>Over the last week we've had a part of our network getting some strange
>It's about 400 clients but not all of them seem to be affected as far as
>we can tell.
>Client boots up gets valid IP and DNS. Things will work for anywhere from
>10 mins to 3 hrs, then suddenly the client will not be able to get any
>webpages but they can still be streaming audio or be on some online chat
>but the web and email go down.
>In troubleshooting this I'm finding that these clients, while they still
>have a valid IP address, their DNS has changed to As soon as
>they repair/renew their DNS is back and away they go. As a fix I've been
>getting the DNS hardcoded but this should be a permanent fix.
>I'm guessing someone has a router plugged in backwards on this subnet and
>just started sniffing the network.
>Why would just the DNS change and not the IP too? It seems odd that just
>the DNS IP would change and not the IP of their machine too.
>Lease times are 7 days so the way I understand it the client should not
>be trying to renew the IP or DNS for 3.5 days. But we are seeing only the
>DNS change as fast as 10 mins after their initial DHCP request.
>Thanks for any insight.
Definitely seems very weird ... but is it possible that there could be
a rogue DHCP server somewhere on your net? When you find a client with
the bad DNS info can you check to see what it thinks is the DHCP
server's address? On Windows that's 'ipconfig /all' but I'm not sure
for Unix or Linux.

If you search the mailing list archives for entries on 'rogue server' I
seem to remember a posting saying there was a utility in one of the
Windows resource kits for tracking down rogue DHCP servers.
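
Added example, not part of the original messages: the check suggested in the reply (which DHCP server handed out the bad DNS) can also be done from a packet capture by reading the server identifier (option 54) and DNS servers (option 6) in each DHCP reply and comparing them with the known-good values. The allowlist addresses, function names and sample packets are constructed for illustration; the input is assumed to be the UDP payload of a DHCP message.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie after the 236-byte BOOTP header
KNOWN_DHCP = {"192.0.2.1"}       # assumed legitimate DHCP server (constructed)
KNOWN_DNS = {"192.0.2.53"}       # assumed legitimate resolver (constructed)

def parse_options(pkt):
    """Return {option code: bytes} from the UDP payload of a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = end option
        if pkt[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        opts[code] = opts.get(code, b"") + data    # repeated options are concatenated
        i += 2 + length
    return opts

def ipv4_list(raw):
    """Split option data into dotted-quad strings, 4 bytes each."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - 3, 4)]

def check_reply(pkt):
    """List findings for a server-to-client message (BOOTP op == 2)."""
    if pkt[:1] != b"\x02":
        return []
    opts = parse_options(pkt)
    findings = [f"unknown DHCP server {s}" for s in ipv4_list(opts.get(54, b"")) if s not in KNOWN_DHCP]
    findings += [f"unexpected DNS server {d}" for d in ipv4_list(opts.get(6, b"")) if d not in KNOWN_DNS]
    return findings

def build_reply(server, dns):
    """Constructed sample DHCPACK carrying options 53, 54 and 6."""
    header = bytes([2, 1, 6, 0]) + bytes(232)
    options = bytes([53, 1, 5, 54, 4]) + ipaddress.IPv4Address(server).packed
    options += bytes([6, 4]) + ipaddress.IPv4Address(dns).packed + b"\xff"
    return header + MAGIC + options

if __name__ == "__main__":
    for pkt in (build_reply("192.0.2.1", "192.0.2.53"), build_reply("198.51.100.7", "198.51.100.7")):
        print(check_reply(pkt) or "ok")
```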


