IP Address keeps getting assigned that is already in use

dhcp domain-name-system ipv4 networking

I have an internal IP Address (192.168.0.57) that every couple of days will get assigned to a machine which will then periodically lose its connection to the network throughout the day.

The first machine that this happened to was running OSX and the rest have been Windows. Neither OS has detected an IP conflict.

When I ping the hostname of the machine I know it's been assigned to, it will give me back the IP in question. When I ping -a the IP, it gives me a completely different hostname.

I can't find any machine on the network that has the second hostname. Is this an issue with the DNS? What could cause this?

Best Answer

You may well have a "rogue DHCP Server" on the network. The observation that the machines have not detected an IP conflict does not rule a rogue out. See the Wikipedia article that I just linked to for a list of tools that can be used to detect if a rogue is on the network or not. Likely some access point has been introduced with its DHCP server turned on.

When you ping for the hostname, the machine doing the pinging is likely using the DNS server that you have set up on the network so it's no surprise that the "official" or "desired" address will be returned. Other factors come to mind such as the timing of the DORA conversation as well as authorization, but I shall not go into minute detail here.

ping -a does a reverse lookup, of course. So the ARP tables of either the local PC or the switch have been "poisoned" to now look at the last PC to broadcast itself as having that IP which then ties it to that new PC's own MAC address.

Analyze all network traffic for DHCP conversations and then track the villain down with ARP tables and port mappings if you have to. Terminate with extreme prejudice.
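One way to do the "analyze DHCP conversations" step offline, as an added example that is not part of the original answer: it parses DHCP server replies (OFFER/ACK) and reports any server identifier (option 54) that is not on an allow-list. It assumes the UDP payloads from ports 67/68 have already been extracted from a capture; the function names, the authorized server 192.168.0.1 and the MAC addresses are constructed for illustration.

```python
import socket

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
SERVER_TYPES = {2: "OFFER", 5: "ACK"}  # option 53 values only a server sends

def parse_reply(payload):
    """Return (type, server_id, yiaddr, client_mac) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None  # truncated, not a BOOTREPLY, or not DHCP
    yiaddr = socket.inet_ntoa(payload[16:20])  # address being handed to the client
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(payload[2], 16)])
    msg_type, server_id, i = None, None, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break  # truncated option, stop instead of reading past the end
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    if msg_type not in SERVER_TYPES or server_id is None:
        return None
    return SERVER_TYPES[msg_type], server_id, yiaddr, mac

def find_rogues(payloads, authorized):
    """Map each unauthorized server identifier to the (yiaddr, client_mac) leases it sent."""
    rogues = {}
    for p in payloads:
        reply = parse_reply(p)
        if reply and reply[1] not in authorized:
            rogues.setdefault(reply[1], []).append(reply[2:])
    return rogues

def build_reply(msg_type, server_ip, yiaddr, mac):
    """Construct a minimal BOOTREPLY payload (test data, not captured traffic)."""
    hdr = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(yiaddr) + bytes(8)
    hdr += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return hdr + MAGIC + bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"

# Constructed sample: 192.168.0.1 is assumed to be the legitimate DHCP server.
SAMPLE = [build_reply(2, "192.168.0.1", "192.168.0.23", "02:00:00:00:00:01"),
          build_reply(5, "192.168.0.254", "192.168.0.57", "02:00:00:00:00:02")]

print(find_rogues(SAMPLE, authorized={"192.168.0.1"}))
```

The MAC inside a reply is the client's. The unauthorized server's own MAC is the Ethernet source address of the frame that carried the reply, which is the value to look up in ARP tables and switch port mappings.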