DNS cache showing different values

Hi

There have been a couple of issues lately on net connectivity - but this is the result of another PC sending many ARP requests in the network - not my PC - confirmed on this pretty much.

I had entered [a-z].asdafdgfgf.com & [a-z].222360.com and mumbailive.in to my hosts file. But how do these show up in my DNS cache when I've got so many other sites opened in FF and Im definitely not checking out these sites ?

Code:

C:\>ipconfig /flushdns
C:\>ipconfig /displaydns

Windows IP Configuration

         s.asdafdgfgf.com
         ----------------------------------------
         Record Name . . . . . : s.asdafdgfgf.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         i.asdafdgfgf.com
         ----------------------------------------
         Record Name . . . . . : i.asdafdgfgf.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         g.asdafdgfgf.com
         ----------------------------------------
         Record Name . . . . . : g.asdafdgfgf.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         p.222360.com
         ----------------------------------------
         Record Name . . . . . : p.222360.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         w.222360.com
         ----------------------------------------
         Record Name . . . . . : w.222360.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         x.asdafdgfgf.com
         ----------------------------------------
         Record Name . . . . . : x.asdafdgfgf.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         f.222360.com
         ----------------------------------------
         Record Name . . . . . : f.222360.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         v.asdafdgfgf.com
         ----------------------------------------
         Record Name . . . . . : v.asdafdgfgf.com
         Record Type . . . . . : 1
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1


         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost


         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : mumbailive.in


         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : 222360.com


         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : a.222360.com


         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 592323
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : b.222360.com


         Section . . . . . . . : Answer

C:\>

 

If you've entered the addresses in your HOSTS files they won't appear in your DNS cache.

Your HOSTS file does exactly the same task as DNS. The difference between the two systems is:

• DNS is a server based system where a number of client systems use a central database to provide mappings of URL (network name) to IP address. The DNS client sends a request to the DNS server, asking for the server to provide the IP address that belongs to the given URL. The DNS server looks up the mapping in its central database and returns the appropriate IP address.
• HOSTS files provides a very simple database of IP address to URL This system is entirely housed within a single PC. Each PC having its own HOSTS file.

HOSTS file look up is faster than DNS lookup as with HOSTS you don't have to go over the network to access the database, and the database itself is a lot smaller (usually). However, it is a lot less flexible, doesn't understand about talking to other systems to help resolve an address and is difficult to manage across multiple PCs.

Because HOSTS is faster, Windows systems always look at the HOSTS file before they use DNS. Windows will only use DNS if there is no appropriate mapping in the HOSTS files. The other side of that is that if there is a HOSTS file entry, Windows will never use DNS to resolve that address. Why should it, as the HOSTS one will be quicker and easier.

So if a URL is in your HOSTS files, your system will not use DNS to resolve that URL and therefore, it will not appear in the DNS cache.

 

In that case how come these records are appearing in my DNS cache ? Because, this is what I have in my HOSTS file :

Code:

127.0.0.1       localhost

127.0.0.1       mumbailive.in

127.0.0.1       222360.com
127.0.0.1       a.222360.com
127.0.0.1       b.222360.com
127.0.0.1       c.222360.com
127.0.0.1       d.222360.com
127.0.0.1       e.222360.com
127.0.0.1       f.222360.com
127.0.0.1       g.222360.com
127.0.0.1       h.222360.com
127.0.0.1       i.222360.com
127.0.0.1       j.222360.com
127.0.0.1       k.222360.com
127.0.0.1       l.222360.com
127.0.0.1       m.222360.com
127.0.0.1       n.222360.com
127.0.0.1       o.222360.com
127.0.0.1       p.222360.com
127.0.0.1       q.222360.com
127.0.0.1       r.222360.com
127.0.0.1       s.222360.com
127.0.0.1       t.222360.com
127.0.0.1       u.222360.com
127.0.0.1       v.222360.com
127.0.0.1       w.222360.com
127.0.0.1       x.222360.com
127.0.0.1       y.222360.com
127.0.0.1       x.222360.com

127.0.0.1       asdafdgfgf.com
127.0.0.1       a.asdafdgfgf.com
127.0.0.1       b.asdafdgfgf.com
127.0.0.1       c.asdafdgfgf.com
127.0.0.1       d.asdafdgfgf.com
127.0.0.1       e.asdafdgfgf.com
127.0.0.1       f.asdafdgfgf.com
127.0.0.1       g.asdafdgfgf.com
127.0.0.1       h.asdafdgfgf.com
127.0.0.1       i.asdafdgfgf.com
127.0.0.1       j.asdafdgfgf.com
127.0.0.1       k.asdafdgfgf.com
127.0.0.1       l.asdafdgfgf.com
127.0.0.1       m.asdafdgfgf.com
127.0.0.1       n.asdafdgfgf.com
127.0.0.1       o.asdafdgfgf.com
127.0.0.1       p.asdafdgfgf.com
127.0.0.1       q.asdafdgfgf.com
127.0.0.1       r.asdafdgfgf.com
127.0.0.1       s.asdafdgfgf.com
127.0.0.1       t.asdafdgfgf.com
127.0.0.1       u.asdafdgfgf.com
127.0.0.1       v.asdafdgfgf.com
127.0.0.1       w.asdafdgfgf.com
127.0.0.1       x.asdafdgfgf.com
127.0.0.1       y.asdafdgfgf.com
127.0.0.1       x.asdafdgfgf.com

 

Because the ipconfig /displaydns command also includes HOSTS entries as well as addresses resolved by DNS. Have a look at the sixth bullet point in this article:

http://technet2.microsoft.com/windo...e8ee-4dae-9edb-8b08a37e53841033.mspx?mfr=true

I wonder is Firefox is using it's own DNS resolution system rather than the built in Windows one. This would account for lack of entries for URLs that Firefox has resolved (I'm assuming that your FF is Firefox)

I don't know why some HOSTS files entries are appearing in the displaydns output while others are not.

Try using NETSTAT to display connections and ports. That might show up a service that is connection to those addresses in the background.

 

Yes, using FireFox here.

I guess that could be it. FF resolves its own DNS. I am using AdBlockPlus extension to block those domains too from even getting parsed by FF.

netstat -b shows only FireFox.exe connections. Nothing else seem to be connecting to the net.

But will netstat show windows system files like svchost, winlogin etc if they're trying to establish a connection ?

 

solution to asdafdgfgf problem

We have developed windows application that can pinpoint the PC ARP spoofing in the network. We are releasing that as freeware.

You can download ARProtect from www.netoptima.in/arprotect
http://www.netoptima.in/arprotect

Trace PCs spoofing ARP and remove virus on those PCs using AVG free