Recurring DNS issue - It's a stumper!

Deek (Well-known member; joined Apr 9, 2013; 152 posts; Sacramento, Ca)
Hi all, so I have a recurring DNS issue that I have been working on for months with no success. Here are the details.

SBS 2011 Essentials, fully updated, domain environment, DNS is done by the local server.

What happens is, periodically a random website will stop working...I have seen it happen with google.com, wellsfargo.com, apple.com, cnn.com, etc...the site seems to be random. An SSL site gave me my first clue. A user tried going to google.com and the browser returned an SSL domain mismatch; when I viewed the cert it was an apple.com cert coming back with the google query. This has happened at least 20 times in the last two months, always with different sites and different erroneous DNS resolutions. In fact, it is happening right now. A user was surfing on a Wells Fargo site and all was well, then they clicked a link that took them to a sub-domain of wellsfargo.com (wellsoffice.wellsfargo.com) and the site broke.

When I do an nslookup from my network, wellsoffice.wellsfargo.com resolves to 159.45.161.243 (which is correct); when I do it from the client network it resolves to 23.221.41.198 (which reverse resolves to a23-221-41-198.deploy.static.akamaitechnologies.com). See below for relevant lookup dumps.

I have already tried:
- Updating root servers
- Disabling forwarding servers and recursion (so root servers only)
- Using public DNS servers as the forwarders like 8.8.8.8
- Using my own public DNS servers as the forwarders that I have never had an issue with
- I can tell it's a server issue since the issue is not tied to a specific user, it is tied to a specific random site (happens to all users at once), and when I do the nslookup from the server I get incorrect responses...


The temporary fix is to restart DNS on the server and do an ipconfig /flushdns on the client...but the issue always returns in 0-7 days.

I am at a loss, please help, my client is beginning to get very frustrated.

**Note: On the good query below, the TTL is 16 sec? That is fairly odd.


NSLOOKUP FROM MY NETWORK (CORRECT)
----------------------------------------------------
[CODE]
C:\WINDOWS\system32>nslookup
Default Server:  lepton.cnets.net
Address:  104.254.140.7

> set debug
> wellsoffice.wellsfargo.com
Server:  lepton.cnets.net
Address:  104.254.140.7

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        wellsoffice.wellsfargo.com.cnets.net, type = A, class = IN
    AUTHORITY RECORDS:
    ->  cnets.net
        ttl = 3600 (1 hour)
        primary name server = lepton.cnets.net
        responsible mail addr = hostmaster.cnets.net
        serial  = 140
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        wellsoffice.wellsfargo.com, type = A, class = IN
    ANSWERS:
    ->  wellsoffice.wellsfargo.com
        internet address = 159.45.161.243
        ttl = 16 (16 secs)

------------
Non-authoritative answer:
Name:    wellsoffice.wellsfargo.com
Address:  159.45.161.243
[/CODE]





NSLOOKUP FROM CLIENT NETWORK DURING ISSUE (INCORRECT)
------------------------------------------------------------
[CODE]
U:\>nslookup
Default Server:  UnKnown
Address:  192.168.1.5

> set debug
> wellsoffice.wellsfargo.com
Server:  UnKnown
Address:  192.168.1.5

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        wellsoffice.wellsfargo.com.CapDevCo.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  capdevco.local
        ttl = 3600 (1 hour)
        primary name server = server01.capdevco.local
        responsible mail addr = hostmaster.capdevco.local
        serial  = 2543
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        wellsoffice.wellsfargo.com.CapDevCo.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  capdevco.local
        ttl = 3600 (1 hour)
        primary name server = server01.capdevco.local
        responsible mail addr = hostmaster.capdevco.local
        serial  = 2543
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        wellsoffice.wellsfargo.com, type = A, class = IN
    ANSWERS:
    ->  wellsoffice.wellsfargo.com
        internet address = 23.221.41.198
        ttl = 536 (8 mins 56 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 1

    QUESTIONS:
        wellsoffice.wellsfargo.com, type = AAAA, class = IN
    ADDITIONAL RECORDS:
    ->  (root)
        ??? unknown type 41 ???
        ttl = 32768 (9 hours 6 mins 8 secs)

------------
Name:    wellsoffice.wellsfargo.com
Address:  23.221.41.198
[/CODE]
 
Well, I can say we are not ignoring you but that's about it. I don't know what's happening either. It would be much easier if your client(s) never connected but intermittent problems are always the most difficult.

Akamai is a huge cloud service provider. Are they consistently in the middle when these problems surface?

Is it always from the same client PC or multiple clients with no apparent pattern?

PS - Ouch! That last line of your signature seems like it might sting a bit right now. I wish I knew the answer. :(
 
Hi Deek,

I am facing a similar issue with the DNS servers right now at home. The symptoms you mentioned are very similar. My problem goes further: I even get redirected to adult websites after going to google.com.

After doing several scans, I concluded that my system was not infected. After checking the router's settings, I found the DNS servers had been changed to some other servers hosting adult content. The problem seems to repeat within a day, no matter whether the router has been reset to factory settings or simply restarted.

I would advise you to check the router with which the server is connected.


-Pranav
 
In my case, my router doesn't perform any DNS services...It is just Main Server > Forwarders or root servers.

In your case, it sounds like you have a router with an exploit. If it's newer, do a firmware upgrade on the router; if it's old, you can look up the model to see if it has unpatched exploits, which means you will need a new router. Happen to have a WRT54G or similar? That is a really common, good, old router that will not be patched and will need to be replaced.

Deek
 
I have not had any problems being redirected to adult sites, but if this is happening to multiple devices connected to the same router, then I would sure look at upgrading the firmware or getting a different/newer router.

Using something other than your ISP's DNS servers may help too. OpenDNS is used often and you can use these instructions to change the DNS servers your router uses. Changing it in your router ensures all your connected devices use OpenDNS instead of your ISP's.
 
It is a custom router, as in procured directly from the factory. It has been at home for like 5 years now, so it deserves a change.

I have already tried using OpenDNS/Google DNS but after some time, the DNS servers are automatically changed. FYI there are 2 options in the router settings regarding the DNS settings. One setting is the Automatic one in which the router sets itself to the DNS servers provided by the ISP. The other option is to enter the DNS server values manually.

Even if I set it to procure the DNS servers automatically, it changes itself to Manual settings after some time, and the manual settings have the malicious DNS servers, which are generally hosting adult websites.

So, the router needs replacement. As a workaround, I have set the devices in home to use specific DNS servers since if the DNS servers are present in the Configuration settings of devices, those override the DNS servers present in the router.


-Pranav
 
Yeah, definitely not right - and spooky! Not sure if there is a fault in the router, or something malicious going on. Settings should not be changing on their own. Are these ISP-provided routers or do you own it?
 
Yup, very spooky. Recently, all of the devices at home were shown a popup that the Flash Player was outdated and needed to be updated. Just for fun, I downloaded the executable and as usual it had the file name "FlAsh PlaYer.exe" and no signature from Adobe. Instant delete from my system. Even mobile devices were showing the Adobe update available :lol:

The router is owned by me. I talked with many security experts including our beloved Corrine and all of them came to the same conclusion that the router is being exploited.

Hopefully, next week the router would be changed.


-Pranav
 
UPDATE - Well, my issue continues; however, I found the root of the problem: apparently SBS 2011/Server 2008 wants to automatically add your gateway as a forwarder. The issue only crops up when the gateway is in the forwarder list. I remove the gateway as a forwarder and all is well.

After removing the forwarder, I found this in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Server\Networking]
"NicGuidForIc"="328ccb41-812b-4a90-915d-50bf76280ddc"
"LastBasicConfigSuccessful"=dword:00000001
"AddedDnsForwarder"="192.168.1.1"

So I removed the "AddedDnsForwarder"="192.168.1.1" value, but I suspect the issue will come around again.

Does anyone know how to stop the server from auto-adding a DNS forwarder?
 
I found this:
https://social.technet.microsoft.com/Forums/en-US/4af5eea3-4065-431c-b414-2b18e2e85b85/prevent-the-default-gateway-to-be-added-to-the-dns-forwarders?forum=smallbusinessserver2011essentials

But the guy's solution is lame...fix them using a scheduled task??? The forwarder shows up at random, so unless the task runs continuously this is not the solution.
 

Working here, want solution answer here...........I'm a learner here! :huh:
 
I do work in IT but I have not been in the field for very long. From my few experiences in the field, it sounds like Digerati could possibly be infected with malware. It could be a hijacker that redirects an IP address to another address (a.k.a. hijacker). If you know someone proficient in cleaning out malware, I would give that a try. If not, I would recommend programs such as AdwCleaner and Malwarebytes, and use HitmanPro only to rule out the possibility of malware and not to clean. As far as Deek's problem, it does seem really strange that he can flush the DNS cache and the problem soon after reoccurs. If I can think of anything I will put my two cents in; otherwise, I am interested to hear if anyone knows what is going on.
 
I isolated the problem. The scheduled task above does work, though my solution was different...I ran the PowerShell script as an argument for the task and set up more triggers. Apparently SBS 2011 Essentials thinks it's smart by automatically adding the gateway as a forwarder (by design)....no matter how many times you remove it, it always comes back. Though I haven't figured out how to stop the automatic process, the PowerShell script seems to do the trick...been good for about 3 weeks now.

MICROSOFT - THIS IS STUPID, ABSURD and unnecessary....If your sysadmin doesn't know how to use forwarders, you shouldn't have a server!
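A watchdog along the lines Deek describes, written here as an added example; it is not Deek's script nor the one from the linked TechNet thread. It assumes the local SBS 2011 / Server 2008 R2 box (which has the root\MicrosoftDNS WMI provider but not the Server 2012 DnsServer module), a placeholder allow-list of upstream resolvers that you replace with your own, and the event source name DnsForwarderWatchdog; the registry value AddedDnsForwarder is the one quoted in the thread.

```powershell
# DnsForwarderWatchdog.ps1 (added example, PowerShell 2.0 compatible)
# Removes any DNS forwarder that is a default gateway or is not on the
# approved list, clears the marker SBS leaves in the registry, and writes
# an Application event so the re-add can be seen in the log.

param(
    # Placeholder allow-list: replace with the upstream resolvers you trust.
    [string[]]$ApprovedForwarders = @('8.8.8.8', '8.8.4.4')
)

$EventSource = 'DnsForwarderWatchdog'                                  # assumed name
$RegPath     = 'HKLM:\SOFTWARE\Microsoft\Windows Server\Networking'   # from the thread

function Get-DefaultGateways {
    # IPv4 gateways on every IP-enabled adapter; SBS adds one of these as a forwarder.
    $cfgs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $gws = @()
    foreach ($c in $cfgs) {
        if ($c.DefaultIPGateway) { $gws += $c.DefaultIPGateway }
    }
    return @($gws | Sort-Object -Unique)
}

function Get-CurrentForwarders {
    # Forwarder list of the running DNS server, via the MicrosoftDNS WMI provider.
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
    if ($srv.Forwarders) { return @($srv.Forwarders) }
    return @()
}

function Write-WatchdogEvent([string]$Message, [string]$Type) {
    # Register the source on first use, then log to the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId 1001 `
                   -EntryType $Type -Message $Message
}

function Repair-Forwarders([string[]]$Approved) {
    $gateways = Get-DefaultGateways
    $current  = Get-CurrentForwarders
    $keep = @(); $dropped = @()
    foreach ($f in $current) {
        # A gateway is dropped even if someone later adds it to the allow-list.
        if (($gateways -contains $f) -or ($Approved -notcontains $f)) { $dropped += $f }
        else { $keep += $f }
    }
    if ($dropped.Count -eq 0) { return $null }   # nothing to do, stay quiet

    # Write the trimmed list back to the running DNS server.
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
    $srv.Forwarders = $keep
    $srv.Put() | Out-Null

    # Clear the marker SBS records when it adds the gateway itself.
    if (Get-ItemProperty -Path $RegPath -Name AddedDnsForwarder -ErrorAction SilentlyContinue) {
        Remove-ItemProperty -Path $RegPath -Name AddedDnsForwarder
    }

    $gwList = $gateways -join ', '
    $msg = "Removed unapproved DNS forwarder(s): $($dropped -join ', '). " +
           "Gateways seen: $gwList. Remaining forwarders: $($keep -join ', ')"
    Write-WatchdogEvent $msg 'Warning'
    return $dropped
}

$removed = Repair-Forwarders -Approved $ApprovedForwarders
if ($removed) { Write-Output "Removed: $($removed -join ', ')" }
else          { Write-Output 'Forwarder list clean.' }
```

To run it every five minutes as SYSTEM (the path is a placeholder): `schtasks /Create /TN DnsForwarderWatchdog /SC MINUTE /MO 5 /RU SYSTEM /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\DnsForwarderWatchdog.ps1"`. The event-log entries then give you a timeline of when SBS re-added the gateway, which is the evidence to line up against the bad-resolution reports.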
 
