Dell PowerEdge 2600
Windows 2000 Server SP4
Functioning as PDC / DNS / AD server
Monitoring my firewall, I have noticed that my PDC/DNS/AD server was periodically making connections to strange destinations such as:
I created entries in c:\winnt\system32\drivers\etc\hosts redirecting those destinations to 127.0.0.0, which stops the connections to those addresses as I would expect, but for each one that I block, it seems every few days my server attempts to connect to a new one. I am concerned that I may have a DNS hijacking situation.
Under the DNS applet > Forward Lookup Zones > mydomain.com I see:
Expected entries: I see all of the computers in my domain with their respective IP addresses, which I would expect:
COMPUTER1 Host 192.168.1.100
COMPUTER2 Host 192.168.1.101
COMPUTER3 Host 192.168.1.102
Also entries such as these:
(same as parent folder) Host 192.168.1.10 PDC server
(same as parent folder) Host 192.168.1.20 Database server
(same as parent folder) Host 184.108.40.206 My external IP address
And two questionable entries:
(same as parent folder) Host 220.127.116.11 An unknown IP address
(same as parent folder) Host 18.104.22.168 An unknown IP address
If I delete these two unknown entries, they appear by themselves again in a few minutes.
Can anyone offer advice or insight?