DNS poisoned nslookup returns wrong ip address
Solution 1
You have (somehow) a Primary DNS Suffix or Connection-specific DNS Suffix defined and enabled to be appended in the TCP/IP settings.
Check with ipconfig /all.
Reconfigure (if needed): Network Connections - the connection (or interface) in use.
Solution 2
If neither "ipconfig" nor checking the DNS settings works, you might find that the "virus" has created you a nice big Hosts file - look in %systemroot%\system32\drivers\etc (e.g. C:\Windows\system32\drivers\etc).
There should be a file called "Hosts" (not Hosts.txt). Open the file in Notepad. Alternatively, go to Start, Run and type in:
notepad %systemroot%\system32\drivers\etc\hosts
If you're just a home user, you shouldn't have more than a couple of entries in the file (you'll probably only need "localhost 127.0.0.1").
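A check for both conditions described in Solution 1 and Solution 2, as an added example that is not from the original answers: it parses a saved copy of `ipconfig /all` output for a primary DNS suffix and suffix search list, and flags hosts-file entries that map names to anything other than loopback. The sample inputs are constructed (the IP addresses are the ones reported in the question); the 30-space continuation-line width for the search list is an assumption about ipconfig's layout.

```python
import re

# Constructed sample of a Windows hosts file on a hijacked machine. The
# addresses are the ones reported in the question; the mappings are made up.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
213.128.138.236 www.google.com
109.234.109.20  yahoo.com www.yahoo.com   # injected entry
"""

# Constructed excerpt of `ipconfig /all` output with a suffix search list set.
SAMPLE_IPCONFIG = """   Primary Dns Suffix  . . . . . . . : domain.name
   DNS Suffix Search List. . . . . . : domain.name
                                       example.net
"""

LOOPBACK = {"127.0.0.1", "::1"}

def suspicious_hosts_entries(text):
    """Return (ip, [names]) for every active hosts entry that is not a loopback mapping."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            found.append((ip, names))
    return found

def dns_suffixes(text):
    """Extract the primary DNS suffix and the suffix search list from ipconfig /all output."""
    result = {"primary": None, "search_list": []}
    in_list = False
    for line in text.splitlines():
        m = re.match(r"\s*(Primary Dns Suffix|DNS Suffix Search List)[ .]*:\s*(.*)", line, re.I)
        if m:
            in_list = m.group(1).lower().startswith("dns suffix")
            value = m.group(2).strip()
            if in_list:
                if value:
                    result["search_list"].append(value)
            else:
                result["primary"] = value or None
        elif in_list and line.startswith(" " * 30) and line.strip():
            result["search_list"].append(line.strip())  # continuation line (assumed indent)
        else:
            in_list = False
    return result
```

Any entry reported by suspicious_hosts_entries, or any suffix reported by dns_suffixes that you did not configure yourself, is what makes "google.com" resolve as "google.com.domain.name" to the wrong addresses.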
WikiWitz
Updated on September 18, 2022
Comments
-
WikiWitz over 1 year
I recently had a 'redirect virus' while I was logged in as administrator. Every time I would query something in a search engine, I was redirected to domaindiscount24.com. After a virus cleanup everything resumed to normal. Until I noticed nslookup.exe returning wrong ip addresses:

nslookup google.com:
Non-authoritative answer:
Name: google.com.domain.name
Addresses: 213.128.138.236 109.234.109.20 109.234.109.21

nslookup yahoo.com:
Non-authoritative answer:
Name: yahoo.com.domain.name
Addresses: 109.234.109.21 213.128.138.236 109.234.109.20

Every time I nslookup a domain name, I get these same ip addresses, which point to domaindiscount24.com. Is my dns server (modem/router) poisoned? Or are the addresses mere records from the redirect virus earlier?

** EDIT **
-
WikiWitz over 12 years
It doesn't work. Some free software might have configured my dns settings. I remember getting a correct ip address from nslookup along with the two ip addresses (109.234.109.21 and ...20) but after that all nslookup queries return the above addresses.
-
chmod over 12 years
What is your DNS setting? Try setting your DNS manually to OpenDNS 208.67.222.222, 208.67.220.220. Then try ipconfig /flushdns again.
-
WikiWitz over 12 years
Setting it manually to OpenDNS doesn't work.
-
Hasan Manzak over 12 years
This type of action can be caused by a hacked nslookup.exe file also... It's happened to me before and I was able to fix it by copying a clean nslookup.exe file from a clean system. That could be a solution for you, too.
-
Márcio Souza Júnior almost 7 years
Had the exact same problem and solved it following this: serverfault.com/a/74075/354078 serverfault.com/a/315355/354078
-
WikiWitz over 12 years
Actually, I was just playing around with the hosts file a few days ago and nope, there was nothing there other than comments.
-
Lazy Badger over 12 years
@mywiki-witwiki - no, just showing the dialogue for you (from XP, BTW). Your screenshots show: 1. You have a DNS suffix search list, 2. This domain is added to all hostnames. I don't have Win7 now to find where the search list is defined and how to remove it.
-
WikiWitz over 12 years
I don't think the Primary DNS Suffix is the culprit. I successfully disabled it in the Group Policies but nslookup still returns the wrong IP addresses.
-
misterjaytee over 12 years
Why the downmark on the answer?
-
WikiWitz over 12 years
Me? I didn't do that.
-
misterjaytee over 12 years
Sorry, I wasn't blaming you - just asking whoever downvoted my answer why they did it.
-
Ƭᴇcʜιᴇ007 over 11 years
Link-only answers are a no-no due to possible future link rot. Please include pertinent information in your answer.