
Please have a look at this screenshot.

I am wondering why a local NetBIOS query would result in an outside Colorado based IP being returned.



asked 03 Jun '12, 12:54

pluribus

That's down to the name resolution done by IP, possibly your router. The two A records returned are and and neither of them seem to have much to do with the name "WORKGROUP" which comes from the default workgroup for a non-domain Windows machine.

Wireshark shows the subsequent SYN requests with destination "WORKGROUP" due to the A records returned by the preceding DNS queries populating the name cache.


The IP addresses returned from the query are due to the user's ISP hijacking DNS queries for unknown hosts. TimeWarner / RoadRunner dumbness.


answered 03 Jun '12, 13:47

grahamb ♦

edited 04 Jun '12, 01:47

Thanks for the rapid reply. I am not sure I understood fully.

In a nutshell are you saying the events are not related to a lookup for "workgroup?"

Is this normal behavior that I am just not grasping?

(03 Jun '12, 13:54) pluribus

Also when I do a

    ping workgroup
    PING workgroup ( 56(84) bytes of data.

why would my DNS server resolve the word "workgroup" to anything? I am confused.

I just got it, this is part of my ISP advertising, all unknown names return this landing page at

Ok one mystery solved, time to edit resolv.conf to something a little better like

(03 Jun '12, 14:00) pluribus

Looks a little odd to me, why is your DNS resolver returning those A records? Does the machine at run a full DNS resolver or is it just forwarding queries?

(03 Jun '12, 14:01) grahamb ♦

is a wireless router. If you navigate to the IP it is sort of like an ad for the ISP. So, if I ping anything at all with no TLD it will resolve to that IP. It is odd imo too, the has no DNS server enabled on it. When I changed /etc/resolv.conf to read instead of localhost the issue went away. Now when I "ping workgroup" I get the message "unknown host."

If any behavior seems odd please let me know what tests I can run because I have def been having strange experiences on the network lately including a lot of BAD TCP traffic and some other alarming traffic.

(03 Jun '12, 14:06) pluribus

That'll be an ISP "enhancement" then, that instead of returning "unknown host" as required, they instead return the IP address of a landing page to throw advertising at you.

Searching for "DNS landing page" will get you many similar complaints. What is your ISP?

(03 Jun '12, 14:11) grahamb ♦

timewarner / roadrunner

btw to test it, I changed my router's DNS servers to OpenDNS and Google.

now when I ping workgroup I get this

    PING workgroup ( 56(84) bytes of data.
    64 bytes from ( icmp_req=1 ttl=51 time=15.7 ms
    64 bytes from ( icmp_req=2 ttl=51 time=15.0 ms

(03 Jun '12, 14:33) pluribus

That IP is another landing page, if you pop it into your browser, same idea. "Enhancement", not unlike the rootkit enhancement known as computrace that has been put on millions of computers sold by HP, Dell, Lenovo, etc. All infected with a lojack device from Absolute Software that can be turned into a trojan by an attacker. Gotta love the manufactured consent of all these wonderful enhancements.

Thanks to Wireshark I am finding and eliminating all these enhancements one at a time.

(03 Jun '12, 14:33) pluribus

Those "enhancements" are a key feature of OpenDNS. They try to filter your DNS requests for typos, malware sites and other things. Based on the result they will return an IP address of a landing page (malware, unknown host, etc.) or the right web site (typo). It's kind of a managed, enhanced DNS. Some people love it, some hate it ;-) However, the behaviour of your ISP is plain dumb. Resolving a single host query (not a FQDN) to an external landing page is a really bad idea and calls for trouble.

(04 Jun '12, 01:27) Kurt Knochner ♦
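
A check for the resolver behaviour discussed in this thread, as an added example that is not part of the original posts: it parses a raw DNS reply for a probe name that should not exist and reports whether the resolver answered NXDOMAIN or substituted A records. The two replies are constructed sample data using documentation addresses (192.0.2.0/24), and all function names are hypothetical.

```python
import socket
import struct

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n
        if n == 0:                  # root label terminates the name
            return off

def classify(msg):
    """Return (verdict, A-record IPs) for a reply to a name that should not exist."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return "nxdomain", ips                  # resolver reported the name as unknown
    if rcode == 0 and ips:
        return "rewritten", ips                 # resolver substituted addresses
    return "other", ips

def make_reply(name, rcode, addrs):
    """Build a constructed reply (sample data, not taken from a capture)."""
    hdr = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(a)
                   for a in addrs)
    return hdr + question + rrs

HONEST = make_reply("workgroup", 3, [])                               # constructed
HIJACKED = make_reply("workgroup", 0, ["192.0.2.10", "192.0.2.11"])   # constructed
```

On a live network, `classify()` takes the raw UDP payload returned for a random, unregistered label; a "rewritten" verdict for such a name means the resolver is not passing NXDOMAIN through.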