DNS poisoned nslookup returns wrong ip address


Solution 1

You have (somehow) a Primary DNS Suffix or a Connection-specific DNS Suffix defined, and appending it is enabled in the TCP/IP settings.

Check with ipconfig /all. Reconfigure (if needed): Network Connections - the connection (or interface) in use.


Solution 2

If neither "ipconfig" nor checking the DNS settings works, you might find that the "virus" has created a nice big Hosts file for you - look in %systemroot%\system32\drivers\etc (e.g. C:\Windows\system32\drivers\etc).

There should be a file called "Hosts" (not Hosts.txt). Open the file in Notepad. Alternatively, go to Start, Run and type in:

notepad %systemroot%\system32\drivers\etc\hosts

If you're just a home user, you shouldn't have more than a couple of entries in the file (you'll probably only need "localhost 127.0.0.1").
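A combined diagnostic for the two solutions above, as an added example that is not part of either answer on this page: a PowerShell script that lists the DNS suffix search list and any connection-specific suffix, the configured DNS servers, the active entries in the hosts file (format: IP address first, then hostname), and then resolves a test name through the system resolver and directly against a reference server so the two answers can be compared. The signature and hash check of nslookup.exe at the end covers the replaced-binary case raised in the comments. It assumes Windows 8 / Server 2012 or later (the DnsClient cmdlets and Resolve-DnsName do not exist on XP or 7) and an elevated prompt; the test name google.com, the reference resolver 9.9.9.9 and the use of a trailing dot to force a fully-qualified query are my choices, not anything from the page.

```powershell
# Added diagnostic script, not taken from the answers above. Walks the checks
# the two solutions describe (DNS suffixes, DNS server settings, hosts file)
# plus the nslookup.exe integrity check mentioned in the comments.
# Requires Windows 8 / Server 2012 or later and an elevated prompt.
# $TestName and $RefServer are assumptions; substitute whatever you trust.

$TestName  = 'google.com'
$RefServer = '9.9.9.9'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. DNS suffixes. A global suffix search list or a per-interface
#    connection-specific suffix gets appended to names, so a lookup for
#    "google.com" can actually be sent out as "google.com.<suffix>".
$global = Get-DnsClientGlobalSetting
Write-Host "Suffix search list : $($global.SuffixSearchList -join ', ')"
Write-Host "Use suffix list    : $($global.UseSuffixSearchList)"
Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix } | ForEach-Object {
    Write-Host "Interface $($_.InterfaceAlias): connection-specific suffix '$($_.ConnectionSpecificSuffix)'"
}

# 2. Configured DNS servers per interface (what ipconfig /all lists as "DNS Servers").
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses } | ForEach-Object {
    Write-Host "Interface $($_.InterfaceAlias): DNS servers $($_.ServerAddresses -join ', ')"
}

# 3. Hosts file: every non-comment, non-blank line is an override that wins
#    over DNS. A home machine normally has none (or only the localhost line).
$hostsEntries = @(Get-Content $HostsPath -ErrorAction Stop |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
if ($hostsEntries.Count -gt 0) {
    Write-Host "Hosts file has $($hostsEntries.Count) active entries:"
    $hostsEntries | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Hosts file has no active entries."
}

# 4. Compare the system resolver's answer (suffixes, hosts file and cache all
#    applied) with a direct query to the reference server. The trailing dot
#    makes the direct query fully qualified so no suffix can be appended;
#    -DnsOnly and -NoHostsFile bypass the cache and the hosts file.
function Get-ARecords([string]$Name, [string]$Server) {
    $params = @{ Name = $Name; Type = 'A'; ErrorAction = 'SilentlyContinue' }
    if ($Server) {
        $params['Name']        = "$Name."
        $params['Server']      = $Server
        $params['DnsOnly']     = $true
        $params['NoHostsFile'] = $true
    }
    Resolve-DnsName @params | Where-Object { $_.Type -eq 'A' }
}
$system = @(Get-ARecords $TestName)
$direct = @(Get-ARecords $TestName $RefServer)
$systemAddrs = ($system.IPAddress | Sort-Object) -join ', '
$directAddrs = ($direct.IPAddress | Sort-Object) -join ', '
Write-Host "System resolver answer names : $(($system.Name | Select-Object -Unique) -join ', ')"
Write-Host "System resolver addresses    : $systemAddrs"
Write-Host "Reference $RefServer addresses : $directAddrs"

# An answer name of the form "<queried name>.<something>" is the signature of
# suffix appending (e.g. google.com.domain.name in the question).
if ($system | Where-Object { $_.Name -like "$TestName.?*" }) {
    Write-Warning "Answer name has a suffix appended to '$TestName'; check the suffix settings listed above."
}
if ($systemAddrs -ne $directAddrs) {
    Write-Warning "System resolver and reference server disagree; check the DNS server settings and the router."
}

# 5. nslookup.exe itself (a comment reports a replaced binary). Catalog
#    signature status plus a hash to compare against a known-clean machine.
$nslookup = Join-Path $env:SystemRoot 'System32\nslookup.exe'
$sig = Get-AuthenticodeSignature $nslookup
Write-Host "nslookup.exe signature : $($sig.Status) ($($sig.SignatureType))"
Write-Host "nslookup.exe SHA256    : $((Get-FileHash $nslookup -Algorithm SHA256).Hash)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "nslookup.exe is not validly signed; run 'sfc /verifyfile=$nslookup'."
}
```

Reading the output against the question: an answer whose Name is google.com.domain.name means the resolver sent the query with the suffix domain.name appended, and a zone that answers every hostname under it with the same address set will produce identical results for every name you look up, which is exactly the pattern in the question. If the direct query to the reference server returns the correct addresses while the system resolver does not, the fault is in the suffix settings, the hosts file, or the configured DNS server (router or otherwise), not in the upstream DNS; if both disagree with what a clean machine sees, or the signature check fails, look at the local tooling and the network path instead.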

Author: WikiWitz

Updated on September 18, 2022

Comments

  • WikiWitz
    WikiWitz over 1 year

    I recently had a 'redirect virus' while I was logged in as administrator. Every time I queried something in a search engine, I was redirected to domaindiscount24.com. After a virus cleanup everything returned to normal. Until I noticed nslookup.exe returning wrong IP addresses:

    nslookup google.com:
        Non-authoritative answer:
        Name:    google.com.domain.name
        Addresses:  213.128.138.236
                    109.234.109.20
                    109.234.109.21

    nslookup yahoo.com:
        Non-authoritative answer:
        Name:    yahoo.com.domain.name
        Addresses:  109.234.109.21
                    213.128.138.236
                    109.234.109.20


    Every time I nslookup a domain name, I get these same IP addresses, which point to domaindiscount24.com. Is my DNS server (modem/router) poisoned? Or are the addresses mere records from the redirect virus earlier?

    EDIT:

    Here is an odd output from the command prompt:

    • WikiWitz
      WikiWitz over 12 years
      It doesn't work. Some free software might have configured my DNS settings. I remember getting a correct IP address from nslookup along with the two IP addresses (109.234.109.21 and ...20), but after that all nslookup queries return the above addresses.
    • chmod
      chmod over 12 years
      What is your DNS setting? Try setting your DNS manually to OpenDNS (208.67.222.222, 208.67.220.220). Then try ipconfig /flushdns again.
    • WikiWitz
      WikiWitz over 12 years
      Setting it manually to OpenDNS doesn't work.
    • Hasan Manzak
      Hasan Manzak over 12 years
      This type of behaviour can also be caused by a hacked nslookup.exe file... It happened to me before, and I was able to fix it by copying a clean nslookup.exe file from a clean system. That could be a solution for you, too.
    • Márcio Souza Júnior
      Márcio Souza Júnior almost 7 years
      Had exactly the same problem and solved it by following this: serverfault.com/a/74075/354078 serverfault.com/a/315355/354078
  • WikiWitz
    WikiWitz over 12 years
    Actually, I was just playing around with the hosts file a few days ago, and no, there was nothing in there other than comments.
  • Lazy Badger
    Lazy Badger over 12 years
    @mywiki-witwiki - no, it just shows the dialogue for you (from XP, BTW). Your screenshots show: 1. You have a DNS suffix search list, 2. This domain is added to all hostnames. I don't have Win7 right now to find where the search list is defined and how to remove it.
  • WikiWitz
    WikiWitz over 12 years
    I don't think the Primary DNS Suffix is the culprit. I successfully disabled it in Group Policy, but nslookup still returns the wrong IP addresses.
  • misterjaytee
    misterjaytee over 12 years
    Why the downvote on the answer?
  • WikiWitz
    WikiWitz over 12 years
    Me? I didn't do that.
  • misterjaytee
    misterjaytee over 12 years
    Sorry, I wasn't blaming you - just asking whoever downvoted my answer why they did it.
  • Ƭᴇcʜιᴇ007
    Ƭᴇcʜιᴇ007 over 11 years
    Link-only answers are a no-no due to possible future link rot. Please include the pertinent information in your answer.