
kenrogers4

join:2007-09-27
Bandera, TX

Mystery DNS problem

I have a murder mystery! Or at least a harming. Last week wifi users to our library were harmed by not being able to access our library hot spot. Turns out with their laptops set to obtain DNS address automatically the system was returning the nonsense address: 192.168.3.1 for the DNS address! Our ethernet wired computers are all set to specific DNS addresses so they had no problem but when I set one of them to ask for automatic DNS, it had the same problem! So the mystery deepens. It's not a wifi issue at all.

I hard started the Netopia 3347 and reset everything...no joy.

I replaced the 3347 with one we had used before..no joy.

So, it's not a Netopia problem, it must be an ISP problem (ATT DSL.) So I simplified the system down to only one laptop on one port of the 3347, all other ports empty, this time the correct DNS setting came back! So it's not an ATT problem, it's a problem in the library network!

We have a simple network of (mostly) Dell desktops and laptops running Windows 7 plus a Dell server running our library software under Windows server 2003. Most computers are wired to banks of switches on two of the 3347 ports. A Linksys wifi access point is wired to one port of the 3347. Depending on library activity as many as 30 computers might be on at one time.

No address like 192.168.3.x is in use anywhere with just the single 3347. All of our internal addresses are 192.168.1.x.

Is there a Sherlock Holmes type out there with ideas as to how this nonsense DNS address is being returned by the system? Other addresses like the default Gateway address and the DHCP server address are returned satisfactorily.

We would greatly appreciate any leads as to the culprit or suggestions as to what to try to isolate the problem!

Ken Rogers
kenrogers@yahoo.com



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
Reviews:
·G4 Communications
·Fairpoint Commun..
·Hollis Hosting

1 recommendation

192.168.3.1 is a private IP, so it is unlikely to be coming from your ISP; it is being generated locally.

Assuming the clients are set to obtain IP settings automatically, it sounds like you have a rogue DHCP server.

Do any of the APs include a DHCP server? If so, probably one of them got turned on by mistake. Clients do a broadcast DHCP discovery and pick whomever responds first.

/tom
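
Since a client takes whichever DHCP reply arrives first, one way to pin down a bad responder is to capture the replies (UDP ports 67/68) and compare each one with what the real server should hand out. The sketch below is an added example, not part of any poster's reply; the function names are hypothetical, and 192.168.1.254 is a constructed stand-in for the library router, with the "bad" sample mirroring the symptom in this thread (server and gateway fine, DNS 192.168.3.1).

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header

def parse_options(msg: bytes) -> dict:
    """Return {option code: raw value} for a DHCP message (UDP payload)."""
    if len(msg) < 240 or msg[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(msg) and msg[i] != 255:        # 255 = end option
        if msg[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(msg) or i + 2 + msg[i + 1] > len(msg):
            raise ValueError("truncated option")
        code, length = msg[i], msg[i + 1]
        opts[code] = opts.get(code, b"") + msg[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def addrs(raw: bytes) -> list:
    """Split an option value into IPv4 addresses (4 bytes each)."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]

def audit_offer(msg: bytes, allowed_servers: set, allowed_dns: set) -> list:
    """Compare a DHCP OFFER/ACK with the values the real server should hand out."""
    opts = parse_options(msg)
    findings = []
    for server in addrs(opts.get(54, b"")):      # option 54 = server identifier
        if server not in allowed_servers:
            findings.append(f"unexpected DHCP server {server}")
    for dns in addrs(opts.get(6, b"")):          # option 6 = DNS servers
        if dns not in allowed_dns:
            findings.append(f"unexpected DNS server {dns}")
    return findings

def build_offer(server: str, router: str, dns: list) -> bytes:
    """Constructed sample OFFER: zeroed BOOTP header plus options 53, 54, 3, 6."""
    pack = lambda ips: b"".join(ipaddress.IPv4Address(a).packed for a in ips)
    body = bytes([53, 1, 2]) + bytes([54, 4]) + pack([server])
    body += bytes([3, 4]) + pack([router]) + bytes([6, 4 * len(dns)]) + pack(dns)
    return bytes(236) + MAGIC + body + b"\xff"

# Constructed values: 192.168.1.254 stands in for the library router (assumption).
GOOD = build_offer("192.168.1.254", "192.168.1.254", ["192.168.1.254"])
BAD = build_offer("192.168.1.254", "192.168.1.254", ["192.168.3.1"])

if __name__ == "__main__":
    for name, offer in (("good", GOOD), ("bad", BAD)):
        print(name, audit_offer(offer, {"192.168.1.254"}, {"192.168.1.254"}))
```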


kenrogers4

join:2007-09-27
Bandera, TX

Thanks for the quick reply!!! What you say might be correct. We changed the one access point. Something else might be serving as a rogue one. How do I go about locating it? Pinging 192.168.3.1 shows nothing. ARP -a shows nothing. This address shows nowhere!

Ken



davidg
Good Bye My Friend
Premium,MVM
join:2002-06-15
none

1 recommendation

you will need to set your machine to 192.168.3.x so you can reach it. definitely a rogue DHCP, i would turn off EVERY access point one at a time to find it.

also try renaming your SSID and see if you can find the rogue.
--
Lack of Preparation on YOUR Part does NOT Constitute an Emergency on Mine!


kenrogers4

join:2007-09-27
Bandera, TX

Hi again Davidg!

We have only the one access point. I repeated the test with its power off: A hardwired computer set to automatically retrieve ip, etc. addresses comes back with good values for everything but the DNS address.

I noticed on a laptop there are two strong outside APs (nothing to do with the library.) They are both type n with WPA2 security. If somehow one of them could get into our closed system, that would explain it. Only someone wiring the place maliciously would work. This just started around Dec. 12th. Before that we never had any such problems.

Thanks, Ken



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
reply to kenrogers4

davidg beat me to it.

If the "real" LAN is 192.168.1.0/24 you will not be able to connect to the other LAN, assuming a typical home subnet mask of 255.255.255.0. Take a PC and manually set its IP to 192.168.3.x, probably subnet mask 255.255.255.0; don't worry about the other stuff. That should allow you to connect to that AP (or whomever is handing out the bogus IP).

Something else that may help if using Vista or later is from the command line:

netsh wlan show networks mode=bssid

That will display info about every AP the computer is able to see. Might help tracking down the AP.

Good Luck

/tom


kenrogers4

join:2007-09-27
Bandera, TX

tschmidt:

Thanks again! I will try both of those when the library closes this afternoon.

Ken



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9

1 recommendation

reply to kenrogers4

said by kenrogers4:

I noticed on a laptop there are two strong outside APs (nothing to do with the library.) They are both type n with WPA2 security. If somehow one of them could get into our closed system, that would explain it.

Nope - since they are using WPA2, in order to connect the client needs to know the passphrase. Even if the AP was maliciously connected to the library LAN, in order to connect you need to know the passphrase.

But that did remind me of something. Check the preferred network profile on the "bad" PCs. It is possible they are set to connect to an open or even secured WLAN. If that WLAN happens to be stronger than the library, the PC will preferentially connect to that Wi-Fi network.

/tom


tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9
reply to kenrogers4

Oops, sorry, I just reread the thread; you already checked this. Bad DNS only happens if DNS is set dynamically.

said by kenrogers4:

We have only the one access point. I repeated the test with its power off: A hardwired computer set to automatically retrieve ip, etc. addresses comes back with good values for everything but the DNS address.

Check the TCP/IP properties settings on the bad PC. If everything else is correct, it is possible that DNS settings are set statically and someone fat-fingered the values.

/tom

kenrogers4

join:2007-09-27
Bandera, TX

1 recommendation

I've isolated the problem to a wifi type of device we are using! Something must have gone haywire with it on about Dec. 12.
Anyway with this device on: problem; with it off: no problem!

Next step is to get with the installer and fix it. Thanks for your time and efforts tschmidt and Davidg!

Ken Rogers


kenrogers4

join:2007-09-27
Bandera, TX

1 recommendation

Mystery SOLVED!

Turns out it was an unplugged cable on another site linked to the library. I had forgotten about it and the site wasn't in use. I only realized it was this remote connection after disconnecting/powering off everything else! The installer said this should not happen but we have days of torture to say it does.

Thanks again for help eliminating suspects.

Ken Rogers



tschmidt
Premium,MVM
join:2000-11-12
Milford, NH
kudos:9

said by kenrogers4:

Mystery SOLVED!

Think of it as an early Christmas present.

Problems are usually easy to sort out once you figure them out.

/tom


davidg
Good Bye My Friend
Premium,MVM
join:2002-06-15
none
reply to kenrogers4

glad you figured it out!