DNS changes unexpectedly.

Simon Hobson dhcp at thehobsons.co.uk
Tue May 2 06:42:09 UTC 2006


Keith Woodworth wrote:

>Client boots up gets valid IP and DNS. Things will work for anywhere from
>10 mins to 3 hrs, then suddenly the client will not be able to get any
>webpages but they can still be streaming audio or be on some online chat
>but the web and email go down.
>
>In troubleshooting this I'm finding that these clients, while they still
>have a valid IP address, their DNS has changed to 192.168.1.1. As soon as
>they repair/renew their DNS is back and away they go. As a fix I've been
>getting the DNS hardcoded but this should be be a permanent fix.
>
>I'm guessing someone has a router plugged in backwards on this subnet and
>just started sniffing the network.
>
>Why would just the DNS change and not the IP too? It seems odd that just
>the DNS IP would change and not the IP of their machine too.

If there was a rogue DHCP server then the client would ask for the
address it had, and if it's valid for the network the rogue server 
could offer it. Hence the client could switch servers without 
changing address.

However, if it was just a rogue router, I'd expect different IP
addresses based on the fact that the DNS has changed (to a different
subnet) and most small routers default to using themselves as the DNS.

The other thing against it being a rogue server is that the clients 
would be unicasting their renewal requests to the server that gave 
out their lease in the first place - not broadcasting them to the 
whole network.

What OS are the clients running?
What DNS are you setting via DHCP?

I would be inclined to set up a packet capture for just DHCP packets
and leave it running. When someone informs you of the problem, search 
in the packet trace for all packets to/from their MAC address and see 
if there's been any odd behaviour - and of course, check the contents 
of DHCP packets.

Simon
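
An added example, not part of Simon's message: one way to check the contents of captured DHCP replies is to parse each UDP payload and flag any OFFER/ACK whose server identifier (option 54) or DNS servers (option 6) are not the ones you configured. The server 10.10.0.2, DNS 10.10.0.3, client address and MAC below are constructed sample values; 192.168.1.1 is the address from the report.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5             # option 53 values for server replies that carry settings

def parse_dhcp(payload):
    """Parse a DHCP UDP payload; return None if it is not well-formed DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    hlen = min(payload[2], 16)
    msg = {"mac": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
           "yiaddr": socket.inet_ntoa(payload[16:20]),
           "type": None, "server": None, "dns": []}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        code, length = payload[i], payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) < length:                         # truncated option, stop parsing
            break
        if code == 53 and length == 1:                 # DHCP message type
            msg["type"] = data[0]
        elif code == 54 and length == 4:               # server identifier
            msg["server"] = socket.inet_ntoa(data)
        elif code == 6 and length % 4 == 0:            # DNS servers handed to the client
            msg["dns"] = [socket.inet_ntoa(data[j:j + 4]) for j in range(0, length, 4)]
        i += 2 + length
    return msg

def check_reply(msg, allowed_servers, allowed_dns):
    """Return findings for an OFFER/ACK from an unknown server or with unknown DNS."""
    if msg is None or msg["type"] not in (OFFER, ACK):
        return []
    findings = []
    if msg["server"] not in allowed_servers:
        findings.append(f"{msg['mac']}: reply from unexpected server {msg['server']}")
    findings += [f"{msg['mac']}: unexpected DNS {d}" for d in msg["dns"] if d not in allowed_dns]
    return findings

def build_reply(mac, yiaddr, mtype, server, dns):
    """Build a constructed sample reply (test data, not taken from a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      socket.inet_aton(yiaddr), bytes(4), bytes(4),
                      bytes.fromhex(mac.replace(":", "")), b"")
    opts = bytes([53, 1, mtype, 54, 4]) + socket.inet_aton(server) + bytes([6, 4 * len(dns)])
    return hdr + MAGIC + opts + b"".join(socket.inet_aton(d) for d in dns) + b"\xff"
```

Feed `parse_dhcp` the UDP payload of each packet on ports 67/68 from the capture; a reply that keeps the client's address but names a different server or DNS is the case described above.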

