OS Windows 2019 Server STD
running AD + DNS

Recently I noticed that the DNS forwarders change by themselves. The address gets set to 10.64.6.6 or 10.64.5.5.

I did some research and I cannot find where or what that address leads to. It seems to be un-pingable, and trying to run reverse DNS on it returns nothing. I have scanned the server with different kinds of malware software, but none of them can find anything (Malwarebytes, Spybot, Webroot, Bitdefender).

All computers on the network are running Bitdefender GravityZone, including the server. It is a mixed network of Mac and PC.

To prevent any damage or data leak I already block ALL traffic from or to the subnet of those IPs, but my problem now is that it keeps changing and stops all internet traffic when it changes.

The only thing I can get from the Event Viewer DNS audit is that the change was made by user S-1-5-18, the user reserved for the system only, so I'm not sure how it has been used. I thought it might be in my Task Manager, but I checked all the tasks, and nothing is using PowerShell or a script of any kind that could trigger it.

The last thing: the built-in admin account is disabled.

Things I'm working on are scanning my GP and services.

I would appreciate any ideas of where or what it might be.

Thanks

5 Spice ups

That is in the private address range; it doesn't go anywhere. However, many ISPs use that range for customer addresses.
Wild guess here: your ISP sent DHCP to update your IP address/DNS, and the server is watching for DHCP and updating the network interface to point to the new address from the ISP.

User S-1-5-18 runs privileged system processes that launch from unprivileged services (like DHCP). It is the system's internal equivalent to RunAs.

If you do a tracert to some known address, like 8.8.8.8, it should pass through that address on the way, usually 1 or 2 hops out from where you start.

Because you would essentially be pinging yourself, since you are likely accessing through NAT, that address is invisible to you.

2 Spice ups

So my DHCP runs from my firewall/router; we do not have any scope for that IP range. Even the ISP modem is set to provide the WAN IP only, and its DHCP is off.

If I understand correctly, you think I have another router on the network that is providing DHCP for some reason, and the Windows DNS sees it and updates the forwarder accordingly?

But why does the DNS allow it to happen?

Is your router allowing machines inside your network to send DHCP requests through it to the ISP? Because the ISP DHCP will likely hand you an address if it does…

If you are using NAT at the router, there are 2 different DHCP servers involved here, one for you inside, and one for your ISP to set the address of the ISP side of the router/modem.

I think we are not on the same page here.

The modem from the ISP is set to provide 5 static WAN IP addresses. It does not provide any private address at all.

The modem only connects to the firewall/router.

The firewall is the only unit in the building that provides DHCP. The firewall has VLANs set up, but they do not have the IP range I see in my DNS.

Is there any way to block the system account from making the change? At the moment I have set up a script that detects changes in the DNS and automatically replaces the address with the correct one, but I do not want to keep running this for a long time.
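As an added example (not the script from the post above), a PowerShell check of the kind described there: it compares the server's current forwarders with an approved list, writes any drift together with the matching DNS audit events so the change can be correlated by time and account, and then restores the approved list. The approved forwarder addresses and the log path are placeholders; the DNS server audit log is assumed to be enabled, as the post indicates it is.

```powershell
# Added example: detect DNS forwarder drift, capture audit context, restore approved list.
# Run in an elevated PowerShell on the DNS server (DnsServer module is present on the DC).
# Placeholders below are assumptions, not values from the thread.
$ApprovedForwarders = @('203.0.113.10', '203.0.113.11')   # placeholder: your real upstream resolvers
$LogPath = 'C:\Logs\dns-forwarder-drift.log'               # placeholder path

# Current forwarders as plain strings (empty if none are configured).
$current = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
$unexpected = @($current | Where-Object { $_ -notin $ApprovedForwarders })
$missing    = @($ApprovedForwarders | Where-Object { $_ -notin $current })

if ($unexpected.Count -gt 0 -or $missing.Count -gt 0) {
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $lines = @("[$stamp] Forwarder drift detected.",
               "  current   : $($current -join ', ')",
               "  unexpected: $($unexpected -join ', ')",
               "  missing   : $($missing -join ', ')")

    # Pull DNS server audit events from the last hour that mention forwarders, so the
    # time and the SID that made the change (S-1-5-18 in the post) are kept with the drift record.
    # Filtering on message text rather than a specific event ID is a deliberate assumption.
    $since  = (Get-Date).AddHours(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNSServer/Audit'; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'forwarder' }
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`n")[0].Trim()
        $lines += "  audit $($e.TimeCreated) id=$($e.Id) user=$($e.UserId) : $firstLine"
    }

    # Restore the approved forwarders (replaces the whole list) and record the action.
    Set-DnsServerForwarder -IPAddress $ApprovedForwarders -PassThru | Out-Null
    $lines += "  restored  : $($ApprovedForwarders -join ', ')"
    $lines | Add-Content -Path $LogPath
}
```

Scheduling this every few minutes with Task Scheduler gives a timestamped record of each change, which is what narrows down whether the edits line up with ISP DHCP activity, a WiFi device, or something running on the server itself.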

OK, I will assume they are routable addresses. Here is the silly part: your ISP may also be sending you a dynamic address; it is not a common misconfiguration for ISPs.

There is no real way to block it if your router is forwarding it from the ISP; once it leaves the router, it looks exactly like the DHCP from the router for one of your 5 addresses.

Do you have any WiFi devices in the VLAN? That is the other place you could be getting bogon DHCP from…

Yes, I have a lot of devices on WiFi, but the change happens late at night or early morning when the building is empty. I will check with our ISP and see why they would do such a thing at all, but it has happened before; they try to push their security guard thing. We did contact them long ago to do reverse DNS for us so it will match our domain name; could that be it? And if so, why push a local address? At the moment I'm not worried about it as much as it annoys me; I must figure out where it is coming from :)