DNS Spoof/Hijack/Poison

By hbombvi
I'm not sure what the proper terminology is in this matter, but this has been driving me nuts.

Here's the situation. In my network, DHCP is assigned by the router. Every once in a while (for the past couple weeks) when my users turn on their computers they pick up the address of another computer in the network as the DNS server. Now it's always the same address and I've tracked down the computer that I believe is causing this problem but I can't find a thing wrong on it. So far I've run two full Malwarebytes scans and a full Symantec Antivirus scan. Nada!

I've checked that computer a few times now. It never fails to get the right DNS servers from the router.

Now here's the really weird part. In the past when this happened the users who got the wrong DNS entry couldn't access the Internet at all until I asked them to repair their network settings after which they get the right DNS entries. But today I've managed to surf the Internet for a full hour before I realized some slowdown and checked my DNS entry. To my surprise, it was the IP of that very machine.

Anyone ever deal with anything like this? I'd appreciate any ideas.

Have you considered a local human element in action?

by Deadly Ernest In reply to DNS Spoof/Hijack/Poison

and have you checked the DHCP server for an improper script?

The router is the server

by hbombvi In reply to Have you considered a loc ...

We're using workgroup settings with the router acting as the DHCP server.

How about human action on the system that seems to be the

by Deadly Ernest In reply to The router is the server

cause of the problem, with the normal server locked down.

Is the troublesome system a laptop, by any chance?

by CharlieSpencer In reply to DNS Spoof/Hijack/Poison

I've seen a similar problem caused by a laptop. The system somehow wound up as DNS server on a home network. I don't recall the details other than the problem started with a particular brand of PCMCIA wireless card (D-Link? Linksys? Details get fuzzy when you have CRS). I believe the card was configured from the factory to look for a DNS server, and if it didn't find one, it set up the system it was in as a DNS server.

All of this is out the window if you're dealing with a desktop.

That makes me wonder if it can also pick up a wifi network

by Deadly Ernest In reply to Is the troublesome system ...

and is setting up from that first.

Seems plausible

by hbombvi In reply to Is the troublesome system ...

Yes, it is a laptop. It could account for the not finding any viruses or malware. Guess the only way I could test would be to assign him static settings. But the user is using a wired connection, not the wireless.

Has it left the building?

by CharlieSpencer In reply to Seems plausible

Your original post says the problem started a couple of weeks ago. Did this laptop return from being on the road just before the problem started?
You might check the network settings and see if there's a new virtual adapter. You could run an IPCONFIG /RELEASE and then reboot. You could try a hard-coded IP address.

You could toss up your hands and re-image it. That depends on how much time you want to spend and how determined you are to find the actual source of the problem.

Good luck; I'm out of suggestions.

As much as I hate it

by hbombvi In reply to Has it left the building?

It's a personal laptop for an employee that's only been here a couple of weeks. It's something I really try to discourage but sometimes the higher ups block me on it.

It's looking like my only option is to tell him not to connect to our network.

Get the higher ups who approved to authorise you to

by Deadly Ernest In reply to As much as I hate it

give it static IP addresses for use on your network, that may resolve the issue.

I already did

by hbombvi In reply to Get the higher ups who ap ...
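
One way to check where the wrong DNS entry comes from, as an added example that is not part of any poster's reply: assuming it arrives in a DHCP reply (the thread does not confirm this), the Python below parses DHCP reply payloads and flags any whose server identifier (option 54) or DNS servers (option 6) differ from the router. The addresses and the `build_reply` helper are constructed for illustration.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"               # DHCP magic cookie (RFC 2131)
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
ROUTER = "192.168.1.1"                     # constructed: the legitimate DHCP/DNS

def ip(b):
    return str(ipaddress.IPv4Address(b))

def parse_reply(payload):
    """Pull the audited fields out of a DHCP reply (the UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    info = {"yiaddr": ip(payload[16:20]), "server_id": None, "dns": []}
    i = 240                                            # options follow the cookie
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if code == OPT_SERVER_ID and length == 4:
            info["server_id"] = ip(data)
        elif code == OPT_DNS and length % 4 == 0:
            info["dns"] = [ip(data[j:j + 4]) for j in range(0, length, 4)]
        i += 2 + length                                # other options are skipped
    return info

def audit(payload, router=ROUTER, allowed_dns=(ROUTER,)):
    """Return findings for one reply; an empty list means it matches the router."""
    r = parse_reply(payload)
    findings = []
    if r["server_id"] != router:
        findings.append(f"DHCP reply from unexpected server {r['server_id']}")
    for d in r["dns"]:
        if d not in allowed_dns:
            findings.append(f"lease for {r['yiaddr']} hands out DNS {d}")
    return findings

def build_reply(yiaddr, server_id, dns):
    """Construct a minimal DHCPACK for the demo; not captured traffic."""
    pack = lambda a: ipaddress.IPv4Address(a).packed
    hdr = bytearray(236)
    hdr[0], hdr[16:20] = 2, pack(yiaddr)               # op=BOOTREPLY, yiaddr
    opts = bytes([OPT_MSG_TYPE, 1, 5, OPT_SERVER_ID, 4]) + pack(server_id)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(map(pack, dns)) + b"\xff"
    return bytes(hdr) + MAGIC + opts
```

Feed `audit` the UDP payload of each reply sent from port 67 in a packet capture taken on an affected client; a finding that names a server other than the router points at a second DHCP responder on the LAN.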