RE: Wandering DNS entry

Posted by SQLDAWG on September 20, 2007, 5:08 pm
Chris, a couple of questions:
7 subnets: are there any routers connecting these subnets?
How many DHCP servers on the network?
How many DNS servers? Secondary and primary?

I will get to the Internet access!!!




"Christopher A. Newell" wrote:

> I posted on this a couple of weeks ago and then the problem "appeared" to
> clear up for a while.
>
> This appeared to be a very sporadic problem, but as I look more closely it
> seems to be more prevalent than I had imagined.
>
> I have a medium-small, but moderately complex network configured in 7 logical
> segments, each operating on its own IP subnet. In three of the segments,
> dynamically addressed PCs are transiently losing their DNS entries,
> multiple local DNS servers being replaced by 168.95.1.1, an operating DNS
> server in Taiwan. (in fact the only service answering on about half of the
> 168.95.1.x subnet is DNS) The loss of the correct DNS entries disrupts the
> client's network connectivity until the configuration is restored (all
> Internet access for user PCs is through a proxy server, our firewall
> prevents any client address from communicating with the Internet in any
> other way, so the affected PC gets no response at all.) "ipconfig /renew"
> seems to correct the problem, as does restarting the PC.
>
> As a temporary workaround, I have assigned the outside IP to one of my
> internal DNS servers and routed all requests for that IP to the correct LAN
> address. This is preserving my users' connectivity but is eliminating their
> calls for help to notify me.
>
> After implementing the temporary solution, I have been monitoring detailed
> traffic on the DNS server, only to find that inquiries using the off-site IP
> are almost constant. It seems like there is one PC, occasionally two, using
> that IP for DNS (and SMB and a few other protocols) just about all the time,
> although the issue seems to move from computer to computer at no
> identifiable interval. Apparently, either some of the users are
> experiencing problems and just re-starting or the DNS error is not lasting
> long enough to cause them to actually see the connectivity loss.
>
> These PCs are in three different network segments, broken up at Layer 3,
> configured by three different DHCP servers (although all are in the same AD
> forest.) Before I identified the problem being present in three different
> segments, I tried stopping the known DHCP server and trying to obtain
> address information - No rogue DHCP apparent. We are using 128 WEP on a
> small number of wireless APs, but I have ruled out a customer notebook with
> an ICS configuration running.
>
> I have run thorough Spyware and AV scans of some of the affected PCs with
> no notable results (CA-ITM and Spybot S&D). Statically addressed PCs are not
> affected and one IP subnet that is dynamically addressed but operates in an
> independent AD domain also seems to be OK.
>
> Has anybody else ever seen anything remotely like this?
>
> Any ideas what I can look at to figure out where a changing DNS IP could be
> getting injected into the system, across routers?
>
> I think that I would have gotten an incorrect IP configuration if I had a
> hardware based DHCP on the LAN (like a SOHO router), but it may bear noting
> that a search on that IP reveals it to be one of the most commonly
> referenced publicly accessible DNS servers. The IP appears in many pieces
> of hardware documentation (again, like SOHO gateways).
>
>
>
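A detection check of the kind the post describes (watching which clients send DNS to the off-site IP), written here as an added example that is not from the thread: it runs over constructed firewall-style flow lines and reports each client that queried a resolver outside an assumed allowlist of internal DNS servers, with query counts and first/last seen so a host that "moves" can be tracked between DHCP renewals.

```python
"""Flag clients sending DNS queries to a resolver that is not one of ours.
Added example, not from the thread. Log lines are constructed (timestamp,
src IP, dst IP, protocol, dst port, as a firewall or flow log might record
them); the 10.x addresses and APPROVED_DNS are assumptions."""
from collections import defaultdict
from ipaddress import ip_address

APPROVED_DNS = {"10.1.1.10", "10.2.1.10", "10.3.1.10"}  # assumed internal resolvers
SAMPLE_LOG = """\
2007-09-20T08:01:12 10.3.0.42 10.3.1.10 udp 53
2007-09-20T08:01:13 10.3.0.42 168.95.1.1 udp 53
2007-09-20T08:01:14 10.3.0.42 168.95.1.1 tcp 445
2007-09-20T08:02:05 10.2.0.17 10.2.1.10 udp 53
2007-09-20T08:02:07 10.1.0.99 168.95.1.1 udp 53
2007-09-20T08:02:08 10.1.0.99 168.95.1.1 udp 53
2007-09-20T08:03:30 10.3.0.42 10.3.1.10 udp 53
"""

def parse_line(line):
    """Return (ts, src, dst, proto, port) or None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, port = parts
    try:
        return ts, str(ip_address(src)), str(ip_address(dst)), proto.lower(), int(port)
    except ValueError:
        return None

def unapproved_dns_clients(log_text, approved=APPROVED_DNS):
    """Map each client that queried a non-approved resolver (port 53 only;
    the SMB traffic to the same IP is deliberately left out) to the resolvers
    it used, how many queries it sent, and the first and last timestamps."""
    seen = defaultdict(lambda: {"resolvers": set(), "queries": 0,
                                "first": None, "last": None})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ts, src, dst, _proto, port = rec
        if port != 53 or dst in approved:
            continue
        entry = seen[src]
        entry["resolvers"].add(dst)
        entry["queries"] += 1
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(seen)

if __name__ == "__main__":
    for client, info in sorted(unapproved_dns_clients(SAMPLE_LOG).items()):
        print(client, info["queries"], sorted(info["resolvers"]), info["first"], info["last"])
```

Feeding it a day of real flow records instead of SAMPLE_LOG gives the per-client view the post was after; a client whose first/last window matches a DHCP lease interval points at the lease, one that spans several leases points at the host itself.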

Posted by Christopher A. Newell on September 20, 2007, 7:04 pm
The 7 subnets are physically separated by routers.

Two are totally static configurations. There are 5 DHCP servers, one
physically located on each subnet. Of the four (sorry, missed one) subnets
that are experiencing this, one is a core, and the other three are branched
in a distributed star. The server that is primary for the users in each of
the three branch networks runs DHCP, has a network connection to the core,
and provides the routing. The DHCP is bound only to the NIC on the remote
side of the "distributed star". (The 5th DHCP is also an IP router to the
core, but it is a controller for a trusted domain.)

I am going to have to confirm, but I do not believe that any relay agents
are in operation.

There are three DNS servers running. One provides external lookup and
carries the primary site for our externally addressable sites; all three
resolve our inside *.local DNS entries. I don't think that this is actually
a DNS problem, except to the extent that when a client PC changes the DNS
server entries to the "foreign" server the client cannot resolve internal
names (and since they are blocked from direct outside access, they can't
contact the outside server to resolve public names either. They just lose
all connectivity for any application that is DNS name dependent.)

> Chris, a couple of questions:
> 7 subnets: are there any routers connecting these subnets?
> How many DHCP servers on the network?
> How many DNS servers? Secondary and primary?
>
> I will get to the Internet access!!!


