I have an internal IP Address (192.168.0.57) that every couple of days will get assigned to a machine which will then periodically lose its connection to the network throughout the day.

The first machine that this happened to was running OSX and the rest have been Windows. Neither OS has detected an IP conflict.

When I ping the hostname of the machine I know it's been assigned to, it will give me back the IP in question. When I ping -a the IP, it gives me a completely different hostname.

I can't find any machine on the network that has the second hostname. Is this an issue with the DNS? What could cause this?

HopelessN00b
Kalamane
  • Did you find an answer to your question? If so, awarding the answer and an upvote would be helpful to future readers. – Wesley Aug 04 '11 at 23:40

1 Answer

You may well have a "rogue DHCP Server" on the network. The observation that the machines have not detected an IP conflict does not rule a rogue out. See the wikipedia article that I just linked to for a list of tools that can be used to detect if a rogue is on the network or not. Likely some access point has been introduced with its DHCP server turned on.

When you ping for the hostname, the machine doing the pinging is likely using the DNS server that you have set up on the network so it's no surprise that the "official" or "desired" address will be returned. Other factors come to mind such as the timing of the DORA conversation as well as authorization, but I shall not go into minute detail here.

ping -a does a reverse lookup, of course. So the ARP tables of either the local PC or the switch have been "poisoned" to now look at the last PC to broadcast itself as having that IP which then ties it to that new PC's own MAC address.

Analyze all network traffic for DHCP conversations and then track the villain down with ARP tables and port mappings if you have to. Terminate with extreme prejudice.

Wesley
  • A rogue DHCP server is doubly dangerous and hard to detect when you use such a common prefix as 192.168.0.0/24. Pick a more interesting address range; there's plenty of RFC1918 addresses to choose from! – womble Jul 19 '11 at 22:52
  • @womble Very good point. I knew there was a reason I picked oddball ranges for my home network. I also knew there was a reason I still have my mom's network on token ring. I never trusted that TCP/IP thing. – Wesley Jul 19 '11 at 22:59
  • TCP/IP and token ring aren't mutually exclusive. – womble Jul 19 '11 at 23:05
  • Indeed. I fail at correctly ordering the OSI model. A thousand lashes with a cord of thinnet for me. – Wesley Jul 19 '11 at 23:09
  • @WesleyDavid as penance you must go locate the lost token, place it in the bit bucket, and bring it back to the server room. – voretaq7 Jul 20 '11 at 05:15
  • @voretaq7 I captured the token! I caught it in my ether net. – Wesley Jul 20 '11 at 05:51
  • This was the issue. It was a malfunctioning switch. – Kalamane Dec 06 '11 at 20:48
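The answer recommends analyzing DHCP conversations to find a rogue server. The following is an added example (not part of the original question or answer) of the detection step: it decodes the BOOTP header and DHCP options of captured reply packets, reads the message type (option 53) and server identifier (option 54), and flags any OFFER or ACK whose server identifier is not on an allow-list. The packets are constructed inline for the demo, and the authorized server address 192.168.0.1 is an assumption; the question names no DHCP server. On a real network the payloads would come from a capture of UDP port 67/68 traffic.

```python
"""Flag DHCP OFFER/ACK replies whose Server Identifier (option 54) is not
on the allow-list of known DHCP servers.

Added example, not from the original post. The DHCP payloads below are
constructed for illustration; 192.168.0.1 as the authorized server is an
assumption.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
              5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpReply:
    msg_type: str
    server_id: Optional[str]
    yiaddr: str   # address being offered/acknowledged
    chaddr: str   # client MAC the reply is addressed to


def parse_dhcp(payload: bytes) -> DhcpReply:
    """Decode the fields needed for rogue-server detection from a DHCP payload."""
    # The BOOTP fixed header is 236 bytes (RFC 951); the magic cookie follows it.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:34])
    msg_type, server_id = None, None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, single byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = DHCP_TYPES.get(value[0], f"UNKNOWN({value[0]})")
        elif code == 54 and length == 4:
            server_id = ".".join(str(b) for b in value)
        i += 2 + length
    if msg_type is None:
        raise ValueError("DHCP message type option (53) missing")
    return DhcpReply(msg_type, server_id, yiaddr, chaddr)


def build_reply(msg_type: int, server: str, yiaddr: str, chaddr: bytes) -> bytes:
    """Construct a minimal BOOTREPLY for the demo (sample data, not a real server)."""
    hdr = bytearray(236)
    hdr[0] = 2                  # op = BOOTREPLY
    hdr[1] = 1                  # htype = Ethernet
    hdr[2] = 6                  # hlen
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    hdr[28:34] = chaddr
    opts = (bytes([53, 1, msg_type])
            + bytes([54, 4]) + bytes(int(x) for x in server.split("."))
            + b"\xff")
    return bytes(hdr) + MAGIC_COOKIE + opts


def find_rogue_offers(payloads: Iterable[bytes], authorized: Set[str]) -> List[DhcpReply]:
    """Return OFFER/ACK replies whose server identifier is not an authorized server."""
    rogue = []
    for p in payloads:
        try:
            r = parse_dhcp(p)
        except ValueError:
            continue   # not DHCP, or malformed: skip rather than abort the scan
        if r.msg_type in ("OFFER", "ACK") and r.server_id not in authorized:
            rogue.append(r)
    return rogue


# Constructed sample traffic: a legitimate offer, an offer from an unknown
# server for the same lease, and a discover that the detector must ignore.
CLIENT_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE = [
    build_reply(2, "192.168.0.1", "192.168.0.57", CLIENT_MAC),
    build_reply(2, "192.168.0.254", "192.168.0.57", CLIENT_MAC),
    build_reply(1, "0.0.0.0", "0.0.0.0", CLIENT_MAC),
]
AUTHORIZED = {"192.168.0.1"}   # assumption: the one sanctioned DHCP server

if __name__ == "__main__":
    for r in find_rogue_offers(SAMPLE, AUTHORIZED):
        print(f"rogue DHCP {r.msg_type} from {r.server_id}: "
              f"offered {r.yiaddr} to {r.chaddr}")
```

Once a rogue server identifier is known, its MAC can be read from the same capture's Ethernet header and matched against the switch's MAC address table to find the port, which is the "port mappings" step the answer describes.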