DNS PTR records inexplicable appearance

Tags: DHCP, DNS, Management, Microsoft Windows, Networking, Networking services, OS, Security, Servers, SQL Server

I've met some strange DNS server behavior. A month ago I renamed the domain. Today I found a PTR record containing the old domain name. I deleted it, but after a refresh I saw this record again. I checked the DNS update requests log for the request to create this record but didn't find anything. How can I find out who creates this record? Thanks. Mykhaylo Khodorev

Answer Wiki


Hello,

You can trace the IP address of the record in question back to the device it is assigned to. If you have reverses set up in DNS, it's as simple as typing nslookup from a command prompt to reveal the device name. Now you have a starting point from which to troubleshoot. Also, I'd check for other DNS records using the same IP address as the rogue record. If present, this could give you additional clues to locating the problem.

Good Luck!

Discuss This Question: 10  Replies

 
  • Ralfeus
    A host with that IP address existed, but now it has another address. That computer is a Linux box. So there is no host with the IP address that appears in the reverse zone.
  • Tim123
    We had a problem with DNS records returning if they contain upper case characters. If this is the case, you can call Microsoft for the fix. This is free.
  • Ralfeus
    All names are in lower case only
  • Ralfeus
    All names are in lower case only
  • Ctyauhk
    I have no solution. But is there any chance you have forgotten a DHCP server which is still leasing the IP address?
  • Richl01
    Check your secondary DNS server to see if the old PTR is being replicated back, or any other program trying to gain access through IP, including mapped drives.
  • Sonyfreek
    Ralfeus, Your question is who created the record? If you have your DNS Active Directory integrated, you should be able to look at the properties of the record and see who created it. I'm not sitting at a DNS server right now to test it, but I believe that there are properties on who is the owner. You'll have to fiddle around with it because I don't remember how to look at who owns it, but it's not extremely hard to do. Hope this helps, SF
  • Ralfeus
    The owner of that record is SYSTEM. I checked it first of all... Is it possible to log all update requests, including the username of the update initiator and the IP address of the computer the request was sent from? Thanks, Mykhaylo
  • Petroleumman
    Hello, Does your Linux server have multiple NICs? If this is the case, check that you don't have an old IP still assigned to one of the secondary NICs. If you do, this could be the source of your rogue record in DNS. Also, check all of your IP settings on the Linux box for any old IPs that still may be configured. Just because your box is working on the network does not necessarily mean that an old address is not present somewhere. Good Luck!
  • Sonyfreek
    You can't filter by username because it's never the user that is requesting the DNS dynamic entry. The computer itself is the one that requests the entry. However, you could filter your logs based on IP Address, as mentioned in this article: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2a2723c5-3462-411d-94e2-fe5fc08db07b.mspx Filtering it would allow you to see information from a specific IP Address. Maybe the information in the debug file will tell you what the computer is requesting. Since it's a PTR record that's being added, you should have the IP Address as well. SF
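
The log filtering suggested in the last reply could be scripted as below; this is an added example, not code from the thread or from Microsoft. It assumes the packet-line layout of the Windows DNS debug log noted in the first comment, the function names are hypothetical, and the sample lines, addresses and names are constructed. In a dynamic update the logged question is the zone's SOA, so the packet line identifies the sender and the reverse zone rather than the individual PTR name.

```python
import re
from collections import Counter

# Assumed packet-line layout of the Windows DNS debug log:
# date time thread PACKET id UDP|TCP Snd|Rcv remote-ip xid [R] opcode [flags rcode] qtype qname
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s[AP]M)?)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?:UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+[0-9a-fA-F]+\s+"
    r"(?P<resp>R\s+)?(?P<opcode>[QNU?])\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def decode_name(raw):
    """Turn '(7)in-addr(4)arpa(0)' into 'in-addr.arpa'."""
    return ".".join(l for l in re.findall(r"\(\d+\)([^()]*)", raw) if l)

def reverse_zone_updates(lines, suffix="in-addr.arpa"):
    """Return received dynamic-update requests whose zone ends with suffix."""
    hits = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        # Keep only inbound requests (not responses) with opcode U = Update.
        if not m or m["dir"] != "Rcv" or m["resp"] or m["opcode"] != "U":
            continue
        zone = decode_name(m["qname"]).lower()
        if zone.endswith(suffix):
            hits.append({"when": f'{m["date"]} {m["time"]}',
                         "sender": m["remote"], "zone": zone,
                         "rcode": (m["flags"].split() or ["?"])[-1]})
    return hits

def senders(lines):
    """Count reverse-zone update requests per source IP, most frequent first."""
    return Counter(h["sender"] for h in reverse_zone_updates(lines)).most_common()

# Constructed sample lines; addresses and names are made up.
SAMPLE = """\
20240105 09:14:02 0A3C PACKET  000000D1F2A3B4C0 UDP Rcv 192.168.1.20    8f3a   Q [0001   D   NOERROR] A      (4)host(7)example(4)test(0)
20240105 09:14:07 0A3C PACKET  000000D1F2A3B5D0 UDP Rcv 192.168.1.5     1c2e   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
20240105 09:14:07 0A3C PACKET  000000D1F2A3B5D0 UDP Snd 192.168.1.5     1c2e R U [00a8       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
20240105 09:20:41 0B10 PACKET  000000D1F2A3C6E0 UDP Rcv 192.168.1.5     77d0   U [0028       NOERROR] SOA    (1)1(3)168(3)192(7)in-addr(4)arpa(0)
20240105 09:21:13 0B10 PACKET  000000D1F2A3C7F0 UDP Rcv 192.168.1.33    a001   U [0028       NOERROR] SOA    (7)example(4)test(0)
"""

if __name__ == "__main__":
    for ip, n in senders(SAMPLE.splitlines()):
        print(f"{ip}\t{n} update request(s) to a reverse zone")
```

If the sender turns out to be a DHCP server registering PTR records on behalf of clients, that matches the forgotten-DHCP-server possibility raised earlier in the thread.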
