Question
Tuesday, December 15, 2015 9:08 PM
Hi,
I have two DHCP servers, and they have only the DHCP role installed. They are always making a DNS query on port 53 (
60801 | 199.212.0.63 | 53 | udp src inside:172.16.84.24/60801 dst outside:199.212.0.63/53 |
) though they don't have the DNS role installed.
nslookup 199.212.0.63
Name: z.arin.net
Address: 199.212.0.63
svchost.exe (DHCPServer) 4044 z.arin.net
I don't understand the reason behind this query. Please advise.
Thanks
Hasan Mahmud
All replies (6)
Thursday, July 7, 2016 2:57 AM ✅ Answered
Hi,
You could try to download and use Process Explorer
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx?f=255&MSPPError=-2147217396
And look at not only the file name SVCHOST.EXE but the fully qualified name and path.
SVCHOST.EXE should ONLY be executed from the folder %windir%\system32. If it is executed from any other location, it is a sure sign of malware.
Also, there are DLLs that can be loaded and use SVCHOST.EXE such that the legitimate SVCHOST.EXE is being loaded and used but is loading malicious DLL files. You could check this with Process Explorer too. It is on the Services tab in Properties.
You can also run MSCONFIG.EXE and compare what is loaded as administrator vs. what is loaded in your everyday account. You indicated the activity stopped when you logged on as admin. Thus what may be loaded to cause the activity is being loaded by that personal account.
________________________________________
Best Regards,
Cartman
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected].
Tuesday, December 15, 2015 9:47 PM
Most likely your DNS server has a DNS defined other than 127.0.0.1 in its network settings. Or a forwarding zone.
It is being asked to resolve the DNS name and cannot, so it is asking the other DNS server that is configured.
That is what DNS does.
There is something trying to resolve a public IP address using arin.net
Brian Ehlert
http://ITProctology.blogspot.com
Learn. Apply. Repeat.
Tuesday, December 15, 2015 10:22 PM
Thx @ Brian Ehlert
But the problem here is that the DHCP server is making a DNS query to arin.net. I don't understand the reason behind this query.
Friday, April 15, 2016 8:06 PM
I am seeing the same thing as Hasan is. A purely DHCP-only server that is making DNS queries to z.arin.net
Monday, June 27, 2016 1:10 PM
Any Ideas?...the same here....2008 R2 with DHCP installed.
Tuesday, October 8, 2019 7:37 AM
Hi,
Topic is old but...
I have been fighting with the same problem and I've found a solution. So simple...
Probably one scope in DHCP is configured with option 006 DNS Servers pointing to an external DNS server (not domain DNS) and the scope has DNS dynamic updates enabled.
Dynamic updates are redirected to the external server, which does not allow this. So the DHCP server is trying to query arin.net for SOA records etc. That's why your DHCP server sends a query to z.arin.net.
Regards
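
A way to check for the configuration the last reply describes, as an added example that is not part of the original thread: it lists each IPv4 scope's effective option 006 value next to its DNS dynamic update setting and flags scopes where both conditions hold. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later, or RSAT), and the `$DomainDns` addresses are constructed placeholders for your own domain DNS servers.

```powershell
# Added example: flag DHCP scopes whose option 006 (DNS Servers) points outside
# the domain DNS servers while DNS dynamic updates are enabled.
# Run on the DHCP server, or add -ComputerName to each DhcpServer cmdlet.
Import-Module DhcpServer

# Assumption: constructed placeholder addresses; replace with your domain DNS servers.
$DomainDns = @('172.16.84.10', '172.16.84.11')

# Server-level option 006 is inherited by scopes that do not set their own value.
$serverOpt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue

$report = foreach ($scope in Get-DhcpServerv4Scope) {
    # Scope-level option 006, if one is defined (the cmdlet errors when it is not).
    $scopeOpt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 `
        -ErrorAction SilentlyContinue

    # Effective DNS server list handed out for this scope.
    $dns = if ($scopeOpt) { $scopeOpt.Value }
           elseif ($serverOpt) { $serverOpt.Value }
           else { @() }

    # Anything not in the domain DNS list counts as "external" here.
    $external = @($dns | Where-Object { $_ -notin $DomainDns })

    # DynamicUpdates is one of: Always, Never, OnClientRequest.
    $dnsSetting = Get-DhcpServerv4DnsSetting -ScopeId $scope.ScopeId

    [pscustomobject]@{
        ScopeId        = $scope.ScopeId
        Name           = $scope.Name
        Option006      = $dns -join ', '
        ExternalDns    = $external -join ', '
        DynamicUpdates = $dnsSetting.DynamicUpdates
        Suspect        = ($external.Count -gt 0) -and
                         ($dnsSetting.DynamicUpdates -ne 'Never')
    }
}

# Suspect scopes first.
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

The cmdlets used here are not available on Windows Server 2008 R2, so for a server of that version run the script from a newer management host with RSAT and pass `-ComputerName`.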