Win2k3 Enterprise cannot resolve names

[nweaver]

If I ping www.google.com, it instantly (no wait as if connecting to DNS) says cannot find host.

if I do an nslookup, the default server that comes up resolves this just fine. I have had this issue in the past, and can't seem to figure out what's going on. Running SP1, imaged using Altiris (although had this happen a while back without an image)

DNS servers are valid, it can ping anything via IP.

 

[rasczak]

dns cache maybe? flush and reregister dns cache? or is that client side only?

 

[stash]

DNS servers are valid, it can ping anything via IP.

This doesn't mean a whole lot, unless you are doing ping -a.

Have you tried other DNS servers? 4.2.2.1 is a good test.

 

[Smilin]

the server that NSlookup defaults to and the one apps use may or may not be the same.

On your client (2003 server) set tcp/ip to use just a single DNS server.

ipconfig /flushdns
try a ping by FQDN.

nslookup
try a lookup of same name (use the full FQDN, not just the hostname).

If the machine was just freshly imaged, try removing the NIC from device manager and bouncing the box for a redetect. If you used sysprep this shouldn't really be necessary.

 

[nweaver]

flushing dns doesn't work


Removing NIC doesn't work


as an fyi, what I am doing is at command line typing "ping www.google.com" and it fails to resolve the name. I type "nslookup" and it goes to my DNS servers set by DHCP. I type "www.google.com" and it tells me the IP's. Pinging the actual IP of www.google.com works.
When we did a sniffer trace on this a while back, it did no actually even send any packets to resolve the name.

 

[Smilin]

k, if you are getting DNS via DHCP be sure to also check the other DNS servers you are assigned. If you get a failure on a DNS server the client will fail over to another one on the list. NSLookup may or may not be trying the same DNS server.

so do these commands:

nslookup
www.google.com
server ABC (the IP of one of your other DNS servers)
www.google.com
server XYZ (... repeat for any other DNS servers you may have).


However, if you do a flushdns then ping www.google.com you should see DNS lookups going out in a trace. If not then either your hostfile is getting a hit or your DNS client is not running.

run services.msc and be sure your DHCP client service is running (this is responsible for DNS client functionality even if you are not using DHCP).

 

[nweaver]

hostsfile is not getting hit (tried to add an entry to test if that was the problem) and it still won't ping via name

dns client IS running, restarted, no change

nslookup with all 4 servers (we only assign 2, but I checked all 4 and 4.2.2.1) and resolves fine there.

grabbing a quick sniff, as it's been a while since we did that...

just reimaged, same thing.

For grins, I swapped the cable with my laptop's (which is working fine) and same issue, so no L1 or L2

 

[nweaver]

just grabbed a trace.

ping www.google.com, no packets sent

ipconfig /flushdns no packets

nslookup www.google.com I see it doing a PTR request for the name server, and a standard query for www.google.com, and a response.

Any ideas?

putting anything in the hosts files doesn't work either

 

[Nothinman]

the server that NSlookup defaults to and the one apps use may or may not be the same.

That makes no sense at all, any app doing manual DNS queries should be considered broken except under extreme circumstances.

Too bad Windows doesn't have something like strace so you can see what ping is actually doing when it attempts to resolve those names.

 

[stash]

dns client IS running, restarted, no change

What about DHCP client?

 

[stash]

Too bad Windows doesn't have something like strace so you can see what ping is actually doing when it attempts to resolve those names

Er, you mean like the Debugger? http://www.microsoft.com/whdc/devtools/debugging/default.mspx

 

[nweaver]

dhcp client is running

 

[stash]

This might be a dumb question, is name resolution failing with your browser too? So far, it only seems like you are trying to ping a FQDN.

 

[nweaver]

yes, IE cannot get to windows update or google (haven't tried any others)

 

[Nothinman]

Er, you mean like the Debugger? http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Not really, at least I couldn't find anything comparable to strace in there.

 

[Smilin]

Originally posted by: Nothinman

the server that NSlookup defaults to and the one apps use may or may not be the same.

That makes no sense at all, any app doing manual DNS queries should be considered broken except under extreme circumstances.

Too bad Windows doesn't have something like strace so you can see what ping is actually doing when it attempts to resolve those names.

It makes sense. Stew on it a bit. Think of the scenario where you have two DNS servers listed on your client and one is down. Ping would work fine. NSLookup may or may not without a 'server' command first.



More questions:
Is the box multihomed?
Are you using IPsec? Any IPSec lockdown messages in event log?
Are you using IPv6?
Restart both DHCP Client & DNS Client services. Any change?
Are you using NIC teaming software?
Was sysprep used during the imaging process?
Does the same problem happen in safemode with networking? MSConfig clean boot?


I'm looking through a stack of similar cases (internal KB). I haven't found one yet that wasn't caused by something third party, a dissimilar hardware restore (including imaging without sysprep), or corrupted tcp/ip registry entries.

This may be cruising towards needing some event logs and possibly debug logging.

 

[Smilin]

Originally posted by: Nothinman

Er, you mean like the Debugger? http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Not really, at least I couldn't find anything comparable to strace in there.

What does strace do exactly?

 

[Smilin]

Originally posted by: Smilin

Originally posted by: Nothinman

Er, you mean like the Debugger? http://www.microsoft.com/whdc/devtools/debugging/default.mspx

Not really, at least I couldn't find anything comparable to strace in there.

What does strace do exactly?

k, looked fer maself.

Yea Windbg does the same thing you gotta know what you are doing though. Probably want to run liveKD to do it as well.

procmon and procexp might give the same useful info to the less experienced.

 

[nweaver]

safe mode with networking has the same issues


I have also tried running a SID changer


This was created using Altiris deployment solution software. It has a built in tool similar to sysprep that strips settings out.

 

[nweaver]

cleared event logs and rebooted, only error in app/system is W32 time (probably can't resolve the name)

any other ideas?

 

[Nothinman]

It makes sense. Stew on it a bit. Think of the scenario where you have two DNS servers listed on your client and one is down. Ping would work fine. NSLookup may or may not without a 'server' command first.

gethostbyname should work if 1 or more of those servers are working, otherwise what is the point of allowing you to list more than one? Implementing the DNS protocol in every app that wants to use it is stupid code duplication.

What does strace do exactly?

Runs the command and prints all of the syscalls that it makes, it makes it extremely easy to find out which files, hosts, etc something is using. For instance f there's a problem opening a file it'll show the open() call with the full path and flags and the return value so you can see what the kernel said it failed and not what the app interpreted the return value to mean. There's also ltrace for library calls, but usually strace is good enough.

If you want to see the strace output from ping look at http://why.dont.jablowme.net/ping-strace.txt

 

[bsobel]

Originally posted by: nweaver
cleared event logs and rebooted, only error in app/system is W32 time (probably can't resolve the name)

any other ideas?

The fact that your host file isn't working makes me think this has nothing to do with DNS and everything to do with winsock name providers (more specifically, that list being screwed up [e.g. malware or a prevoiusly incorrectly removed entry, or Altiris tried to 'help' and screwed it up]). Run a lsp repair tool, dollars to donuts thats the problem.

Bill

 

[RebateMonger]

I wonder what happens if you set up a DNS Server on that box and point the DNS Client to the new (internal) DNS Server?

 

[bsobel]

Originally posted by: RebateMonger
I wonder what happens if you set up a DNS Server on that box and point the DNS Client to the new (internal) DNS Server?

It can't be DNS, the hosts file is checked (by default) FIRST and if even that is failing something is wrong in the name provider stack.

 

[RebateMonger]

Originally posted by: bsobel
It can't be DNS, the hosts file is checked (by default) FIRST and if even that is failing something is wrong in the name provider stack.

Yeah, you are right.

Just for yuks, here's the Windows order for host name resolution:
1)HOSTS file
2)DNS
3)WINS
4)local broadcast
5)LMHOSTS file

And the order for Windows NetBIOS name resolution:
1)NetBIOS name cache in the client's memory
2)WINS
3)local broadcast
4)LMHOSTS file
5)HOSTS file
6)DNS

All stolen from UseNet, since I could never remember the order.