Have a rogue DHCP server handing out an incorrect DNS entry

asked 2019-06-24 17:49:03 +0000

StealthTCF

On the network, I have switched over the voice switches to the data network as of yesterday morning. When I did this, it would appear that there is a rogue DHCP server on the network.

The DNS address on the client systems is changing from the current DHCP/DNS server 192.168.1.210 over to 192.168.1.1 which is my Fortigate Firewall.

This happened after I plugged phones into the data LAN yesterday. Every 15-20 minutes this morning I have had to go back and release and renew on the client systems to get them to where they are not looking at 192.168.1.1 (Fortigate) but at 192.168.1.210. If I release and renew, it comes up correctly most times. Sometimes though it doesn't release 192.168.1.1 right away.

Rebooting doesn't work. I have rebooted the firewall and switches. It appears to have started after connecting the voice network to the data network.

Currently we have unplugged all Comcast voice services and we have plugged in the Polycom 401s and 600s. When I did a capture, following this YouTube video, I only see the one DHCP server on the network. https://www.youtube.com/watch?v=uyvEa...

Any ideas on what could be handing out the 192.168.1.1 DNS server IP to the workstations, DHCP-wise, to client systems? I try to capture the packets on the network to show me if there are DHCP offers coming from multiple IPs, but I just see the one server, which is my Domain Controller / DHCP server all in one.

Is there a way for me to find the source of the 192.168.1.1 DNS server hand out?


Comments

Just a few questions to better understand: What happens if you introduce a new client, a new machine, on the network? Are you able to ping both DHCP/DNS servers? Are you able to take a packet capture at boot time on the new machine connected to the network?

xinxolHH (2019-06-25 06:48:17 +0000)

1 Answer


answered 2019-06-26 10:19:08 +0000

SYN-bit

"I try to capture the packets on the network to show me if there are DHCP offers coming from multiple IPs, but I just see the one server, which is my Domain Controller / DHCP server all in one."

How are you making this capture? The DHCP response with the wrong DNS server might be sent as a unicast packet, which means it will not be visible unless your capture point is in the path between the rogue DHCP server and the client that makes the DHCP request. I would suggest using a TAP or SPAN port to one system and booting that system to see where the DHCP packets are coming from.

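As an added example (not code from this thread or from Wireshark), a small Python audit that parses DHCP server replies captured at the SPAN/TAP point the answer suggests and flags any reply whose Server Identifier (option 54) or DNS server list (option 6) is not the expected 192.168.1.210 from the question; the packets it runs on are constructed here, and a real capture would feed it the UDP payloads of the port 67/68 traffic.

```python
import struct
from ipaddress import IPv4Address

EXPECTED_SERVER = "192.168.1.210"          # the legitimate DC/DHCP/DNS server named in the question
MAGIC = b"\x63\x82\x53\x63"                # DHCP magic cookie that follows the 236-byte BOOTP header
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_NAMES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def ips(raw: bytes) -> list:
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) // 4 * 4, 4)]

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload into header fields plus a {tag: value} option map."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0: i += 1; continue         # 0 = pad option, carries no length byte
        tag, length = payload[i], payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": str(IPv4Address(payload[16:20])), "options": opts}

def audit_replies(payloads, expected_server=EXPECTED_SERVER) -> list:
    """One (msg_type, server_id, dns_list, verdict) per server reply; ROGUE if server-id or DNS is unexpected."""
    findings = []
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["op"] != 2:                           # 2 = BOOTREPLY; client requests are ignored
            continue
        o = msg["options"]
        mtype = MSG_NAMES.get(o.get(OPT_MSG_TYPE, b"\x00")[0], "OTHER")
        server = (ips(o.get(OPT_SERVER_ID, b"")) or ["<none>"])[0]
        dns = ips(o.get(OPT_DNS, b""))
        bad = server != expected_server or any(d != expected_server for d in dns)
        findings.append((mtype, server, dns, "ROGUE" if bad else "ok"))
    return findings

def build_reply(mtype: int, server: str, dns: list, yiaddr: str = "192.168.1.50") -> bytes:  # constructed sample
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0) + b"\x00" * 4 + IPv4Address(yiaddr).packed
    header += b"\x00" * 216                          # siaddr, giaddr, chaddr, sname, file left zeroed
    opts = bytes([OPT_MSG_TYPE, 1, mtype, OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns) + b"\xff"
    return header + MAGIC + opts

# Constructed sample traffic: the legitimate ACK and a second reply carrying the firewall address.
SAMPLE = [build_reply(5, "192.168.1.210", ["192.168.1.210"]),
          build_reply(2, "192.168.1.1", ["192.168.1.1"])]
```

Run `audit_replies(SAMPLE)` to see the second reply flagged as ROGUE; on a real capture, the flagged Server Identifier is the address to trace back through the switch MAC tables.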


Last updated: Jun 26 '19