How does netstat get a hostname from IP while nslookup & nblookup fail every time?


Apparently nblookup does not work with reverse IP -> hostname lookups. I started capturing packets with MS Network Monitor to see how netstat was resolving the name and learned something new. Apparently it will revert to NetBIOS lookups if DNS fails.

Another important thing to note: I ran into trouble when troubleshooting this because my local machine is Windows 7. Another method Windows 7 uses is called LLMNR. So, if DNS fails it will try to perform an LLMNR lookup. LLMNR isn't available in Windows Server 2003.

Resolution order:

  1. DNS
    a. Resolver Cache (Hosts File + Cached DNS Queries) (ipconfig /displaydns)
    b. DNS Server Query (ipconfig /all to see DNS Servers that will be queried, nslookup to attempt queries)
  2. LLMNR (Windows Vista/7/8, Server 2008)
    a. LLMNR Cache
    b. LLMNR Multicast Query
  3. NetBIOS (Order and methods depend on NetBIOS Node Type -- find type by: ipconfig /all | findstr "Node Type")
    a. WINS Servers (h node, m node, p node)
    b. LMHosts File
    c. Broadcast (h node, m node, b node)

Here is a fantastic YouTube video on the different resolution techniques: https://www.youtube.com/watch?v=gzqjeds8gDg and there is a great MSDN TechNet article on name resolution; search for "Link-Local Multicast Name Resolution: The Cable Guy".
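As an added illustration of the resolution order listed above (this is example code, not something from the original answer), the script below parses the lines of `ipconfig /all` output that the answer points at (Node Type, DNS Servers, WINS servers) and prints the sequence of lookups a host would attempt before `netstat` finally gets a name. The `ipconfig` text is a constructed sample, not output from the asker's machine; the b/p/m/h node semantics are the standard NetBIOS ones (b-node broadcasts only, p-node queries WINS only, m-node broadcasts then queries WINS, h-node queries WINS then broadcasts); and the LMHOSTS position follows the answer's list for h-node and is an assumption for the other node types.

```python
"""Derive the name-resolution fallback order (DNS -> LLMNR -> NetBIOS) from
ipconfig /all output. Added example; the sample text below is constructed."""
import re

# ipconfig /all labels for the NetBIOS node type, mapped to b/p/m/h.
NODE_TYPES = {"broadcast": "b", "peer-peer": "p", "mixed": "m", "hybrid": "h"}

# Matches "   Node Type . . . . : Hybrid" style lines: key, dot leader, value.
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9][^:]*?)[ .]*:\s*(.*)$")

# Constructed sample of the relevant ipconfig /all lines (a Windows 7 host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION7
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.0.25(Preferred)
   DNS Servers . . . . . . . . . . . : 10.0.0.53
                                       10.0.0.54
   Primary WINS Server . . . . . . . : 10.0.0.60
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def parse_ipconfig(text):
    """Return node type letter, DNS server list and WINS server list."""
    info = {"node": None, "dns": [], "wins": []}
    current = None  # list that indented continuation lines belong to
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            current = None
            if key == "node type":
                info["node"] = NODE_TYPES.get(value.lower())
            elif key == "dns servers":
                current = "dns"
            elif key in ("primary wins server", "secondary wins server"):
                current = "wins"
            if current and value:
                info[current].append(value)
        elif current and line.startswith(" ") and line.strip():
            # Extra servers are printed on indented lines with no key.
            info[current].append(line.strip())
    return info


def netbios_steps(node, wins_servers):
    """NetBIOS lookup steps for a node type (standard b/p/m/h semantics)."""
    order = {"b": ["broadcast"], "p": ["wins"],
             "m": ["broadcast", "wins"], "h": ["wins", "broadcast"]}
    if node not in order:
        raise ValueError(f"unknown NetBIOS node type: {node!r}")
    steps = []
    for step in order[node]:
        if step == "wins":
            steps += [f"WINS query to {s}" for s in wins_servers]
            steps.append("LMHOSTS file")  # after WINS, as in the answer's list
        else:
            steps.append("NetBIOS broadcast")
    if "LMHOSTS file" not in steps:  # b-node: no WINS step, so LMHOSTS first
        steps.insert(0, "LMHOSTS file")
    return steps


def resolution_plan(ipconfig_text, llmnr_supported):
    """Ordered lookups in the answer's order: DNS, LLMNR (if the OS has it),
    then NetBIOS. Server 2003 callers pass llmnr_supported=False."""
    info = parse_ipconfig(ipconfig_text)
    plan = ["DNS resolver cache (hosts file + cached answers)"]
    plan += [f"DNS query to {s}" for s in info["dns"]]
    if llmnr_supported:
        plan += ["LLMNR cache", "LLMNR multicast query"]
    plan += netbios_steps(info["node"], info["wins"])
    return plan


if __name__ == "__main__":
    for os_name, llmnr in (("Windows 7", True), ("Windows Server 2003", False)):
        print(f"{os_name}:")
        for i, step in enumerate(resolution_plan(SAMPLE_IPCONFIG, llmnr), 1):
            print(f"  {i}. {step}")
```

Running it with real `ipconfig /all` output (redirect it to a file and read it in) shows why the `netstat` slowness lands on a few rows only: every step before the one that answers is a timeout, and on a Server 2003 host the LLMNR steps are simply absent from the list.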

Author by

Nico M

Updated on September 18, 2022

Comments

  • Nico M
    Nico M almost 2 years

    In Windows Server 2003, when I run netstat with no flags, it takes much longer than netstat -n to return results. I realize this is because it has to perform reverse lookups by IP address to get the corresponding hostname.

    There are some rows in the results that netstat seems to hiccup on and take longer than usual. As far as I can tell, these are all addresses where there is no IP to hostname mapping in our local DNS servers. No big deal. nslookup and nblookup both fail to find hostnames for the IPs in question as well, agreeing that this would be part of the slowness related to these records.

    However, in the netstat results, these records show the correct hostname. How is that possible? How is netstat able to discern the hostname for the connections with no reverse DNS or reverse WINS (is there such a thing) entries?

    I have tried flushing the local DNS cache and still get the same results. Edit: There are forward DNS entries for the hostnames in question. Is it possible the underlying connection is somehow able to "hold on" to the original name used to create the connections?