Where did this incorrect cached DNS lookup come from?

1

Somehow, I've been having a chronic issue where my computer will get an invalid DNS lookup in its cache for either of the two Exchange servers I use from Mail.app. My workplace runs one of the Exchange servers and I run the other (they are totally unrelated, hosted by different companies, etc.). The problem manifests as a certificate domain error.

When it happens, I can run nslookup mail.mydomain.com and I see the incorrect IP address (usually owned by either Apple or Akamai), but if I run nslookup mail.mydomain.com 8.8.8.8, I get the correct address. In fact, if I specify any of my computer's or router's DNS servers to nslookup, I get the correct address.

My real quest is to find out why this keeps happening, and to do that, I'd like to know which server is supplying me this bad DNS entry. Is there a way to check my DNS cache to see where this bad lookup came from?

Stephen Jennings

Posted 2010-04-13T02:33:36.477

Reputation: 21 788

1

Very hard to suggest any possible reason without the real domain name... http://dougbarton.us/DNS/bind-users-FAQ.html#RealNames

– bortzmeyer – 2010-04-13T10:43:01.380

Answers

3

Start Wireshark somewhere on your LAN, looking at traffic to your machine, then boot your machine, run nslookup, and watch the DNS traffic. You'll see where the bad entry comes from.

Fred

Posted 2010-04-13T02:33:36.477

Reputation: 1 205

The problem is that I don't know which DNS server to query to get the bad response. When I query any of my DNS servers, I get the proper address. – Stephen Jennings – 2010-04-13T02:52:47.980

Run Wireshark while you do nslookup mail.mydomain.com -- it'll tell you which server's being queried. Note that you can run Wireshark on your own computer, it doesn't have to be somewhere else on the LAN; also, if you don't want to deal with installing Wireshark, you can just use the built-in tcpdump utility at the command line: sudo tcpdump -n -s0 port 53 – Gordon Davisson – 2010-04-13T19:27:16.503

I tried this today; the incorrect DNS is coming from my router, so I guess it's just something my ISP's DNS servers are doing wrong. Oh well, I guess I'll just set my DNS servers manually. – Stephen Jennings – 2010-04-25T06:51:48.707

Check to see that the root servers are giving the correct authoritative servers for your domain. Just a guess, but could there be an old authoritative server with stale info that hasn't been removed from the list? – Fred – 2010-04-26T03:23:29.830

Thank you +Gordon Davisson. Found the erroneous DNS record by following your answer. Just a follow-up to your post: After you find the DNS record, make sure to delete the PTR record from the Reverse Lookup Zones also. Unless you do that, ping -a IP_ADDRESS will continue to bring the hostname even if you flush the DNS cache. – None – 2013-01-15T09:33:57.050
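The capture-and-compare approach from this answer and its comments, carried one step further as an added example (this is not code from the original post or from any commenter). Once `tcpdump -n -s0 port 53` shows the packets, the two facts that matter are the source IP of each response (which server actually answered) and the TTL of the bad record (how long it will sit in the cache). The block below decodes raw IPv4/UDP/DNS response packets, groups A answers by responding server, and lists the servers whose answer disagrees with a trusted reference. It uses only the Python 3 standard library. All addresses (192.168.1.1 for the router, 8.8.8.8, the RFC 5737 documentation addresses 203.0.113.50 and 198.51.100.25) and the name mail.example.com are constructed sample data, and the two packets are built inline to stand in for a capture.

```python
import socket
import struct


def parse_name(data, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035 s4.1.4).
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # name ends after the 2-byte pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_dns(payload):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", payload, 0)
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = parse_name(payload, offset)
        qtype, _qclass = struct.unpack_from("!HH", payload, offset)
        offset += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, offset = parse_name(payload, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", payload, offset)
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                  # A record
            value = socket.inet_ntoa(rdata)
        elif rtype == 5:                               # CNAME: rdata is a (possibly compressed) name
            value, _ = parse_name(payload, offset - rdlen)
        else:
            value = rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "value": value})
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def parse_packet(packet):
    """Parse a raw IPv4 packet carrying UDP/DNS; report who answered and what they said.
    Assumes the link-layer header has already been stripped (not done here)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        raise ValueError("not a UDP packet")
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, _dport, ulen = struct.unpack_from("!HHH", packet, ihl)
    dns = parse_dns(packet[ihl + 8: ihl + ulen])
    return {"server": src, "client": dst, "sport": sport, **dns}


def answers_by_server(packets, qname):
    """Map responding server IP -> [(answer IP, TTL)] for A answers to qname."""
    result = {}
    for pkt in packets:
        rec = parse_packet(pkt)
        if not rec["is_response"] or qname not in (q for q, _ in rec["questions"]):
            continue
        result.setdefault(rec["server"], [])
        result[rec["server"]] += [(a["value"], a["ttl"]) for a in rec["answers"] if a["type"] == 1]
    return result


def servers_disagreeing_with(by_server, reference):
    """Servers whose set of A answers differs from the reference server's (e.g. 8.8.8.8)."""
    ref = {ip for ip, _ in by_server.get(reference, [])}
    return sorted(s for s, recs in by_server.items()
                  if s != reference and {ip for ip, _ in recs} != ref)


# --- constructed sample capture (stand-in for tcpdump output) ---------------------------
def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_a_response(txid, name, ip, ttl):
    """Minimal DNS response: QR/RD/RA set, one question, one A answer using a pointer to it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def wrap_udp_ipv4(src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # zero UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + udp


SAMPLE_CAPTURE = [   # router hands out a wrong address with a long TTL; 8.8.8.8 is correct
    wrap_udp_ipv4("192.168.1.1", "192.168.1.20", 53, 51234,
                  build_a_response(0x1A2B, "mail.example.com", "203.0.113.50", 3600)),
    wrap_udp_ipv4("8.8.8.8", "192.168.1.20", 53, 51235,
                  build_a_response(0x1A2C, "mail.example.com", "198.51.100.25", 300)),
]

if __name__ == "__main__":
    by_server = answers_by_server(SAMPLE_CAPTURE, "mail.example.com")
    for server, recs in by_server.items():
        print(server, recs)
    print("disagree with 8.8.8.8:", servers_disagreeing_with(by_server, "8.8.8.8"))
```

On a real capture (`sudo tcpdump -n -s0 -w dns.pcap port 53`, then reading the file with a pcap reader such as dpkt or scapy), you would feed each IPv4 packet to `parse_packet` after stripping the Ethernet or loopback header, which this example leaves out. The TTL the disagreeing server returns tells you how long the wrong address will survive in the resolver cache after the answer has been accepted.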