
DNS erroneous ip entry/Nslookup error

By sbelcher ·
Hello All,
I've been banging my head against this problem for a while. It's a small but very annoying issue. I have a win 03 domain, two domain controllers, with one as Start of Auth. When I arrived at this domain, I immediately got rid of the problematic servers they had and migrated to new servers. Everything seems to work fine most of the time, except as follows. I first noticed this during a migration from Novell GroupWise to Exchange 07. When I would install a client, the client wouldn't find the server, couldn't even ping the domain name "domain.org"; it would come back with an IP address not even in my scheme. I looked at the DNS entries and noticed a fake IP address as a DNS server. I deleted this from the GC forward zone and the domain and forest DNS zones. This fixed the problem; however, this reoccurs every day. I can't find where it's coming from. What's more, I'm getting an error when using nslookup that states "(target host) can't find nslookup: Non-existent domain"

Any ideas?


Could be malware

by NickNielsen In reply to DNS erroneous ip entry/Ns ...

If you keep clearing it and it keeps coming back, it may be some form of malware.

Is all your software up-to-date? No non-essential services running? Obvious holes (unused ports, etc.) closed?

You will probably get better results by posting this as a question (click on the "Ask a Question" part of the Start a Discussion button).


Scenarios

by Jellimonsta In reply to DNS erroneous ip entry/Ns ...

There could be a number of causes for these issues. You state that a client does not get an IP address in your scheme. This would generally denote a rogue DHCP server on your network. Is your network segmented with VLANs? If so, you may find that your client is getting an IP from a rogue DHCP server on their local segment as opposed to your servers. In order to track it down you should go to an affected host and do an ipconfig /all. Take note of the ip address of the default gateway and do an arp on your layer 3 switch (or router if you only have layer 2 switches). You should then get the mac-address. Do a show mac-address (with the mac) on your switch and it will give you the switch port it is connected to. You can then trace out your culprit.
Another scenario to check is that your affected host is not connecting to rogue wireless networks or ad-hoc (if wireless enabled).


IP address

by Jellimonsta In reply to Scenarios

If you mean that the client resolves the domain name/ server to an IP not in your scheme, you may also want to check the hosts or lmhosts file on the client. It will always take precedence over DNS.
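The hosts-file check suggested in this reply, as an added example that is not part of the original posts: it parses a hosts file and reports entries that map the domain (or a host under it) to an address outside the expected subnets. The sample file, the `10.0.0.0/24` scheme and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts (lmhosts sits beside it and
# uses the same "address name" layout, with #PRE/#DOM tags after '#').
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1      localhost
10.0.0.10      dc1.domain.org dc1
203.0.113.45   domain.org            # stale entry left by an old app
10.0.0.25      mail.domain.org
not-an-ip      broken.domain.org
"""

def parse_hosts(text):
    """Yield (line_no, ip_or_None, names) for every non-comment entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments and tags
        if not entry:
            continue
        fields = entry.split()
        names = [n.lower() for n in fields[1:]]
        try:
            yield line_no, ipaddress.ip_address(fields[0]), names
        except ValueError:
            yield line_no, None, names         # malformed address field

def audit(text, domain, allowed_nets):
    """Return (line_no, address, names) for entries that override
    `domain` or its hosts with an address outside `allowed_nets`."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    domain = domain.lower()
    findings = []
    for line_no, ip, names in parse_hosts(text):
        hits = [n for n in names if n == domain or n.endswith("." + domain)]
        if not hits:
            continue
        if ip is None:
            findings.append((line_no, "unparseable address", hits))
        elif not ip.is_loopback and not any(ip in net for net in nets):
            findings.append((line_no, str(ip), hits))
    return findings

if __name__ == "__main__":
    for line_no, addr, names in audit(SAMPLE_HOSTS, "domain.org", ["10.0.0.0/24"]):
        print(f"line {line_no}: {', '.join(names)} -> {addr}")
```

Run against the hosts and lmhosts files collected from an affected client, with the site's real subnets in place of the constructed one, any line it reports is a local override that the client will use instead of the DNS answer.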


Host File

by sbelcher In reply to IP address

The host file sounds more likely; it's not that the client isn't getting a good IP, it's that the domain is being seen as a bad IP. The DNS server is also the domain controller, so there shouldn't be any issues of syncing in Active Directory. But, we do however run a program that requires a host file for the network. I'm guessing that there may be an old file that could be pointing to an old server that is no longer in circulation? I didn't know that the host file would take precedence.


Domain IP

by sbelcher In reply to Scenarios

The clients don't receive bad IPs; it's the domain. If you ping "domain.org" you get the bad IP address. I've tried tracing it and arping it and I don't get anything. We're running AVG, and all of our Windows updates have been applied (I know that means about nothing but...). It always happens at the same time, 3 in the morning, until recently, when I added a new subnet to my site. Now it happens at 4 pm.
