I am monitoring when some of my VMs go offline using Endpoint Manager and when they do go offline I receive an email. In that email it shows the network information of the machine that isn’t online and I am seeing an incorrect DNS entry. After the server comes back online and I check the DNS it is then correct. Below is what the Endpoint Manager emails show as the network info
Connectivity Metrics
Local IP Address: 192.168.0.131
External IP Address: N/A
Gateway IP Address: 192.168.0.1
Ping to Gateway: false
Last Communication Time: N/A
Subnet: 255.255.255.0
Subdomain: mydomain.itsm-us1.comodo.com
DNS Server Addresses: Primary DNS: 10.1.1.190 Secondary DNS: 10.1.1.191 <----- (should be 192.168.0.50, 192.168.0.51 which is what ipconfig currently reports)
My question is, where does the Endpoint Manager pull this information from? I’d like to figure this out so I can tell if this is a possible virus that is changing the DNS or some sort of proxy that is being used somewhere.
Itarian sent me the command used to pull the network info from a windows machine.
wmic.exe path win32_NetworkAdapterConfiguration get
This pulls in network hardware info and the data must then be parsed in code to pull out the information (in this case the DNS info). Unfortunately they have not taken into account that there may be old network devices which have been physically removed but were not uninstalled, that are hidden and have not been manually removed. In my case it was VMs whose NIC MAC address had been changed, so the OS thinks it was a new card. The network that is being shown in the Itarian web GUI is from one such removed network card and not the currently attached card. It was confusing as the IP address and subnet were the same, however the DNS was different, so it wasn't immediately apparent to me that the NIC shown in the web GUI was not the correct/active NIC.
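The following PowerShell is an added example to reproduce the check described above; it is not code from the original post, from Itarian or from Comodo. It queries the same WMI class the wmic command reads (Win32_NetworkAdapterConfiguration), lists every entry it returns, and then joins each entry to its Win32_NetworkAdapter record so you can see which adapter is actually connected before trusting its DNS servers. The final comparison uses Get-DnsClientServerAddress (DnsClient module, Windows 8 / Server 2012 and later); the pnputil flag in the last step is assumed to be available only on recent Windows 10/11 builds.

```powershell
# Added example, not the original poster's or Itarian's code.
# Goal: show why "wmic path win32_NetworkAdapterConfiguration get" can surface a
# stale adapter, and how to pick out the one the OS is actually using.

# 1. The raw view: everything the WMI class returns, including entries for
#    adapters that are not bound to IP. This is what the wmic one-liner parses.
$allConfigs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration
$allConfigs |
    Select-Object Index, Description, MACAddress, IPEnabled,
                  @{ n = 'IPAddress'; e = { $_.IPAddress -join ', ' } },
                  @{ n = 'DNS';       e = { $_.DNSServerSearchOrder -join ', ' } } |
    Format-Table -AutoSize

# 2. Join each configuration to its adapter record. NetConnectionStatus 2 means
#    "Connected"; anything else (or no adapter record at all) is a candidate for
#    a removed or hidden NIC whose settings still linger in the configuration data.
function Get-AdapterDnsReport {
    foreach ($cfg in $allConfigs) {
        $adapter = Get-CimInstance -ClassName Win32_NetworkAdapter `
                                   -Filter "Index = $($cfg.Index)"
        [pscustomobject]@{
            Index       = $cfg.Index
            Description = $cfg.Description
            MAC         = $cfg.MACAddress
            IPEnabled   = [bool]$cfg.IPEnabled
            Connected   = ($adapter -and $adapter.NetConnectionStatus -eq 2)
            IPAddress   = ($cfg.IPAddress -join ', ')
            DNS         = ($cfg.DNSServerSearchOrder -join ', ')
        }
    }
}

$report = Get-AdapterDnsReport
$report | Format-Table -AutoSize

# 3. Only the connected, IP-bound adapters should be reported by a monitoring
#    agent; everything else is noise from old NICs.
$active = $report | Where-Object { $_.IPEnabled -and $_.Connected }
"Active adapter DNS: " + (($active | ForEach-Object { $_.DNS }) -join ' | ')

# 4. Cross-check against the OS's own resolver settings (what ipconfig shows).
#    If these differ from a DNS value in $report, that value belongs to a stale
#    adapter entry, not to the live network stack.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, @{ n = 'DNS'; e = { $_.ServerAddresses -join ', ' } }

# 5. (Assumed to exist on recent Windows 10/11 only.) List non-present devices so
#    the ghost NIC can be identified and uninstalled from Device Manager.
# pnputil /enum-devices /disconnected
```

If the DNS values in step 4 match the connected adapter in step 3 but a different pair appears on a row where Connected is false, the discrepancy is a leftover adapter record rather than something rewriting the resolver configuration; uninstalling that hidden device (Device Manager with "Show hidden devices") removes the stale entry so the agent's parser stops picking it up.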