy.
 
Need to find the MAC of the rogue so you can find the port it's getting plugged into.
 
You need to grab the MAC as I mentioned before. You can use Wireshark to help you with this. Once you have it, log in to the 2960 and do

'show arp | include <mac address>'

Note that Cisco's output shows MACs as xxxx.xxxx.xxxx, all in lower case.

Here's a link on how to filter for DHCP traffic using Wireshark.

http://wiki.wireshark.org/DHCP

Here's a CISCO Support thread on using the show arp command:

https://supportforums.cisco.com/thread/2118852
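As an added example (not code from this thread or from the poster), here is a small Python script that does what the two posts above describe: it parses DHCP OFFER messages out of Ethernet frames, flags any whose server identifier (option 54) is not one of the authorized DHCP servers, and prints the frame's source MAC in the xxxx.xxxx.xxxx form IOS uses. The authorized server 172.16.0.10, the two MAC addresses and the two frames are constructed test data; in practice the frames would come from a pcap exported from Wireshark (filter `bootp` or `dhcp`) and be read with a library such as scapy or dpkt, which are not used here so the script runs offline.

```python
"""Find rogue DHCP OFFERs in captured Ethernet frames and print the offending
MAC in Cisco's xxxx.xxxx.xxxx notation. Added example; not from the thread."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Assumption: the site's only legitimate DHCP server. Adjust to your environment.
AUTHORIZED_DHCP_SERVERS = {"172.16.0.10"}
DHCP_COOKIE = b"\x63\x82\x53\x63"  # magic cookie that precedes DHCP options


@dataclass
class Offer:
    src_mac: str           # Ethernet source: the device to hunt on the switch
    server_id: str         # DHCP option 54 (falls back to the IP source)
    your_ip: str           # yiaddr handed to the client
    router: Optional[str]  # option 3
    dns: list              # option 6


def packed(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def cisco_mac(mac: str) -> str:
    """aa:bb:cc:dd:ee:ff / AA-BB-CC-DD-EE-FF -> aabb.ccdd.eeff, as IOS prints it."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_options(blob: bytes) -> dict:
    """Decode DHCP TLV options; stops at END (255), skips PAD (0)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(frame: bytes) -> Optional[Offer]:
    """Return an Offer for a DHCPOFFER frame (Ethernet/IPv4/UDP), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                          # not UDP
        return None
    ip_src = str(ipaddress.IPv4Address(ip[12:16]))
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (67, 68):                           # server -> client only
        return None
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_COOKIE:
        return None                                          # op 2 = BOOTREPLY
    opts = parse_options(bootp[240:])
    if opts.get(53) != b"\x02":                              # 2 = DHCPOFFER
        return None
    server_id = str(ipaddress.IPv4Address(opts[54])) if 54 in opts else ip_src
    router = str(ipaddress.IPv4Address(opts[3][:4])) if 3 in opts else None
    dns_blob = opts.get(6, b"")
    dns = [str(ipaddress.IPv4Address(dns_blob[i:i + 4]))
           for i in range(0, len(dns_blob) - 3, 4)]
    return Offer(src_mac, server_id, str(ipaddress.IPv4Address(bootp[16:20])), router, dns)


def rogue_offers(frames, authorized=AUTHORIZED_DHCP_SERVERS) -> list:
    """Offers whose server identifier is not one of our DHCP servers."""
    offers = (parse_offer(f) for f in frames)
    return [o for o in offers if o is not None and o.server_id not in authorized]


def build_offer(src_mac: str, server: str, client: str, router: str, dns: str) -> bytes:
    """Construct a minimal DHCPOFFER frame (test data only; checksums left zero)."""
    options = (b"\x35\x01\x02" + b"\x36\x04" + packed(server)
               + b"\x01\x04" + packed("255.255.255.0")
               + b"\x03\x04" + packed(router) + b"\x06\x04" + packed(dns) + b"\xff")
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0x8000)
             + packed("0.0.0.0") + packed(client) + packed(server) + packed("0.0.0.0")
             + bytes(16) + bytes(64) + bytes(128) + DHCP_COOKIE + options)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
          + packed(server) + packed("255.255.255.255") + udp)
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


# Constructed capture: one legitimate offer and one from a rogue gateway at 10.1.0.1.
SAMPLE_FRAMES = [
    build_offer("00:11:22:33:44:55", "172.16.0.10", "172.16.5.20", "172.16.0.1", "172.16.0.10"),
    build_offer("02:1a:2b:3c:4d:5e", "10.1.0.1", "10.1.0.57", "10.1.0.1", "10.1.0.1"),
]

if __name__ == "__main__":
    for o in rogue_offers(SAMPLE_FRAMES):
        print(f"ROGUE server {o.server_id} (frame src {o.src_mac}) offered "
              f"{o.your_ip}, gw {o.router}, dns {o.dns}")
        print(f"  on the 2960: show mac address-table address {cisco_mac(o.src_mac)}")
```

Two practitioner notes on using the output. First, the frame's source MAC (not the IP in option 54) is what the switch knows about: on a Layer 2 switch such as a 2960, `show arp` only lists hosts the switch's own management interface has talked to, so the command that maps a MAC to a port is `show mac address-table address <xxxx.xxxx.xxxx>`; if the port reported is an uplink, repeat on the next switch down. Second, once the device is found, Cisco's DHCP snooping (`ip dhcp snooping`, `ip dhcp snooping vlan <id>`, and `ip dhcp snooping trust` only on the port facing the real DHCP server or the uplink) makes the switch drop OFFERs arriving on untrusted ports, so a second rogue router or misconfigured access point cannot repeat this.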
 
Thanks for the tips. I have Wireshark churning right now and I will take a look at the log in 20 minutes or so. I will let you know what I find.
 
You could also try manually assigning a machine an IP address of 10.1.0.x and then see if the rogue gateway device has a web interface.
We've done that before here when somebody plugged a router into the network incorrectly.
 
Lol, I had the same issue months ago. Couldn't figure it out at first, but after some investigating we found a rogue AirPort Extreme up in the ceiling. Was quite funny.

I just identified the unit by the IP it was handing out. Finding it was a whole different issue.
 
Found it! We used Wireshark for the MAC and then some sniffer tools to ID which switch, then toned out the port. Turned out it was a stupid wifi point we gave to someone to use as a switch and neglected to remove all the settings from first (I didn't give it out, BTW).

Thanks for all the help everyone. It helped a ton.
 