I'm in the process of removing an old DNS server from our network and have been logging queries in order to update machines to point to our current DNS servers however I'm having the hardest time with two boxes. One is running Redhat and the other HP-Unix and both are doing the same thing.

After resolv.conf has been updated with new DNS settings (and no references to DNS in ifcfg file), these two boxes still query the old DNS server from time to time and I can't figure out what's causing this. Is there another place I could look for DNS configurations? I've restarted the network service on the Redhat box but that didn't correct the problem.

Where could I look next?

Each interface can have their own DNS configuration.

Oh I understand however these only have 1 interface each.

The existing connection could still use old DNS configuration. If TCP connection, tcpkill can clean up these connection.

Would these persist even if I've run service network restart?

Are you running nscd on those 2 boxes?

Had to search what that was and it appears that it is running on at least one of the boxes.

Check /etc/nscd.conf for anything relevant and then do a `service ncsd restart`. Personally, I'd turn that service off completely (all run levels) and permanently.

Ran the command but it still talked to the old DC last night. Same time every night! I don't want to disable it because I'm not sure if the service is needed by the processes on the box (this is a very old box that's been passed down through generations of IT...) and I don't know enough about Linux to figure it out (hence me being here!)

Would restarting the service accomplish the same as 'nscd -i hosts' ? I found that command to clear the caches but haven't run it yet.

You can run that command without worry. Also, nscd provides no critical service of it's own. It is safe to turn it off, if you choose.

Another possibility is that you have a nameserver running and it is using the old DNS server as a forwarder. Try `netstat -lnvp` and see if anything is listening on port 53. bind (named) is common. If so, it's config file is usually found at /etc/named.conf. Look for a line.

Thanks MikeDeltaBrown. I ran the command and will wait for tonight to see if it happens again.

Also, no nameserver running so I'm hoping it was just the cache.

Unless you have set a nonstandard "time to live" on your old DNS server, you must wait a considerable amount of time (typically 1-7 days) for remote users' cached DNS records to expire.

Ehh it's still talking to the box at the same time every day... I think I need to talk to the one guy who runs stuff on it to see what's going on at that time and maybe trace back from there.

Unless anyone else has any more ideas?

Since it happens at the same time you might want to check cron jobs: `crontab -l`

What version of Red Hat?
What is in /etc/resolv.conf (IOW, are the contents changing, or static?)?
Also, are you performing a 'service network restart' or using stop/start? Has this persisted after a reboot?

You may need to add 'PEERDNS=no' to your ifcfg files for it to stop picking up on random DNS servers-depending on your version of RH.