Service provider takeaway: This tip explains how to resolve some of the issues that come up during an apparent DNS server failure, including how problems in a client's own domain name resolution can look like DNS server failures.
In the first part of this series, I explained that many DNS server failures are not related to the DNS server.
The HOSTS File
If a workstation is resolving DNS names incorrectly, begin by checking the HOSTS file. This file is left over from early versions of Windows and Unix. In the early days, the TCP/IP protocol did not use DNS servers for domain name resolution. Instead, every computer had a file that contained a comprehensive list of every domain name that was in use on the Internet. Over time, the number of domain names on the Internet grew and it became impractical to maintain local lists of domain names. Even so, this mechanism still exists in Windows in the form of the HOSTS file. This file is a favorite target of malware authors.
The HOSTS file is located by default in the \Windows\System32\drivers\etc folder. Unless you have explicitly modified the HOSTS file, it should only contain the following entries:
The second entry is an IPv6 entry that is present only on Windows Vista and Windows Server 2008, unless the IPv6 protocol has been manually installed on the system.
The LMHOSTS File
The LMHOSTS file, which is Microsoft-specific, is located in the same \Windows\System32\drivers\etc folder and works much like the HOSTS file, except that its purpose is to map IP addresses to NetBIOS names rather than DNS names. LMHOSTS entries that interfere with domain name resolution are fairly rare, but the file is still something you should check if you are having domain name resolution problems.
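Checking these two files by eye is error-prone, partly because LMHOSTS uses "#" both for comments and for keywords such as #PRE and #DOM. The script below is an added example, not code from the article: it parses a HOSTS file and an LMHOSTS file and reports every entry that departs from the stock contents, going a little beyond the article by classifying the kind of tampering (a watched site redirected to a foreign address, or a name black-holed to loopback) and by handling the LMHOSTS keyword syntax. The default loopback entries, the watched domain list (seeded with the sites the article names) and both sample files are constructed assumptions for the example.

```python
import ipaddress
import os

# The two entries a stock Windows Vista / Server 2008 HOSTS file carries
# (assumption: the loopback mappings the article refers to).
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed watch list of names malware likes to redirect, seeded with the
# sites the article mentions; extend it for your environment.
WATCHED_DOMAINS = ("google.com", "ebay.com", "facebook.com")

# LMHOSTS tokens that start with '#' but are keywords, not comments.
LMHOSTS_KEYWORDS = ("#PRE", "#DOM:", "#MH", "#SG", "#INCLUDE",
                    "#BEGIN_ALTERNATE", "#END_ALTERNATE")


def parse_hosts(text):
    """Return (ip, name) pairs from HOSTS-format text; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.extend((fields[0], n.lower()) for n in fields[1:])
    return entries


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Classify every non-default HOSTS entry as a finding (kind, ip, name)."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_HOSTS:
            continue                      # stock loopback entry, nothing to see
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        if addr.is_loopback or addr.is_unspecified:
            kind = "blackholed"           # name pointed at this machine: site unreachable
        elif any(name == w or name.endswith("." + w) for w in watched):
            kind = "redirect"             # watched site sent to a foreign address
        else:
            kind = "non-default"          # anything else you did not add yourself
        findings.append((kind, ip, name))
    return findings


def parse_lmhosts(text):
    """Return (entries, directives) from LMHOSTS text.

    entries: (ip, NETBIOS_NAME, tags); directives: #INCLUDE and
    #BEGIN/END_ALTERNATE lines. A '#' begins a comment unless it introduces
    one of LMHOSTS_KEYWORDS, which is what makes this file awkward to grep."""
    entries, directives = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.upper().startswith(("#INCLUDE", "#BEGIN_ALTERNATE", "#END_ALTERNATE")):
                directives.append(line)
            continue                      # plain comment
        tokens = line.split()
        if len(tokens) < 2:
            continue
        tags = []
        for tok in tokens[2:]:
            if tok.upper().startswith(LMHOSTS_KEYWORDS):
                tags.append(tok.upper())
            elif tok.startswith("#"):
                break                     # trailing comment
        entries.append((tokens[0], tokens[1].upper(), tuple(tags)))
    return entries, directives


def audit_lmhosts(text):
    """Findings for LMHOSTS: anything here overrides normal NetBIOS resolution."""
    entries, directives = parse_lmhosts(text)
    findings = [("include", "-", d) for d in directives if d.upper().startswith("#INCLUDE")]
    for ip, name, tags in entries:
        if any(t.startswith("#DOM:") for t in tags):
            findings.append(("dc-mapping", ip, name))   # pins a domain controller
        elif "#PRE" in tags:
            findings.append(("preloaded", ip, name))    # cached before any lookup
        else:
            findings.append(("static", ip, name))
    return findings


# Constructed samples: a tampered HOSTS file and a hand-maintained LMHOSTS file.
HOSTS_SAMPLE = """\
# comment line, ignored
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com
203.0.113.7     www.facebook.com
127.0.0.1       windowsupdate.example   # made-up name, blocked-style entry
"""

LMHOSTS_SAMPLE = r"""
# constructed LMHOSTS
#BEGIN_ALTERNATE
#INCLUDE \\fileserver\public\lmhosts
#END_ALTERNATE
192.0.2.10      FILESRV01    #PRE
192.0.2.20      DC01         #PRE #DOM:CORP   # primary DC for CORP
192.0.2.30      PRINTSRV                      # plain entry
"""


def audit_live_system():
    """Run both audits against the real files (Windows only)."""
    etc = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc")
    results = {}
    for fname, auditor in (("hosts", audit_hosts), ("lmhosts", audit_lmhosts)):
        path = os.path.join(etc, fname)
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                results[fname] = auditor(fh.read())
    return results


if __name__ == "__main__":
    for f in audit_hosts(HOSTS_SAMPLE) + audit_lmhosts(LMHOSTS_SAMPLE):
        print(*f)
```

Run as-is it reports on the constructed samples; audit_live_system() reads the real files under %SystemRoot%. A "redirect" finding is the pattern the article describes for hijacked sites; a "blackholed" finding is just as interesting, since malware often uses loopback entries to keep a machine from reaching update and antivirus sites.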
There are some browser add-ons that redirect domain name resolution requests. These types of browser add-ons are usually associated with malware infections, but I have seen a few that are self-contained. Internet Explorer 6 and 7 allow you to manage browser add-ons and disable anything that should not be there. In Internet Explorer 7, choose Internet Options from the Tools menu to open the Internet Options properties sheet, go to the Programs tab and click the Manage Add-ons button. You can then scroll through the list of browser add-ons and disable anything that you do not want.
If the domain name resolution problems are unique to Internet Explorer, you have the option of running Internet Explorer with no browser add-ons, which is a quick way of testing whether an add-on is causing the problem. Unfortunately, only Internet Explorer 7 has the option of running with no add-ons. There is a shortcut for it in the Start | All Programs | Accessories | System Tools folder. You can also start Internet Explorer without add-ons from a command line by entering the following command:
"C:\Program Files\Internet Explorer\iexplore.exe" -extoff
There are many forms of malware that have the potential to redirect domain names. For example, I recently removed a virus from my sister's computer that would redirect attempts to access sites such as Google, eBay and Facebook. It is difficult to explain exactly how the domain name resolutions are poisoned, because there are thousands of viruses that use this technique, each with a different implementation. The infection often relies on a browser helper object and on malicious registry entries.
Don't expect to be able to browse the registry, locate the URL of the malicious site and remove the offending entry. Occasionally this has worked for me, but more often than not the actual redirection is performed by a DLL file. The trick then becomes figuring out which DLL file has no business running on the system, and where it is being called from.
Malware removal tools are helpful in these situations, but in most cases I've had to use a combination of malware removal tools and manual removal techniques. If you're trying to locate a malicious DLL file, use Task Manager to look for processes with misspelled names: malware authors often give their files names similar to those of legitimate processes so that they blend in. It is also common for malicious DLL files to have names made up of random numbers and letters. Once you have located a suspicious DLL file, research whether or not it really is malicious. Getting rid of it is then a matter of booting the machine into safe mode, removing the DLL file and removing the calls to it from the registry. Keep in mind that you may need to remove multiple DLL files to clean the infection completely.
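The two naming tells above, lookalike spellings of legitimate process names and names built from random letters and digits, can be checked mechanically before you start researching files one by one. The script below is an added example, not code from the article: it scores a list of image or DLL names with an edit-distance check against a known-good list and a simple randomness heuristic. The known-good list and the sample names are constructed for the example; a "lookalike" or "random" verdict is only a reason to look at a file more closely, not proof that it is malicious.

```python
import re

# Illustrative list of legitimate Windows process names whose spelling malware
# imitates (constructed for the example; on a real machine use a known-good
# baseline of the system you are examining).
KNOWN_GOOD = ("svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
              "services.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe")


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Heuristic for names made of mixed random letters and digits."""
    letters = sum(c.isalpha() for c in stem)
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiouy" for c in stem)
    # digits interleaved with letters (rundll32-style trailing numbers are fine)
    interleaved = digits >= 2 and letters >= 2 and not re.fullmatch(r"[a-z]+\d*", stem)
    # pronounceable names contain vowels; random strings often do not
    vowel_starved = len(stem) >= 6 and vowels / max(len(stem), 1) < 0.15
    return interleaved or vowel_starved


def classify(name, known_good=KNOWN_GOOD, max_edits=2):
    """Return 'known', 'lookalike', 'random' or 'unlisted' for one image/DLL name."""
    name = name.strip().lower()
    if name in known_good:
        return "known"
    # svch0st.exe, 1sass.exe, svchost32.exe: a couple of edits from a real name
    if any(edit_distance(name, g) <= max_edits for g in known_good):
        return "lookalike"
    stem = re.sub(r"\.[a-z0-9]+$", "", name)   # drop the extension
    if looks_random(stem):
        return "random"
    return "unlisted"


def triage(names, **kw):
    """Map each name to its category, most suspicious first."""
    order = {"lookalike": 0, "random": 1, "unlisted": 2, "known": 3}
    return sorted(((n, classify(n, **kw)) for n in names), key=lambda t: order[t[1]])


# Constructed sample of what a process or module listing might contain.
SAMPLE_NAMES = ["explorer.exe", "svch0st.exe", "a8f3kq2z.dll", "notepad.exe",
                "1sass.exe", "xkqzwrtb.dll", "rundll32.exe", "svchost32.exe"]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES):
        print(f"{verdict:10s} {name}")
```

On a live machine, feed triage() the image names from Task Manager or the module names from `tasklist /m`. "unlisted" only means the name is not on your baseline, so the quality of the known-good list matters more than the heuristics.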
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as the CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies.
This was first published in October 2008