I've run into some strange DNS server behavior. A month ago I renamed the domain. Today I found a PTR record containing the old domain name. I deleted it, but after a refresh I saw this record again. I checked the DNS update request log for the request to create this record but didn't find anything. How can I find out who creates this record?
Thanks.
Mykhaylo Khodorev
ASKED:
January 6, 2006 2:35 AM
UPDATED:
January 11, 2006 10:24 PM
A host with that IP address existed, but now it has another address. That computer is a Linux box. So, there is no host with the IP address which appears in the reverse zone.
We had a problem with DNS records returning if they contain upper case characters. If this is the case you can call Microsoft for the fix. This is free.
All names are in lower case only
I have no solution. But is there any chance you have forgotten a DHCP server which is still leasing the IP address?
Check your secondary DNS server to see if the old PTR is being replicated back, or any other program trying to gain access through IP, including mapped drives.
Ralfeus,
Your question is who created the record? If you have your DNS Active Directory integrated, you should be able to look at the properties of the record and see who created it. I’m not sitting at a DNS server right now to test it, but I believe that there are properties on who is the owner. You’ll have to fiddle around with it because I don’t remember how to look at who owns it, but it’s not extremely hard to do.
Hope this helps,
SF
The owner of that record is SYSTEM. I checked that first of all… Is it possible to log all update requests, including the username of the update initiator and the IP address of the computer the request was sent from?
Thanks
Mykhaylo
Hello,
Does your Linux server have multiple NICs? If this is the case, check that you don’t have an old IP still assigned to one of the secondary NICs. If you do, this could be the source of your rogue record in DNS.
Also, check all of your IP settings on the Linux box for any old IPs that still may be configured. Just because your box is working on the network does not necessarily mean that an old address is not present somewhere.
Good Luck!
You can’t filter by username because it’s never the user that is requesting the DNS dynamic entry. The computer itself is the one that requests the entry. However, you could filter your logs based on IP Address, as mentioned in this article:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2a2723c5-3462-411d-94e2-fe5fc08db07b.mspx
Filtering it would allow you to see information from a specific IP Address. Maybe the information in the debug file will tell you what the computer is requesting. Since it’s a PTR record that’s being added, you should have the IP Address as well.
SF
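The log filtering suggested in the last reply, as an added example that is not part of the original thread: a Python sketch that scans DNS debug log PACKET lines for received dynamic-update requests (opcode `U`) against reverse zones and counts them per client IP. The line layout in the regex and the sample lines are assumptions constructed for illustration (the layout varies between Windows versions); an update packet's summary line names the zone being updated, so this identifies which client is sending updates to the reverse zone rather than the PTR name itself.

```python
import re
from collections import Counter

# Assumed layout of a PACKET summary line in the DNS debug log; the packet-id
# column and the question-type column are treated as optional.
PACKET_RE = re.compile(
    r"PACKET\s+(?:[0-9A-Fa-f]{8,16}\s+)?(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R?)\s*(?P<op>[QNU?])\s+"
    r"\[[^\]]*\]\s+(?:(?P<qtype>\S+)\s+)?(?P<name>\(\S+)"
)

def decode_name(raw):
    """Turn '(1)2(1)0(3)192(7)in-addr(4)arpa(0)' into '2.0.192.in-addr.arpa'."""
    labels = re.findall(r"\(\d+\)([^()]*)", raw)
    return ".".join(label for label in labels if label).lower()

def update_sources(lines, zone_suffix="in-addr.arpa", only_ip=None):
    """Count received dynamic-update requests per (client IP, zone)."""
    hits = Counter()
    for line in lines:
        m = PACKET_RE.search(line)
        # Keep only inbound requests with opcode U; skip responses and queries.
        if not m or m["dir"] != "Rcv" or m["op"] != "U" or m["resp"]:
            continue
        zone = decode_name(m["name"])
        if not zone.endswith(zone_suffix):
            continue
        if only_ip and m["ip"] != only_ip:
            continue
        hits[(m["ip"], zone)] += 1
    return hits

# Constructed sample lines (documentation addresses, made-up ids and flags).
SAMPLE_LOG = """\
1/6/2006 2:31:07 AM 0F5C PACKET  00000000028FB940 UDP Rcv 192.0.2.50      8a3b   U [0028       NOERROR] SOA    (1)2(1)0(3)192(7)in-addr(4)arpa(0)
1/6/2006 2:31:07 AM 0F5C PACKET  00000000028FB940 UDP Snd 192.0.2.50      8a3b R U [00a8       NOERROR] SOA    (1)2(1)0(3)192(7)in-addr(4)arpa(0)
1/6/2006 2:33:40 AM 0F60 PACKET  00000000029A1C10 UDP Rcv 192.0.2.77      1c2d   Q [0001   D   NOERROR] PTR    (2)15(1)2(1)0(3)192(7)in-addr(4)arpa(0)
1/6/2006 2:34:02 AM 0F5C PACKET  00000000028FC120 UDP Rcv 192.0.2.50      8a3c   U [0028       NOERROR] SOA    (1)2(1)0(3)192(7)in-addr(4)arpa(0)
1/6/2006 2:34:30 AM 0F5C PACKET  00000000028FC990 UDP Rcv 192.0.2.91      77e0   U [0028       NOERROR] SOA    (7)example(4)test(0)
""".splitlines()

if __name__ == "__main__":
    for (ip, zone), count in update_sources(SAMPLE_LOG).most_common():
        print(f"{ip} sent {count} update request(s) for zone {zone}")
```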