# some dhcp somewhere issuing incorrect ip info



## nvisibl (Jul 29, 2008)

Is there a way I can tell from an XP client which DHCP server the client got its IP from?

Some of the clients are picking up incorrect DNS info from somewhere and I can't yet locate what's causing it.

Thanks for your help.


----------



## johnwill (Sep 26, 2002)

Not really, you could try using something like Wireshark to monitor the connection and see where the DHCP handshake comes from.


----------



## djaburg (May 15, 2008)

Is this a wireless network?


----------



## Ghiyas (Mar 10, 2009)

You can even use the command `ipconfig /all` to view the DHCP server IP address.


----------



## johnwill (Sep 26, 2002)

Ghiyas said:


> You can even use the command `ipconfig /all` to view the DHCP server IP address.


Which doesn't tell you a thing about where the DHCP server is.


----------



## nvisibl (Jul 29, 2008)

`ipconfig /all` mentions the IP address of the DHCP server... would this then definitely be the DHCP server from which the rest of the IP information came?

I take it that it is.

The problem I have is that the clients are picking up an incorrect address for the primary DNS server. It should be 192.168.1.4 but instead it's showing up as 192.168.1.1.

My DHCP server runs on the same 192.168.1.4 server, and this is the DHCP server address that shows up on the clients when I do an `ipconfig`.

On double checking the DHCP scope on the server, the DNS server address is the correct one, 192.168.1.4, so I don't understand how the clients are sporadically picking up 192.168.1.1, especially if it comes from the correct DHCP server on 192.168.1.4.

The clients are configured to obtain their IP address and DNS from DHCP, so there are no static DNS entries on the clients within the IP properties page.


----------



## nvisibl (Jul 29, 2008)

Hmmmmmm... something strange seems to be going on.

*Just done a brand new XP build as per our standard build*, it was connecting to the web okay etc... as it should, and so had retrieved the correct IP info from the DHCP server, which includes the primary DNS of 192.168.1.4.

The DHCP lease time = 1 week.

*Without having switched off the PC or messed about with any settings, IP or otherwise*, I noticed that I couldn't connect to the web all of a sudden, and so on checking the IP details as a result of this I noticed the cause being that the primary DNS setting had changed to this incorrect address of 192.168.1.1.

Strange or what? :normal:


----------



## clyde123 (Apr 10, 2008)

If this 192.168.1.4 should never change, just configure that into the Internet Connection as a fixed number for the DNS server.


----------



## nvisibl (Jul 29, 2008)

Thank you, and sure, it's the most viable workaround, but it doesn't answer the root issue and also makes things less dynamic.


----------



## djaburg (May 15, 2008)

Well my question still remains unanswered...is this a wireless network? If it's not, then you MUST have another device on the network acting as a DHCP server. Get a utility like lookatlan and have it scan.


----------



## nvisibl (Jul 29, 2008)

Excuse me for not responding before, djaburg... it's a wired network. I have lookatlan but I'm not sure it can help other than by giving a general list of network nodes.

The thing that puzzles me is that the DNS IP seems to change automatically without my rebooting or messing with the IP config. It changes even though the DHCP lease is set to 1 week.


----------



## bilbus (Aug 29, 2006)

... `ipconfig /all` will list the DHCP server and its IP.

You can use dhcpfind, it's a free downloadable tool. It will list all the DHCP servers on your subnet; if you have relay agents, it will also show DHCP servers on a remote subnet.

I can tell you what the problem is: someone hooked up their home router to your network, and it's handing out DHCP addresses. I bet they wanted to use wifi.


----------



## nvisibl (Jul 29, 2008)

dhcpfind sounds handy, thanks, will go look for it now.

If a client has a DHCP-assigned IP config from a DHCP server with a lease time of 1 week, is it possible that the client can obtain IP info from another DHCP server in the interim, even though the original lease remains current? This without the client being rebooted or reconfigured in any way.


----------



## bilbus (Aug 29, 2006)

Yup, won't be a problem.

You may have to `ipconfig /release`, `ipconfig /renew`.


----------



## nvisibl (Jul 29, 2008)

Thanks, but it's not the IP info that needs changing. I'm trying to find out why the clients, after picking up correct DHCP info, are after a while picking up incorrect DNS info, this without the client being rebooted or my doing an `ipconfig /release`. I find it most puzzling, and wonder if it's correct behaviour that a DHCP client should let go of its lease and pick up another even when the lease hasn't expired, and the machine hasn't been rebooted or the initial IP released.


----------



## bilbus (Aug 29, 2006)

It will ask for a new IP every time it boots up.

Usually it will receive the same IP, and won't change. If it gets a new IP, it should change it.

What DNS information is wrong? Server or workstation A records?


----------



## nvisibl (Jul 29, 2008)

The DHCP server info is correct on the server and clients pick up the correct info from the correct DHCP, but many clients thereafter automatically configure with an incorrect DNS server IP... this occurs on a random basis.



nvisibl said:


> hmmmmmm... something strange seems to be going on
> 
> *just done a brand new XP build as per our standard build*, it was connecting to the web okay etc... as it should and so had retrieved the correct IP info from the DHCP server which includes the correct primary DNS of 192.168.1.4
> 
> ...


----------



## nvisibl (Jul 29, 2008)

Okay... running dhcpfinder on a client and it reports that a DHCP server with address *8.255.0.0* is sending packets to it.

We operate a 192 network... and I am also unable to ping this 8.255.0.0 server, wherever it is.

Why is this server contacting clients in our network?
Seems like a spyware or virus issue, but the client I'm testing on here is clean, as far as I can tell.


----------



## bilbus (Aug 29, 2006)

DHCP is broadcast based; it does not matter what its IP is. When you ask for an IP address with DHCP, you have no IP address (see?) so you send out a broadcast.

Change your IP to 8.255.0.1 and try to ping it.

If you can ping it you can find it.

If you are in a small office where you can unplug stuff, it will be easy to find. When you can no longer ping it after unplugging, you know it's on that port / switch.

If you are in a large office where you can't... you will have to make a VLAN with yourself in it. Then add all the ports for the local switch; if you can't ping it, add a second switch to the VLAN, and a third, until you can. Now you know what switch it is. Move to that switch, VLAN again, add half the ports... and keep narrowing it down.

Once you find the port you can look up the location and walk there.

Ideally, you want to VLAN all of your desktop ports... so they cannot talk to other desktops.

So say switch 1 is all desktops. All switch ports can talk to port 24 (the uplink to the main switch) but 1-23 cannot talk to each other.


----------



## nvisibl (Jul 29, 2008)

When I change my IP to 8.255.0.1 in order to ping the 8.255.0.0 address I get "destination address not valid". The VLAN idea is good, thanks; the walk round may be easier so will get to that today.


----------



## bilbus (Aug 29, 2006)

Well, the same test can be performed by ARP, or dhcpfind.

Keep running dhcpfind, unplug cables from the switch until you stop getting dhcpfind responses.

I generally unplug the uplinks first; it narrows it down a lot faster.


----------



## grue155 (May 29, 2008)

This may be a little overly paranoid, but the description seems to match recent malware that spoofs DHCP so as to supply malware-directed DNS addresses. Details at http://isc.sans.org/diary.html?storyid=5434 with a recent followup at http://isc.sans.org/diary.html?storyid=6025

Probably the only reliable way to locate the source of the problem is with a network monitor such as Wireshark, and then start disconnecting networking cables to see what stops. Some kind of binary search would be the quickest way to isolate it, but that can take some hardware resources that may not be available, depending on how your LAN is set up.


----------



## bilbus (Aug 29, 2006)

If you use dhcpfind and unplug cables you will find it.

How would Wireshark help you find it? It will tell you the payload... but it is not a packet detector / locator.


----------



## grue155 (May 29, 2008)

Wireshark can be useful in its reporting of the MAC addresses being used. If it's simply a misconfigured DHCP server, then the MAC will correspond to a real machine. But if the MAC is forged or otherwise bogus, it'll be much more obvious there is malware involved. And if it is malware, then it's likely doing something else, which Wireshark will likely be able to see. The more information available, the quicker it would be to narrow the scope of the problem.
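The two approaches discussed in this thread, listing which DHCP servers are answering on the subnet (bilbus's dhcpfind post) and recording the MAC address each answer comes from (grue155's point above), can be combined in a small audit script. The following is an added example, not code from any poster or from dhcpfind or Wireshark. It assumes you already have, for each server-to-client DHCP message, the source MAC seen on the wire and the UDP payload (the BOOTP/DHCP message), which is exactly what a capture tool shows you. The two captured messages below are constructed sample data, not a real capture: one legitimate OFFER from the thread's 192.168.1.4 server, and one OFFER with the thread's bogus server identifier 8.255.0.0 handing out 192.168.1.1 as DNS. The MAC reported for a flagged message is what you would look up in the switch's MAC address table to find the port, instead of unplugging cables one by one.

```python
import struct
from ipaddress import IPv4Address

# Expected values for this thread's network (taken from the posts).
EXPECTED_DHCP_SERVERS = {"192.168.1.4"}
EXPECTED_DNS_SERVERS = {"192.168.1.4"}

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
BOOTREPLY = 2
MSG_NAMES = {2: "OFFER", 5: "ACK"}        # server -> client message types we care about


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message: fixed header, magic cookie, then TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    yiaddr = str(IPv4Address(payload[16:20]))          # address being offered to the client
    chaddr = payload[28:28 + hlen].hex(":")             # client hardware address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def ip_list(raw: bytes) -> list:
    """Decode an option value holding one or more packed IPv4 addresses."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def audit_dhcp_frame(src_mac: str, payload: bytes,
                     expected_servers=EXPECTED_DHCP_SERVERS,
                     expected_dns=EXPECTED_DNS_SERVERS) -> list:
    """Return findings for one server->client DHCP message; [] if it looks legitimate."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg["op"] != BOOTREPLY or msg_type not in MSG_NAMES:
        return []                                        # client requests are not audited here
    kind = MSG_NAMES[msg_type]
    findings = []
    server_id = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    if server_id not in expected_servers:
        findings.append(f"DHCP {kind} from MAC {src_mac}: server identifier {server_id} "
                        f"is not an approved DHCP server")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in expected_dns:
            findings.append(f"DHCP {kind} from MAC {src_mac}: hands out DNS server {dns} "
                            f"(expected {sorted(expected_dns)})")
    return findings


def audit_capture(capture) -> list:
    """Audit a list of (source MAC, UDP payload) pairs and collect every finding."""
    findings = []
    for src_mac, payload in capture:
        findings.extend(audit_dhcp_frame(src_mac, payload))
    return findings


def build_dhcp_reply(msg_type, server_id, dns_servers, yiaddr, client_mac) -> bytes:
    """Construct a server->client DHCP message (sample data for this example only)."""
    chaddr = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    dns_raw = b"".join(IPv4Address(d).packed for d in dns_servers)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
            + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
            + bytes([OPT_END]))
    return header + DHCP_MAGIC + opts


# Constructed sample capture: (source MAC on the wire, DHCP payload). MACs are made up.
SAMPLE_CAPTURE = [
    ("00:11:22:33:44:01", build_dhcp_reply(2, "192.168.1.4", ["192.168.1.4"],
                                           "192.168.1.50", "00:aa:bb:cc:dd:01")),
    ("00:11:22:33:44:02", build_dhcp_reply(2, "8.255.0.0", ["192.168.1.1"],
                                           "192.168.1.50", "00:aa:bb:cc:dd:01")),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

Feeding real traffic in means replacing `SAMPLE_CAPTURE` with pairs taken from a capture of UDP port 68 traffic; the parser only needs the DHCP payload, so any capture library that exposes it will do. If a flagged message carries a MAC that belongs to a known machine, you have a misconfigured device; a MAC that no inventory recognises is the malware case grue155 describes, and either way the MAC is what the switch's forwarding table maps to a port.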


----------

