Network IP addresses showing weird signs.



I tried tracert and Wireshark, and all the addresses on this one network keep showing up weird or unusual.

 

For example, this is a tracert to another computer.

C:\Users\Cire>tracert 201.100.100.43

Tracing route to dsl-201-100-100-43-sta.prod-empresarial.com.mx [201.100.100.43]
over a maximum of 30 hops:

 

Wireshark gives me the same weird endings.

 

1812 403.436785000 dsl-201-100-100-155-sta.prod-empresarial.com.mx 201.100.100.255 NBNS 92 Name query NB MITS4<20>

 

Wireshark data from a Linksys router.

 

1706 359.850595000 dsl-201-100-100-1-sta.prod-empresarial.com.mx 239.255.255.250 SSDP 398 NOTIFY * HTTP/1.1

 

It is on all the routers, printers, and machines. It is an older network. Please let me know if this is normal or what the sta.prod-empresarial.com.mx means.


That is what the PTR for that IP is; not sure I understand what you're trying to ask?

 

budman@ubuntu:~$ dig -x 201.100.100.43

; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> -x 201.100.100.43
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30427
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;43.100.100.201.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
43.100.100.201.in-addr.arpa. 89971 IN   PTR     dsl-201-100-100-43-sta.prod-empresarial.com.mx.

;; Query time: 2 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Thu Feb 27 15:56:44 CST 2014
;; MSG SIZE  rcvd: 105

 

That network is owned by:

 

inetnum:     201.96/12
status:      allocated
aut-num:     N/A
owner:       Uninet S.A. de C.V.
ownerid:     MX-USCV4-LACNIC

 

Do you not understand what a PTR is? That is your reverse DNS, is another way to say it.


It's a small network in Louisiana. Nothing here should be owned by anything from Mexico. I'm just confused about the sta.prod-empresarial.com.mx. I'm not sure why the other network, 192.168.1.X, in the same building does not have those extra bits and the 201.100.100.X does. I'll go research the PTR and reverse DNS. Maybe the domain controllers got a weird setting.


Are you saying that 201.x address is on your local network?  You're not supposed to use public IP space on your local network (that is not owned by you).  Bad practice - BAD network admin if that is what is going on.  You have the whole RFC 1918 space to work with for your local networks; there is no reason to just grab address space out of the public space and use it, unless you actually own it with ARIN or whatever RIR for your part of the world owns that address space, in this case LACNIC.

 

So when you do a traceroute - by default it's going to do a PTR query for the IPs along the path so you can get an idea of who owns them, where they are, etc.

 

So, for example:

 

budman@ubuntu:~$ traceroute 4.2.2.2
traceroute to 4.2.2.2 (4.2.2.2), 30 hops max, 60 byte packets
 1  pfsense.local.lan (192.168.1.253)  3.699 ms  3.594 ms  3.570 ms
 2  c-24-13-xx-xx.hsd1.il.comcast.net (24.13.xx.xx)  18.023 ms  18.013 ms  20.088 ms
 3  te-0-0-0-17-sur03.mtprospect.il.chicago.comcast.net (68.85.131.149)  17.918 ms  17.865 ms  19.917 ms
 

You see my router there at pfsense.local.lan; then hop 2 is my ISP gateway, which tells you that I am in IL and my ISP is Comcast.  Then as the trace goes through the Comcast network, hop 3 should be in the Mt. Prospect, IL part of the Comcast network, etc.

 

Then the last hop:

 8  b.resolvers.Level3.net (4.2.2.2)  38.986 ms  40.043 ms  40.168 ms

 

This is a public DNS owned and operated by Level 3.

 

Again, if that address is in your local network - BAD network admin!!  You should only be using RFC 1918 or public space you actually own in your network!

 

The only ones that can set up PTR records for the reverse zones, in-addr.arpa, are those that are the registered owners of that space with the RIR for the address space in that region of the world.  Think of it just like a forward zone or domain, say neowin.net, where the owners of the domain can set up records like www.neowin.net or ftp.neowin.net, but for IP address space.

 

When a specific address space has been registered to you or a company, school, etc., then you can register records for the in-addr.arpa zone just like you would register A, CNAME or MX records in your domain name.  You can look up the name servers for that zone just like you can with a forward zone.

 

If I look up the NS for your specific address, I get told that the SOA (source of authority) is:

 

;; QUESTION SECTION:
;43.100.100.201.in-addr.arpa.   IN      NS

;; AUTHORITY SECTION:
100.100.201.in-addr.arpa. 3600  IN      SOA     dnsadm-interno.uninet.net.mx. adm-dns.reduno.com.mx. 781 14400 3600 604800 3600

 

So if I then look up the NS for 100.100.201.in-addr.arpa, I find the nameservers that maintain the records for that zone.

 

 

;; QUESTION SECTION:
;100.100.201.in-addr.arpa.      IN      NS

;; ANSWER SECTION:
100.100.201.in-addr.arpa. 88806 IN      NS      dnsadm-interno.uninet.net.mx.
100.100.201.in-addr.arpa. 88806 IN      NS      nsmex2.uninet.net.mx.
100.100.201.in-addr.arpa. 88806 IN      NS      nsgdl2.uninet.net.mx.
100.100.201.in-addr.arpa. 88806 IN      NS      nsmty2.uninet.net.mx.
 


Yes, it's a local network owned by the parish. We've got 201.100.100.X, 10.10.96.X and 192.168.1.X for three separate local networks in one building; each has its own Linksys router ----> switch -----> MPLS Cisco router for a VPN tunnel to corporate.

 

The 201 is an old network that has not been touched in 10 years, and I do have a plan to switch it over to the 192.168.1.X network when the new equipment arrives. But that might take a few more months.

 

I did figure out why it's hitting the sta.prod-empresarial.com.mx. When I have the DNS on each computer going to 10.40.X.X first, which is our corporate headquarters in Chicago, I get that weird extension.

 

But it's weird because the 192.168.1.X network is in the same building and using the same DNS, but it does not get the sta.prod-empresarial.com.mx extension.


Hello,


The thing is that 201.x.x.x is not supposed to be a private network. Someone should have never used that as a private network.

And correct me if I'm wrong, but if you want 3 separate local networks, why not use subnet masking? 255.255.0.0 would have made it easier.


I'm taking over someone else's work. I have a plan to consolidate the three networks into one. There is no reason not to use only one IP scheme since they're all owned by the same company now. Once the approval for new equipment is done, which might take a few months, I plan to combine them. For now I'm trying to make shortcuts to get certain corporate applications working and still keep their network running until I get the new equipment. I've never seen a network always reporting sta.prod-empresarial.com.mx on tracert or Wireshark.

 

 

--------------------------------------------------------------------
192.168.1.10
255.255.255.0
192.168.1.1

10.40.X.X  Corporate domain controller
192.168.1.100 Domain controller
----------------------------------------------------------------
201.100.100.43
255.255.255.0
201.100.100.1

10.40.X.X
201.100.100.155 Domain Controller
---------------------------------------------------------------

 

I had to place the 10.40.X.X DNS first to get the corporate apps working correctly.

 

 

The 192 network looks fine with no odd extension when I tracert, and the 201 looks like a mess. 201 had a few worms that I had to clean up, so seeing anything weird on the network has me bugged out.

 

Thanks for y'all's help too. I think I'm figuring it out.


As the posters mentioned above, the reason you are getting those rDNS pointers is because you are using a public IP range for that 201.100.100.0 network. Whoever was managing your network before and chose that range and not a private one is a complete idiot.


"192 network looks fine with no odd extension when I tracert and the 201 looks like a mess."

 

From this statement I take it you did not read my posts, or they just went over your head?

 

You would not see anything for 192.168.x.x networks unless you have set up a reverse zone for that in your DNS.  Normally any "corp" network would have reverse set up; AD DNS should do it automatically, etc.  This allows you to just query for an IP and get the computer name, router name, printer name, etc.

 

Example:

C:\>nslookup 192.168.2.50  
Server:  pfsense.local.lan
Address:  192.168.1.253    
                           
Name:    brother.local.lan
Address:  192.168.2.50   

 

That is my printer - I call it brother because that is the brand name. The reason you would not get those names if your local DNS does not have the reverse zones set up is that they are private IP space (RFC 1918): 10.x.x.x, 192.168.x.x, 172.16-31.x.x, and no, there are no reverse zones for these on the public internet because they cannot be used on the public internet.

 

If you don't want to see the "weird" names, then just use -d in your tracert and it won't do the reverse lookup on each IP in the trace - you will notice traces are much faster that way ;)

 

C:\>tracert                                                            
                                                                       
Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout]      
               [-R] [-S srcaddr] [-4] [-6] target_name                 
                                                                       
Options:                                                               
    -d                 Do not resolve addresses to hostnames.          
    -h maximum_hops    Maximum number of hops to search for target.    
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.       
    -R                 Trace round-trip path (IPv6-only).              
    -S srcaddr         Source address to use (IPv6-only).              
    -4                 Force using IPv4.                               
    -6                 Force using IPv6.     

 

"I had to place the 10.40.X.X DNS first to get the corporate apps working correctly."

 

That does not mean you won't have the issue again..  If your machines are members of AD (Active Directory), then the ONLY DNS they should point to is your "corp" one - pointing to your local Linksys router is not going to resolve your AD stuff, and putting theirs first in the list does not mean Windows will always query that one first.  If your machine is a member of a domain, the ONLY DNS you should point to is that!

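An added example, not from anyone in this thread, that does offline what the dig and NS lookups above illustrate: it builds the in-addr.arpa name a PTR query asks for, the classful reverse zone an SOA/NS lookup goes to, and flags addresses seen on a LAN that sit in public space the operator does not own (their PTRs come from the registrant, here Uninet) or in RFC 1918 space that only resolves if a local reverse zone exists. The address list is constructed from addresses in the thread; owned_prefixes is an assumed parameter, not something the posters described.

```python
import ipaddress

# Constructed sample: hosts from the thread's three segments plus the NBNS
# broadcast and SSDP multicast destinations seen in the capture.
SEEN_ON_LAN = ["201.100.100.43", "201.100.100.155", "201.100.100.255",
               "192.168.1.10", "10.10.96.5", "239.255.255.250"]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name(ip: str) -> str:
    """Owner name a resolver queries for this address's PTR record,
    e.g. 43.100.100.201.in-addr.arpa. for 201.100.100.43."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(cidr: str) -> str:
    """Classful in-addr.arpa zone whose SOA/NS you would look up for a /8,
    /16 or /24, e.g. 100.100.201.in-addr.arpa. for 201.100.100.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 zones handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def classify(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public" if addr.is_global else "special"


def audit(addresses, owned_prefixes=()):
    """Rows of (ip, class, PTR owner name, finding). Public space outside
    owned_prefixes (assumed parameter) is flagged: its reverse zone is
    delegated to the RIR registrant, so resolvers return their names."""
    owned = [ipaddress.ip_network(p) for p in owned_prefixes]
    rows = []
    for ip in addresses:
        addr, kind = ipaddress.ip_address(ip), classify(ip)
        if kind == "public" and not any(addr in net for net in owned):
            finding = "public space you do not own: PTR comes from registrant"
        elif kind == "rfc1918":
            finding = "no public reverse zone: needs a local in-addr.arpa zone"
        else:
            finding = "ok"
        rows.append((ip, kind, reverse_name(ip), finding))
    return rows
```

Running audit(SEEN_ON_LAN) flags every 201.100.100.x host, which is exactly why tracert and Wireshark show Uninet's names for them, while the 192.168.1.x and 10.10.96.x hosts only get names from a reverse zone on the local DNS.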

I have to agree with the other posters above me that the OP does not seem to understand that the original network "admin" installed the network using public (and issued elsewhere) IPs. They are live on the internet and as such have that rDNS record. You need to change them to non-public IPs, as again others above have said.

 

You can subnet what you have if you understand how to, or use whatever new IPs from RFC 1918 that you fancy using to suit your existing schema. The strangeness you see is nothing to people who've been in the field a long time ... "All the gear, no idea" comes to mind.

 

