Ping returns the wrong name; nslookup OK

I have a webserver with two IP addresses - one is a NAT and the other is
an external address. My internal dns server has the internal ip address
for the host, and the external dns A record is hosted in the cloud
(externally).

On a Windows 2003 Server (latest patches) - ping www.myhost.com returns
the external address, whereas nslookup www.wananga.com returns the
internal address (as in 129.0.1.240).

I have two dns entries loaded in network adapter - ipconfig /all shows

Windows IP Configuration

Host Name . . . . . . . . . . . . : kaitiaki
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : twor-otaki.ac.nz

Ethernet adapter Wananga LAN:

Connection-specific DNS Suffix . : twor-otaki.ac.nz
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter #2
Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 129.0.1.232
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . : 129.0.1.1
DNS Servers . . . . . . . . . . . : 129.0.1.251
129.0.1.252
Primary WINS Server . . . . . . . : 129.0.1.251
Secondary WINS Server . . . . . . : 129.0.1.252

Nslookup shows -

C:\>nslookup www.wananga.com
Server: tumatauenga.lan.twor-otaki.ac.nz
Address: 129.0.1.251

Name: www.wananga.com
Address: 129.0.1.240


But ping shows -

C:\>ping www.wananga.com

Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:

Request timed out.
Request timed out.

"Phil Tuttiett" <[email protected]> wrote in message
news:%[email protected]...
>I have a webserver with two IP addresses - one is a NAT and the other is an
>external address. My internal dns server has the internal ip address for
>the host, and the external dns A record is hosted in the cloud
>(externally).
>
> On a Windows 2003 Server (latest patches) - ping www.myhost.com returns
> the external address, whereas nslookup www.wananga.com returns the
> internal address (as in 129.0.1.240).
>
> I have two dns entries loaded in network adapter - ipconfig /all shows
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : kaitiaki
> Primary Dns Suffix . . . . . . . :
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : twor-otaki.ac.nz
>
> Ethernet adapter Wananga LAN:
>
> Connection-specific DNS Suffix . : twor-otaki.ac.nz
> Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter #2
> Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 129.0.1.232
> Subnet Mask . . . . . . . . . . . : 255.255.252.0
> Default Gateway . . . . . . . . . : 129.0.1.1
> DNS Servers . . . . . . . . . . . : 129.0.1.251
> 129.0.1.252
> Primary WINS Server . . . . . . . : 129.0.1.251
> Secondary WINS Server . . . . . . : 129.0.1.252
>
> Nslookup shows -
>
> C:\>nslookup www.wananga.com
> Server: tumatauenga.lan.twor-otaki.ac.nz
> Address: 129.0.1.251
>
> Name: www.wananga.com
> Address: 129.0.1.240
>
>
> But ping shows -
>
> C:\>ping www.wananga.com
>
> Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:
>
> Request timed out.
> Request timed out.



Does a ping from another machine give the same results?
Is there a HOSTS file on the machine you are pinging from with a www entry
and the external IP?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

Ace Fekay [MCT] wrote:
> "Phil Tuttiett" <[email protected]> wrote in message
> news:%[email protected]...
>> I have a webserver with two IP addresses - one is a NAT and the other
>> is an external address. My internal dns server has the internal ip
>> address for the host, and the external dns A record is hosted in the
>> cloud (externally).
>>
>> On a Windows 2003 Server (latest patches) - ping www.myhost.com
>> returns the external address, whereas nslookup www.wananga.com returns
>> the internal address (as in 129.0.1.240).
>>
>> I have two dns entries loaded in network adapter - ipconfig /all shows
>>
>> Windows IP Configuration
>>
>> Host Name . . . . . . . . . . . . : kaitiaki
>> Primary Dns Suffix . . . . . . . :
>> Node Type . . . . . . . . . . . . : Hybrid
>> IP Routing Enabled. . . . . . . . : No
>> WINS Proxy Enabled. . . . . . . . : No
>> DNS Suffix Search List. . . . . . : twor-otaki.ac.nz
>>
>> Ethernet adapter Wananga LAN:
>>
>> Connection-specific DNS Suffix . : twor-otaki.ac.nz
>> Description . . . . . . . . . . . : HP NC7781 Gigabit Server
>> Adapter #2
>> Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
>> DHCP Enabled. . . . . . . . . . . : No
>> IP Address. . . . . . . . . . . . : 129.0.1.232
>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>> Default Gateway . . . . . . . . . : 129.0.1.1
>> DNS Servers . . . . . . . . . . . : 129.0.1.251
>> 129.0.1.252
>> Primary WINS Server . . . . . . . : 129.0.1.251
>> Secondary WINS Server . . . . . . : 129.0.1.252
>>
>> Nslookup shows -
>>
>> C:\>nslookup www.wananga.com
>> Server: tumatauenga.lan.twor-otaki.ac.nz
>> Address: 129.0.1.251
>>
>> Name: www.wananga.com
>> Address: 129.0.1.240
>>
>>
>> But ping shows -
>>
>> C:\>ping www.wananga.com
>>
>> Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:
>>
>> Request timed out.
>> Request timed out.
>
>
>
> Does a ping from another machine give the same results?
> Is there a HOSTS file on the machine you are pinging from with a www
> entry and the external IP?
>
Ping from another machine gives the correct result.
There isn't a hosts table entry - I've had to add one to force the
internal IP to resolve correctly.

"Phil Tuttiett" <[email protected]> wrote in message
news:[email protected]...
> Ace Fekay [MCT] wrote:
>> "Phil Tuttiett" <[email protected]> wrote in message
>> news:%[email protected]...
>>> I have a webserver with two IP addresses - one is a NAT and the other is
>>> an external address. My internal dns server has the internal ip address
>>> for the host, and the external dns A record is hosted in the cloud
>>> (externally).
>>>
>>> On a Windows 2003 Server (latest patches) - ping www.myhost.com returns
>>> the external address, whereas nslookup www.wananga.com returns the
>>> internal address (as in 129.0.1.240).
>>>
>>> I have two dns entries loaded in network adapter - ipconfig /all shows
>>>
>>> Windows IP Configuration
>>>
>>> Host Name . . . . . . . . . . . . : kaitiaki
>>> Primary Dns Suffix . . . . . . . :
>>> Node Type . . . . . . . . . . . . : Hybrid
>>> IP Routing Enabled. . . . . . . . : No
>>> WINS Proxy Enabled. . . . . . . . : No
>>> DNS Suffix Search List. . . . . . : twor-otaki.ac.nz
>>>
>>> Ethernet adapter Wananga LAN:
>>>
>>> Connection-specific DNS Suffix . : twor-otaki.ac.nz
>>> Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
>>> #2
>>> Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
>>> DHCP Enabled. . . . . . . . . . . : No
>>> IP Address. . . . . . . . . . . . : 129.0.1.232
>>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>>> Default Gateway . . . . . . . . . : 129.0.1.1
>>> DNS Servers . . . . . . . . . . . : 129.0.1.251
>>> 129.0.1.252
>>> Primary WINS Server . . . . . . . : 129.0.1.251
>>> Secondary WINS Server . . . . . . : 129.0.1.252
>>>
>>> Nslookup shows -
>>>
>>> C:\>nslookup www.wananga.com
>>> Server: tumatauenga.lan.twor-otaki.ac.nz
>>> Address: 129.0.1.251
>>>
>>> Name: www.wananga.com
>>> Address: 129.0.1.240
>>>
>>>
>>> But ping shows -
>>>
>>> C:\>ping www.wananga.com
>>>
>>> Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:
>>>
>>> Request timed out.
>>> Request timed out.
>>
>>
>>
>> Does a ping from another machine give the same results?
>> Is there a HOSTS file on the machine you are pinging from with a www
>> entry and the external IP?
>>
> Ping from another machine gives the correct result.
> There isn't a hosts table entry - I've had to add one to force the
> internal IP to resolve correctly.


That's odd. Something's up with the resolver service, unless it got hijacked
with a DNS malware product. I was also thinking the hosts file location got
hijacked, but since you mentioned you put an entry in there to force it,
apparently that's not the case.

Have you run a spyware scan? Try Adaware, then afterwards, run Malwarebytes
(both free). Look in Add/Remove for anything you don't recognize, as well as
Services for a service that doesn't look familiar.

Ace

Ace

Ace Fekay [MCT] wrote:
> "Phil Tuttiett" <[email protected]> wrote in message
> news:[email protected]...
>> Ace Fekay [MCT] wrote:
>>> "Phil Tuttiett" <[email protected]> wrote in message
>>> news:%[email protected]...
>>>> I have a webserver with two IP addresses - one is a NAT and the
>>>> other is an external address. My internal dns server has the
>>>> internal ip address for the host, and the external dns A record is
>>>> hosted in the cloud (externally).
>>>>
>>>> On a Windows 2003 Server (latest patches) - ping www.myhost.com
>>>> returns the external address, whereas nslookup www.wananga.com
>>>> returns the internal address (as in 129.0.1.240).
>>>>
>>>> I have two dns entries loaded in network adapter - ipconfig /all shows
>>>>
>>>> Windows IP Configuration
>>>>
>>>> Host Name . . . . . . . . . . . . : kaitiaki
>>>> Primary Dns Suffix . . . . . . . :
>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>> IP Routing Enabled. . . . . . . . : No
>>>> WINS Proxy Enabled. . . . . . . . : No
>>>> DNS Suffix Search List. . . . . . : twor-otaki.ac.nz
>>>>
>>>> Ethernet adapter Wananga LAN:
>>>>
>>>> Connection-specific DNS Suffix . : twor-otaki.ac.nz
>>>> Description . . . . . . . . . . . : HP NC7781 Gigabit Server
>>>> Adapter #2
>>>> Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
>>>> DHCP Enabled. . . . . . . . . . . : No
>>>> IP Address. . . . . . . . . . . . : 129.0.1.232
>>>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>>>> Default Gateway . . . . . . . . . : 129.0.1.1
>>>> DNS Servers . . . . . . . . . . . : 129.0.1.251
>>>> 129.0.1.252
>>>> Primary WINS Server . . . . . . . : 129.0.1.251
>>>> Secondary WINS Server . . . . . . : 129.0.1.252
>>>>
>>>> Nslookup shows -
>>>>
>>>> C:\>nslookup www.wananga.com
>>>> Server: tumatauenga.lan.twor-otaki.ac.nz
>>>> Address: 129.0.1.251
>>>>
>>>> Name: www.wananga.com
>>>> Address: 129.0.1.240
>>>>
>>>>
>>>> But ping shows -
>>>>
>>>> C:\>ping www.wananga.com
>>>>
>>>> Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:
>>>>
>>>> Request timed out.
>>>> Request timed out.
>>>
>>>
>>>
>>> Does a ping from another machine give the same results?
>>> Is there a HOSTS file on the machine you are pinging from with a www
>>> entry and the external IP?
>>>
>> Ping from another machine gives the correct result.
>> There isn't a hosts table entry - I've had to add one to force the
>> internal IP to resolve correctly.
>
>
> That's odd. Something's up with the resolver service, unless it got
> hijacked with a DNS malware product. I was also thinking the hosts file
> location got hijacked, but since you mentioned you put an entry in there
> to force it, apparently that's not the case.
>
> Have you run a spyware scan? Try Adaware, then afterwards, run
> Malwarebytes (both free). Look in Add/Remove for anything you don't
> recognize, as well as Services for a service that doesn't look familiar.
>
> Ace
>
> Ace
Nope -no spyware.
Here's an interesting one...

The server also hosts a DNS server, but for a different external domain.
In discussion with a colleague in the office, I added a stub zone to a
primary on the main internal dns server, the re-tried the lookup again.

It now works correctly! I have removed the entries in the hosts table
and dns is now being correctly resolved.

So, it appears that if the server hosts a dns server, then the resolver
looks there first, regardless of the settings on the network card.

"Phil Tuttiett" <[email protected]> wrote in message
news:%[email protected]...
> Ace Fekay [MCT] wrote:
>> "Phil Tuttiett" <[email protected]> wrote in message
>> news:[email protected]...
>>> Ace Fekay [MCT] wrote:
>>>> "Phil Tuttiett" <[email protected]> wrote in message
>>>> news:%[email protected]...
>>>>> I have a webserver with two IP addresses - one is a NAT and the other
>>>>> is an external address. My internal dns server has the internal ip
>>>>> address for the host, and the external dns A record is hosted in the
>>>>> cloud (externally).
>>>>>
>>>>> On a Windows 2003 Server (latest patches) - ping www.myhost.com
>>>>> returns the external address, whereas nslookup www.wananga.com returns
>>>>> the internal address (as in 129.0.1.240).
>>>>>
>>>>> I have two dns entries loaded in network adapter - ipconfig /all shows
>>>>>
>>>>> Windows IP Configuration
>>>>>
>>>>> Host Name . . . . . . . . . . . . : kaitiaki
>>>>> Primary Dns Suffix . . . . . . . :
>>>>> Node Type . . . . . . . . . . . . : Hybrid
>>>>> IP Routing Enabled. . . . . . . . : No
>>>>> WINS Proxy Enabled. . . . . . . . : No
>>>>> DNS Suffix Search List. . . . . . : twor-otaki.ac.nz
>>>>>
>>>>> Ethernet adapter Wananga LAN:
>>>>>
>>>>> Connection-specific DNS Suffix . : twor-otaki.ac.nz
>>>>> Description . . . . . . . . . . . : HP NC7781 Gigabit Server
>>>>> Adapter #2
>>>>> Physical Address. . . . . . . . . : 00-0F-20-97-23-8F
>>>>> DHCP Enabled. . . . . . . . . . . : No
>>>>> IP Address. . . . . . . . . . . . : 129.0.1.232
>>>>> Subnet Mask . . . . . . . . . . . : 255.255.252.0
>>>>> Default Gateway . . . . . . . . . : 129.0.1.1
>>>>> DNS Servers . . . . . . . . . . . : 129.0.1.251
>>>>> 129.0.1.252
>>>>> Primary WINS Server . . . . . . . : 129.0.1.251
>>>>> Secondary WINS Server . . . . . . : 129.0.1.252
>>>>>
>>>>> Nslookup shows -
>>>>>
>>>>> C:\>nslookup www.wananga.com
>>>>> Server: tumatauenga.lan.twor-otaki.ac.nz
>>>>> Address: 129.0.1.251
>>>>>
>>>>> Name: www.wananga.com
>>>>> Address: 129.0.1.240
>>>>>
>>>>>
>>>>> But ping shows -
>>>>>
>>>>> C:\>ping www.wananga.com
>>>>>
>>>>> Pinging www.wananga.com [122.56.6.244] with 32 bytes of data:
>>>>>
>>>>> Request timed out.
>>>>> Request timed out.
>>>>
>>>>
>>>>
>>>> Does a ping from another machine give the same results?
>>>> Is there a HOSTS file on the machine you are pinging from with a www
>>>> entry and the external IP?
>>>>
>>> Ping from another machine gives the correct result.
>>> There isn't a hosts table entry - I've had to add one to force the
>>> internal IP to resolve correctly.
>>
>>
>> That's odd. Something's up with the resolver service, unless it got
>> hijacked with a DNS malware product. I was also thinking the hosts file
>> location got hijacked, but since you mentioned you put an entry in there
>> to force it, apparently that's not the case.
>>
>> Have you run a spyware scan? Try Adaware, then afterwards, run
>> Malwarebytes (both free). Look in Add/Remove for anything you don't
>> recognize, as well as Services for a service that doesn't look familiar.
>>
>> Ace
>>
>> Ace
> Nope -no spyware.
> Here's an interesting one...
>
> The server also hosts a DNS server, but for a different external domain.
> In discussion with a colleague in the office, I added a stub zone to a
> primary on the main internal dns server, the re-tried the lookup again.
>
> It now works correctly! I have removed the entries in the hosts table and
> dns is now being correctly resolved.
>
> So, it appears that if the server hosts a dns server, then the resolver
> looks there first, regardless of the settings on the network card.


Well, not true. I thought this was a client machine, not a server. Even if
it is a DNS server, or any service running on a machine, it will not use
itself unless you specifically type its own IP address as a DNS server in
it's own IP properties. You can opt to not use itself by simply specifying a
different DNS server in it's properties.

Apparently the DNS service itself didn't have a reference to the other
internal DNS server that hosts a copy of the internal zone, hence why it was
resolving the external address. Once you've made a reference to it (either
by a stub, conditional forwarder or secondary zone), then it can resolve it,
otherwise it would use it's general forwarder (assuming to the internet) or
the Root hints.

Ace