DNS changes unexpectedly.

Douglas Armstrong doug at ovationdata.com
Tue May 2 03:30:55 UTC 2006


In Linux, grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases
for eth0, /var/lib/dhclient/dhclient-eth1.leases if there is a second
interface. The server info will be presented with the most recent last.
# grep dhcp-server-identifier /var/lib/dhclient/dhclient-eth0.leases
  option dhcp-server-identifier 192.168.168.1;
  option dhcp-server-identifier 192.168.168.1;
  option dhcp-server-identifier 192.168.168.1;
  option dhcp-server-identifier 192.168.168.1;


Glenn Satchell wrote:

Date: Mon, 1 May 2006 17:06:32 -0700 (PDT)
From: Keith Woodworth <kwoody at citytel.net>[1]
To: dhcp-users at isc.org[2]
Subject: DNS changes unexpectedly.

Over the last week we've had a part of our network getting some strange DNS.
It's about 400 clients but not all of them seem to be affected as far as we
can tell.

Client boots up gets valid IP and DNS. Things will work for anywhere from
10 mins to 3 hrs, then suddenly the client will not be able to get any
webpages but they can still be streaming audio or be on some online chat but
the web and email go down.

In troubleshooting this I'm finding that these clients, while they still have
a valid IP address, their DNS has changed to 192.168.1.1. As soon as they
repair/renew their DNS is back and away they go.

As a fix I've been getting the DNS hardcoded but this should be be a
permanent fix.

I'm guessing someone has a router plugged in backwards on this subnet and
just started sniffing the network.

Why would just the DNS change and not the IP too? It seems odd that just the
DNS IP would change and not the IP of their machine too. Lease times are
7 days so the way I understand it the client should not be trying to renew
the IP or DNS for 3.5 days. But we are seeing only the DNS change as fast as
10 mins after their initial DHCP request.

Thanks for any insight.

Keith

Definitely seems very weird ... but is it possible that there could be a
rogue DHCP server somewhere on your net? When you find a client with the bad
DNS info can you check to see what it thinks is the DHCP server's address? On
Windows that's 'ipconfig /all' but I'm not sure for unix or linux.

If you search the mailing list archives for entries on 'rogue server' I seem
to remember a posting saying there was a utility in one of the Windows
resource kits for tracking down rogue DHCP servers.

regards,
-glenn
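
The lease-file check described in this message, extended to compare both the DHCP server and the DNS servers against known-good values. This is an added example, not part of the original post or of ISC's code. It assumes 192.168.168.1 is the legitimate DHCP and DNS server; the sample leases are constructed, and audit_leases and parse_leases are hypothetical helper names.

```python
import re

# Constructed sample in dhclient lease-file format (oldest lease first).
# 192.168.168.1 and 192.168.1.1 appear in the thread; 192.168.168.254 is made up.
SAMPLE_LEASES = """\
lease {
  interface "eth0";
  fixed-address 192.168.168.57;
  option domain-name-servers 192.168.168.1;
  option dhcp-server-identifier 192.168.168.1;
}
lease {
  interface "eth0";
  fixed-address 192.168.168.57;
  option domain-name-servers 192.168.1.1;
  option dhcp-server-identifier 192.168.168.254;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.DOTALL)
OPTION_RE = re.compile(r"^\s*option\s+([\w-]+)\s+(.*?);\s*$", re.MULTILINE)

def parse_leases(text):
    """Return one {option-name: value} dict per lease block, in file order."""
    return [dict(OPTION_RE.findall(body)) for body in LEASE_RE.findall(text)]

def audit_leases(text, trusted_servers, trusted_dns):
    """Return [(lease_number, [reasons])] for leases naming an unknown server or DNS."""
    findings = []
    for number, opts in enumerate(parse_leases(text), start=1):
        reasons = []
        server = opts.get("dhcp-server-identifier")
        if server is None:
            reasons.append("no dhcp-server-identifier recorded")
        elif server not in trusted_servers:
            reasons.append(f"unexpected DHCP server {server}")
        # domain-name-servers may hold a comma-separated list of addresses.
        dns = [a.strip() for a in opts.get("domain-name-servers", "").split(",")]
        rogue_dns = [a for a in dns if a and a not in trusted_dns]
        if rogue_dns:
            reasons.append("unexpected DNS " + ", ".join(rogue_dns))
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    trusted = {"192.168.168.1"}  # assumption: the site's real DHCP/DNS server
    for number, reasons in audit_leases(SAMPLE_LEASES, trusted, trusted):
        print(f"lease #{number}: " + "; ".join(reasons))
```

To run it against a real client, pass the contents of /var/lib/dhclient/dhclient-eth0.leases as the text argument along with the site's own server addresses.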


--- Links ---
   1 mailto:kwoody at citytel.net
   2 mailto:dhcp-users at isc.org

