nslookup returns the right IP, ping still goes to the wrong ip

Solution 1

Couple of possible things.

Try a route print and make sure that you don't have any static route in place which could be causing this.

Are you sure that "ping hostname" is being resolved by DNS and not WINS? If you can fully qualify and get a good result, but get a fail on shortname, it may well be a bad WINS record. Check your WINS server and remove/correct any wrong records. Also run NBTSTAT -RR on your machine.

Check and adjust your DNS search order (covered in comments already by the looks of it)

Check you don't have a rogue HOSTS / LMHOSTS entry on your machine.

Solution 2

There is a difference between name resolution by nslookup and name resolution by Windows networking API used by almost every app.

Standard name resolution process in Windows is in the following order:

  1. Check against local computer's name
  2. HOSTS file
  3. DNS, local cache
  4. DNS, DNS servers in the order of precedence
  5. WINS servers
  6. NetBIOS over TCP/IP (NetBT) broadcast

nslookup, however, is different in that:

  1. It confines itself to registered DNS servers only.
  2. It does not confine itself to full FQDN; it might find partial ones and then tell you that it has done so. Other apps may either assume hostname is a full FQDN or attempt to add Primary DNS Suffix (defined by SystemPropertiesComputerName.exe) and Connection-Specific DNS Suffixes before resolving.

You can use Wireshark (a free third-party diagnostics app) to find out from where ping resolves your hostname.
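A PowerShell check for the resolution order and suffix handling described in the answers above, added here as an example and not part of the original answers. It assumes the DnsClient module (Windows 8 / Server 2012 or later), and `hostname` is the placeholder name from the question.

```powershell
# Added diagnostic, not from the original answers. Needs the DnsClient module
# (Windows 8 / Server 2012 or later). 'hostname' is the question's placeholder.
param([string]$ShortName = 'hostname')

# HOSTS file: consulted before DNS by ping and other apps, never by nslookup.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$pattern   = '^\s*[^#\s]+\s+(.*\s)?' + [regex]::Escape($ShortName) + '(\.|\s|$)'
$hostsHits = @(Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match $pattern })

# Suffixes appended to a short name, in the order the resolver tries them.
$suffixes = @((Get-DnsClientGlobalSetting).SuffixSearchList)
if (-not $suffixes) {
    # No explicit list: primary DNS suffix first, then connection-specific ones.
    $primary  = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().DomainName
    $suffixes = @($primary) + @((Get-DnsClient).ConnectionSpecificSuffix)
}
$suffixes = @($suffixes | Where-Object { $_ } | Select-Object -Unique)

# DNS-only view of each candidate FQDN (trailing dot stops further suffixing).
$dnsView = foreach ($s in $suffixes) {
    $fqdn = "$ShortName.$s"
    $ips  = Resolve-DnsName -Name "$fqdn." -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
    [pscustomobject]@{ Candidate = $fqdn; DnsOnlyAnswer = ($ips -join ', ') }
}

# What the system resolver (the one ping uses) returns for the short name.
$osView = try {
    [System.Net.Dns]::GetHostAddresses($ShortName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
} catch { @() }

$winner = $dnsView | Where-Object { $_.DnsOnlyAnswer } | Select-Object -First 1

"HOSTS entries : $(if ($hostsHits) { $hostsHits -join ' | ' } else { 'none' })"
"Search order  : $($suffixes -join ', ')"
$dnsView | Format-Table -AutoSize
"First suffix that answers in DNS: $($winner.Candidate) -> $($winner.DnsOnlyAnswer)"
"System resolver (ping) returns  : $($osView -join ', ')"

# Cached entries for the name, which flushing the cache would clear.
Get-DnsClientCache | Where-Object { $_.Entry -like "$ShortName*" } |
    Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize
```

If the first answering candidate is not the host you meant, the suffix order is deciding the result. A HOSTS hit, or a system-resolver address that matches no DNS-only row, points to HOSTS, the cache, WINS or NetBT instead.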

FlyinButrs
Author by

FlyinButrs

Updated on September 18, 2022

Comments

  • FlyinButrs
    FlyinButrs over 1 year

    Ok, so here's the setup. Laptop is connected to our company VPN (Juniper Network Connect 7.2.0). There are two DNS Search suffixes (domain1.com, domain2.local). From that laptop, while connected, nslookup polls the correct DNS server, returns the right IP. Pinging the IP works fine. Pinging the FQDN works fine. Pinging the unqualified domain name appears to be both using the hostname.domain.com suffix (even though that doesn't exist), and appears to be using the results from the local DNS server rather than the VPN DNS server.

    More detail:

    c:\> nslookup hostname
    Server: hostname.domain2.local
    Address: 10.0.0.10

    Non-authoritative answer:
    Name: hostname.domain2.local
    Address: 10.0.0.10

    c:\> nslookup hostname.domain2.local
    Server: hostname.domain2.local
    Address: 10.0.0.10

    Non-authoritative answer:
    Name: hostname.domain2.local
    Address: 10.0.0.10

    C:\> ping hostname

    Pinging hostname.domain1.com [EXTERNAL/WRONG_IP] with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for EXTERNAL/WRONG_IP:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\> ping hostname.domain2.local

    Pinging hostname.domain2.local [10.0.0.10] with 32 bytes of data:
    Reply from 10.0.0.10: bytes=32 time=50ms TTL=128
    Reply from 10.0.0.10: bytes=32 time=50ms TTL=128
    Reply from 10.0.0.10: bytes=32 time=47ms TTL=128
    Reply from 10.0.0.10: bytes=32 time=50ms TTL=128

    Ping statistics for 10.0.0.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 47ms, Maximum = 50ms, Average = 49ms

    So here's what I've tried so far:

    1. ipconfig /flushdns
    2. netsh int ip reset all
    3. Verified that the network adapters are in the right priority order in the advanced settings
    4. Verified that the TCP/IP routes are correct
    5. Verified that the hostname isn't in the hosts file.

    So... does anyone know why it still seems to be using the wrong DNS server?

    • rtf
      rtf almost 12 years
      Have you checked if a static route is configured? What do the A records look like? Take a look at the packets and figure out what server is resolving for the 'ping hostname'. You said VPN DNS, are you on a VPN? Are you split tunneling?
    • Harry Johnston
      Harry Johnston almost 12 years
      Please clarify, are you saying that the name hostname.domain1.com doesn't exist? What order do the suffixes appear in the DNS suffix search list (ipconfig /all)?
    • Harry Johnston
      Harry Johnston almost 12 years
      Is the hostname in question special in any way? For example, is it the NetBIOS name of the client, the domain, or perhaps one of the domain controllers?
    • FlyinButrs
      FlyinButrs almost 12 years
      @HarryJohnston, the hostname in question is one of the domain controllers for domain2. hostname.domain1.com doesn't exist, the IP it returns is the IP of the website for domain1.com. In ipconfig /all the DNS suffix search list is domain1, domain2. The laptop in question is a member of domain1, but is VPN'd into domain2, which is a trusted domain.
    • FlyinButrs
      FlyinButrs almost 12 years
      @r.tanner.f - No static routes, and yes, the laptop is connected to the VPN. I believe it's a split tunnel, but I'll check and get back to you. I haven't done a packet analysis yet, I'm trying to diagnose a problem on a user's machine remotely, so getting time to work on it has been tricky.
    • Harry Johnston
      Harry Johnston almost 12 years
      My guess is that this is something Windows is doing to try to cope with a trust from a domain in a public namespace to a domain in a private namespace. It would sort of make sense, if the client wasn't VPN'd in to the private network, and if domain1.com pointed to a domain controller (as Windows expects) rather than a web server. Basically the idea is that the DC from domain1.com would be expected to stand in for the DC from domain2.local. I suggest you work around the problem by adding an entry to the hosts file.
    • nGX
      nGX almost 9 years
      Can you post output from ipconfig /all? Also, how is routing handled per VPN settings? Does it route all traffic through VPN tunnel or only certain traffic to certain subnets?
    • FlyinButrs
      FlyinButrs almost 9 years
      @KPS - Sorry, this is a very old question, and the laptop, VPN, and company in question no longer exist.
    • lev
      lev almost 9 years
      Did you manage to resolve this? I'm having the same exact issue.