
I'm observing a problem related to the DNS server. I see my machine changes its DNS server IP to some private IP address automatically. I looked at the Wireshark capture. I don't find any DHCP or DNS packets that could have looked suspicious.

I've uploaded capture @ http://www.filedropper.com/ram

Below is a snapshot of the problem I'm talking about. If you notice in the capture below, the PC 10.190.38.85 starts sending DNS packets to 192.168.19.1 instead of the corporate DNS server 10.190.12.27.

I tried looking at DHCP packets, but there aren't any except some DHCP Informs.

Is it possible to force a client to start using a new DNS server without DHCP packets?

[screenshot of the capture]

asked 05 Mar '15, 03:14


Ramprasad

Forgot to mention:

It's not just the capture; even in the interface configuration the new DNS server IP is seen.

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : root.pri
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : F0-1F-AF-37-91-5D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.190.38.85(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : 04 March 2015 18:30:44
   Lease Expires . . . . . . . . . . : 06 March 2015 18:30:44
   Default Gateway . . . . . . . . . : 10.190.39.254
   DHCPv4 Class ID . . . . . . . . . : CSR
   DHCP Server . . . . . . . . . . . : 10.190.12.35
   DNS Servers . . . . . . . . . . . : 192.168.19.1
                                       192.168.19.1
   Primary WINS Server . . . . . . . : 10.147.1.1
   Secondary WINS Server . . . . . . : 10.147.1.6
   NetBIOS over Tcpip. . . . . . . . : Enabled

I place the capture files in the below location

(05 Mar '15, 03:16) Ramprasad

Looks like a Windows config issue. How is the Wireshark community supposed to help with this?

(05 Mar '15, 09:09) Kurt Knochner ♦

It's not a Windows config issue. It changes automatically. I was thinking something triggered this and it can be figured out from a network capture.

And moreover, I see this forum addressing issues not strictly related to Wireshark, but protocol understanding issues as well. If I'm on the wrong page, I would refrain from posting...

(05 Mar '15, 10:03) Ramprasad

Can you share a capture in a publicly accessible spot, e.g. CloudShark? This allows anyone to look at the capture, even away from our Wireshark machine.

(05 Mar '15, 10:59) Jaap ♦

> It's not a Windows config issue. It changes automatically.

It is a config issue, no matter whether the change happens manually or automatically. There is no network protocol I know of, besides DHCP, to change the DNS servers of a system. As you mentioned already, there is no DHCP traffic in the capture file (besides a single frame which is unrelated).

So, my guess is: there is a piece of software on your system that changes the DNS config for whatever reason. It could be legitimate or malware, although malware would not make much sense with those DNS IP addresses.

> I was thinking something triggered this and it can be figured out from a network capture.

No. There is nothing in the capture file that could explain it. So, this is most likely a local windows and/or software problem.

> And moreover, I see this forum addressing issues not strictly related to Wireshark, but protocol understanding issues as well. If I'm on the wrong page, I would refrain from posting...

No need to be upset ;-) I'm among those here who try to help even with problems that are not related to Wireshark at all. However, your problem is by no means related to any network problem, so there is nothing you/we can do to troubleshoot this with Wireshark or with any other network troubleshooting ;-)

Again: this is a local Windows config problem and/or a software problem on that system.

Are you using any kind of VPN client (SSL, IPsec)? If so, try disabling, or better uninstalling, them and then check if the problem persists. VPN clients often change DNS settings. Usually they do it only on their own virtual VPN NIC/adapter, but who knows ...

Regards
Kurt


answered 05 Mar '15, 16:09


Kurt Knochner ♦
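As Kurt says, DHCP is the one network protocol that can hand a Windows client its DNS servers, so the check worth running on a capture like this is: list every DHCP server reply (OFFER or ACK) that carries option 6 (Domain Name Server), including the ACKs that answer the DHCPINFORM messages the asker mentions, and note which server identifier (option 54) each one came from. The script below is an added example, not code from this thread or from Wireshark: it parses raw BOOTP/DHCP payloads with a small option walker and flags replies whose server or DNS list is outside the corporate addresses. The corporate DHCP server (10.190.12.35) and DNS server (10.190.12.27) come from the ipconfig output in the question; the sample packets are constructed by hand for the demo, and the server at 192.168.19.1 that appears in them is hypothetical, not something the capture is known to contain.

```python
import ipaddress

# Addresses taken from the ipconfig output posted in the question.
CORP_DHCP_SERVER = "10.190.12.35"
CORP_DNS_SERVERS = {"10.190.12.27"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area (offset 236)
OPT_DNS_SERVERS = 6
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse one BOOTP/DHCP message (the UDP payload) into op, yiaddr and a
    {option_code: raw_bytes} map. Raises ValueError if the magic cookie is absent."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad byte, carries no length field
            i += 1
            continue
        if code == 255:          # end-of-options marker
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": payload[0],                                    # 1 = BOOTREQUEST, 2 = BOOTREPLY
        "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
        "options": options,
    }


def ipv4_list(raw: bytes) -> list:
    """Decode a run of 4-byte addresses (the wire format of options 6 and 54)."""
    return [str(ipaddress.IPv4Address(raw[k:k + 4]))
            for k in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dhcp_replies(payloads) -> list:
    """For every server reply (OFFER/ACK) carrying option 6, record the sender and
    whether the server or the DNS list falls outside the corporate addresses.
    An ACK with yiaddr 0.0.0.0 has the shape of an answer to a DHCPINFORM
    (RFC 2131 tells the server not to fill in yiaddr there); this is a heuristic."""
    findings = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        opts = msg["options"]
        mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
        if msg["op"] != 2 or mtype not in ("OFFER", "ACK"):
            continue
        dns = ipv4_list(opts.get(OPT_DNS_SERVERS, b""))
        if not dns:
            continue
        server_id = ipv4_list(opts.get(OPT_SERVER_ID, b""))
        server = server_id[0] if server_id else None
        findings.append({
            "type": mtype,
            "server_id": server,
            "dns": dns,
            "rogue_server": server != CORP_DHCP_SERVER,
            "unexpected_dns": [d for d in dns if d not in CORP_DNS_SERVERS],
            "looks_like_inform_reply": mtype == "ACK" and msg["yiaddr"] == "0.0.0.0",
        })
    return findings


def build_dhcp_reply(msg_type: int, server_id: str, dns_servers, yiaddr="0.0.0.0") -> bytes:
    """Build a minimal BOOTREPLY with options 53, 54 and 6. Only used to construct
    the sample data below; a real tool would feed in payloads read from a pcap."""
    hdr = bytearray(236)
    hdr[0] = 2                                   # op = BOOTREPLY
    hdr[1], hdr[2] = 1, 6                        # htype Ethernet, hlen 6
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_DNS_SERVERS, len(dns_raw)]) + dns_raw
            + b"\xff")
    return bytes(hdr) + MAGIC_COOKIE + opts


# Constructed sample traffic (NOT from the asker's capture): one ordinary lease ACK
# from the corporate server, and one INFORM-shaped ACK from a hypothetical server at
# 192.168.19.1 that hands out itself as DNS twice, matching what ipconfig showed.
SAMPLE_PAYLOADS = [
    build_dhcp_reply(5, CORP_DHCP_SERVER, ["10.190.12.27"], yiaddr="10.190.38.85"),
    build_dhcp_reply(5, "192.168.19.1", ["192.168.19.1", "192.168.19.1"]),
]


def suspicious_replies(payloads=SAMPLE_PAYLOADS) -> list:
    """Only the findings where the DHCP server or the DNS list is not corporate."""
    return [f for f in audit_dhcp_replies(payloads)
            if f["rogue_server"] or f["unexpected_dns"]]


if __name__ == "__main__":
    for f in suspicious_replies():
        print(f"{f['type']} from {f['server_id']}: DNS={f['dns']} "
              f"inform_reply={f['looks_like_inform_reply']}")
```

On a real capture the same check is quicker in Wireshark itself: filter on DHCP (the dissector was still called `bootp` in the versions current when this thread was written) and look at the Domain Name Server option in each server reply, not only at the DISCOVER/OFFER/REQUEST/ACK lease exchange; an ACK answering a DHCPINFORM is a reply too, so a single "unrelated" DHCP frame deserves a look at its options before it is dismissed.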

Thanks Kurt.

These problems are seen on corporate machines which have antivirus installed, and not on just one machine: on multiple machines this problem was reported at the same time.

And my IT department says it's due to someone having misconfigured one of the test laptops, which ran Ubuntu. Then I spoke to the engineer whose Ubuntu laptop was causing this... all he knows is that IT removed the line "dns=dnsmasq" from the networkmanager.conf file. After this change, users no longer experience this problem. I did a little searching on Google to find out what this dnsmasq is, but couldn't find any answer that explains how it could cause this. Thus I thought a network capture might help, but I couldn't figure it out myself. So I came here for help!

Thus, I never thought it could have been caused by malware/virus. But as you elaborated, since the network capture isn't hinting at anything, I will provide this feedback to IT.

Thanks Again for the help!

(07 Mar '15, 09:25) Ramprasad
question asked: 05 Mar '15, 03:14

question was seen: 2,854 times

last updated: 07 Mar '15, 09:25

powered by OSQA