Find Rogue DNS Server

VeeDubbs

Limp Gawd
Joined
Dec 9, 2005
Messages
398
Hi All -

On a small college campus here and this is happening solely in the admin building. Subnet is 10.3.x.x. Primary DNS server SHOULD be 10.2.0.53, however, on 10 or so different computers on different days the primary DNS server is getting changed to 192.168.0.1 and the DNS suffix is getting changed to mshome.net -- makes me think someone brought in a router. After an ipconfig /renew all is back to normal.

How can I go about hunting down this router? I've been scanning with wireshark every now and then for the past few days and am finding nothing that sticks out at me. Any ideas?
 
Thanks Juic3. Any way to hunt that down? There are hundreds of PCs in this building.
 
If you can find the MAC address of the device that holds the 192.168.0.1 IP address, say with wireshark or another tool, then you can query the bridge learning table on your switches if they are managed to isolate it to a switch port. Once you have a switch port, you should be able to determine what ethernet run the host is attached to.
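The first step in that procedure, catching the offending server's MAC address, can be automated instead of eyeballing a Wireshark capture. The script below is an added example, not code from anyone in this thread: it decodes raw Ethernet/IPv4/UDP frames with the standard library only, keeps DHCP OFFER/ACK replies whose server identifier is not on an allowlist, and reports the server's MAC (the value you then look up in the switch bridge table), its IP, and the DNS server and domain suffix it hands out. The allowlisted DHCP server 10.2.0.1, the MAC addresses, and the sample frames are all constructed for the example; 10.2.0.53, 192.168.0.1 and mshome.net come from the thread.

```python
import socket
import struct

# Assumption for this example: the campus's sanctioned DHCP server address.
ALLOWED_DHCP_SERVERS = {"10.2.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"
OFFER, ACK = 2, 5


def parse_dhcp_options(data):
    """Decode the TLV option area of a DHCP message into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad octet
            i += 1
            continue
        if code == 255:          # end marker
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_frame(frame):
    """Return details of a DHCP server reply carried in a raw Ethernet frame,
    or None if the frame is anything else (ARP, client traffic, non-UDP ...)."""
    if len(frame) < 14:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:                      # IPv4 only
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[9] != 17:              # UDP only
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:]
    if len(udp) < 8 or struct.unpack("!H", udp[:2])[0] != 67:  # DHCP server port
        return None
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[0] != 2 or dhcp[236:240] != DHCP_MAGIC:
        return None                              # not a BOOTREPLY
    opts = parse_dhcp_options(dhcp[240:])
    dns_raw = opts.get(6, b"")
    return {
        "server_mac": src_mac.hex(":"),
        "server_ip": src_ip,
        "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else src_ip,
        "msg_type": opts.get(53, b"\x00")[0],
        "offered_ip": socket.inet_ntoa(dhcp[16:20]),
        "dns": [socket.inet_ntoa(dns_raw[k:k + 4]) for k in range(0, len(dns_raw) - 3, 4)],
        "domain": opts.get(15, b"").decode("ascii", errors="replace"),
    }


def find_rogue_servers(frames, allowed=ALLOWED_DHCP_SERVERS):
    """Map server MAC -> details for every OFFER/ACK from a non-allowlisted server."""
    rogues = {}
    for frame in frames:
        info = parse_frame(frame)
        if info and info["msg_type"] in (OFFER, ACK) and info["server_id"] not in allowed:
            rogues[info["server_mac"]] = info
    return rogues


# --- constructed sample traffic (not a real capture) -------------------------

def build_offer_frame(server_mac, server_ip, client_ip, dns_ip, domain):
    """Assemble an Ethernet/IPv4/UDP frame carrying a DHCP OFFER (checksums left zero)."""
    opts = (bytes([53, 1, OFFER]) + bytes([54, 4]) + socket.inet_aton(server_ip)
            + bytes([6, 4]) + socket.inet_aton(dns_ip)
            + bytes([15, len(domain)]) + domain.encode() + b"\xff")
    bootp = (bytes([2, 1, 6, 0]) + b"\x00" * 12                          # op..ciaddr
             + socket.inet_aton(client_ip) + socket.inet_aton(server_ip)  # yiaddr, siaddr
             + b"\x00" * 4 + b"\x00" * (16 + 64 + 128) + DHCP_MAGIC)      # giaddr, chaddr, sname, file
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp) + len(opts), 0) + bootp + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(server_ip), socket.inet_aton("255.255.255.255")) + udp
    eth = b"\xff" * 6 + bytes.fromhex(server_mac.replace(":", "")) + b"\x08\x00"
    return eth + ip


SAMPLE_FRAMES = [
    # Legitimate offer from the campus DHCP server (MAC is made up for the example).
    build_offer_frame("00:aa:bb:00:00:01", "10.2.0.1", "10.3.1.25", "10.2.0.53", "campus.example"),
    # Rogue offer: hands out a campus-range address but points DNS at itself.
    build_offer_frame("00:11:22:33:44:55", "192.168.0.1", "10.3.1.26", "192.168.0.1", "mshome.net"),
    # Unrelated ARP frame, which the parser must ignore.
    b"\xff" * 6 + bytes.fromhex("00aabb000002") + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for mac, info in find_rogue_servers(SAMPLE_FRAMES).items():
        print(f"rogue DHCP server {info['server_ip']} at MAC {mac}: offers "
              f"{info['offered_ip']}, DNS {info['dns']}, suffix '{info['domain']}'")
```

To use it on the real building, feed `find_rogue_servers` the raw frames from a capture taken on a PC left running on that LAN (any pcap reader that yields link-layer bytes will do), then take the reported MAC to the switches' bridge tables as described above. Filtering on the server identifier rather than the source IP matters because a relayed or misconfigured offer can carry a different source address than the server that issued it.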
 
That's exactly what I had planned on doing Christopher. It's just that my scans don't seem to find the offending device!
 
I would put a PC on the lan running look@lan and leave it running until the IP logs on, then run wireshark.
 
Yeah, it's not really a rogue DNS server; it's a rogue DHCP server most likely.
 
Why don't you just use the routing table to block the 192.168.x.x subnet if you don't use it? It should then block all IPs on the subnet from being able to "see" your server in any way.
 
I understand where you're coming from zlash -- but no one has gotten a bad IP address from it just yet. All it's screwing with is their Primary DNS.
 
They could have set it up to hand out the same range of IPs. I don't see how a client set up for DHCP could get a wrong DNS server any other way.
 