nslookup IS working; ping -4 name.com NOT working
The most obvious symptom of this problem is that nslookup IS working, while ping -4 name.com is NOT working.
That's because nslookup contains its own DNS client, and so does not use the Windows one.
ping when given a name, uses the Windows DNS Client to translate name -> number.
So if nslookup can translate, then lots of things work: networking hardware, NIC adapter driver, internet connectivity to the DNS servers, and successfully accessing the servers to do a translation. That's a lot!
However, ping -4 name.com fails, so if all that other stuff is working, it's the Windows DNS client software itself that is implicated.
Note i did ping -4 to isolate to IPv4 excluding IPv6 influences.
displaydns fails
That's why the best symptom to describe the actual problem is that
ipconfig /displaydns
reports:
Could not display the DNS Resolver Cache.
But DNS client is running
Reading forums, the most probable reason for this symptom is the DNS Client (aka dnscache) service is not running; however for us it is.
We did
net stop dnscache
net start dnscache
sc query dnscache
and it is on.
It's Not DNS suffix
Another possibility is that there are DNS suffixes in use. However going into network and sharing center -> change adapter settings -> Wireless Network Connection -> Properties -> Internet Protocol Version 4 Properties -> Advanced -> DNS tab, we have:
[CHECKED] Append primary and connection specific DNS suffixes
- [CHECKED] Append parent suffixes of the primary DNS suffix
[UNchecked] Append these DNS suffixes
(and the list box is empty)
DNS suffix for this connection:
[CHECKED] Register this connection's addresses in DNS
[UNchecked] Use this connection's DNS suffix in DNS registration.
However, i'm not sure if any of this matters cuz we can't get to goolge.com, ie a FQDN.
More info
We disabled IPv6 for now for debug. So everything reported in here is with IPv6 off.
nslookup works reliably, on google.com and everything else.
However,
ping -4 google.com
says
Ping request could not find host google.com
And browsing says DNS error.
Now, I have learned that nslookup has its own DNS client, separate from Windows. Which would lead me to believe that nslookup's DNS client is fine, and Windows is corrupted somehow.
Indeed, we can browse google and other sites via IP address fine, just not by name.
ping by IP address works fine. As does tracert by IP address.
Not DirectAccess
The problem does not appear to be DirectAccess :
netsh dns show state
reports (among other things)
Network Location Behavior Never use Direct Access settings
Direct Access Settings Not Configured
Wireshark
A Wireshark capture during nslookup shows name queries.
However a capture doing ping showed no such queries. In fact, no activity at all (other than background). That suggests that the Windows DNS client is not even trying to go out to the internet and translate the name, which would be consistent with its inability to displaydns.
Other notes
The c:\windows\system32\drivers\etc\hosts is empty (only comments).
The problem happens when the DNS server is set to the university's; or when set to google's 8.8.8.8 and/or 8.8.4.4 and/or OpenDNS's 208.67.222.222 and/or 208.67.220.220. Which makes sense given that Wireshark reports that Windows isn't even sending the name query.
The problem happened after a heat crash. However, being able to browse by IP rules hardware problems, except perhaps for HDD corruption. However chkdsk did not report any bad sectors, and sfc did not find any corruption.
We have also uninstalled the Network Adapter in Device Manager and let it re-install automatically. Also checked for updates for this adapter on windows. There weren't any.
The crash means a reboot, so maybe it was a bad windows update. However, there were several reboots before this one and after the most recent windows update.
We've run for rootkit is Malwarebytes Anti-Malware, also their Malwarebytes Anti-Rootkit beta, TDSSKiller, and Comodo Cleaning Essentials (CCE, but it appears not to be updated).
Have not tried in safe mode with networking yet.
We are mostly using a university router, however the problem also happens when connected to smartphone's hotspot.
ipconfig reports 5 Tunnel Adapters, but they all report "Media Disconnected". 2 of them look university specific.
ipconfig and device manager both report a Microsoft Virtual WiFi Miniport Adapter. What is this and could it be the problem?
The problem is identical after many reboots of the PC.
It's a laptop, and most of this was done with the wireless connection, but the wired connection appeared to have the same behavior.
Summary
So, it appears Windows DNS client is corrupted or at least malfunctioning in some way, but I'm not sure how to figure out why.
(BTW, i'm writing this on another computer)
Edit:
@Kris wanted to see ipconfig /all
C:\Users\[username]>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : <<<====NOTE NO HOST NAME
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ed*****.***l.edu
Wireless LAN adapter Wireless Network Connection 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . : ed*****.***l.edu
Description . . . . . . . . . . . : Broadcom 802.11n Network Adapter
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.131.2.**(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.128.0
Lease Obtained. . . . . . . . . . : Monday, April 27, 2015 11:32:13 AM
Lease Expires . . . . . . . . . . : Monday, April 27, 2015 11:47:13 AM
Default Gateway . . . . . . . . . : 10.131.0.1
DHCP Server . . . . . . . . . . . : 132.236.56.249
DNS Servers . . . . . . . . . . . : 192.35.82.50
128.253.180.2
132.236.56.250
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : r****.****l.edu
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Reusable ISATAP Interface {CBE4B55D-63C6-460A-82CF-7076427CD2AF}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.e****.****l.edu:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{270C639B-82A2-4AE7-B886-D40DAA7EF798}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.r****.****l.edu:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Edit 2:
Tried
netsh int ip set dns "wireless network connection" static 8.8.4.4
net winsock reset
and reboot and did not change anything.
Tried this excellent site (thanks @Kris) Windows 7: Services – Restore Default Services in Windows 7 and downloaded their DNS_Client.reg (and named it .reg.txt for safety) and compared that to the existing registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache but sadly, they were the same.
Best Answer
We found the answer on edugeek.com and used it as a guide. Our explicit actions are explained below.
The answer on EduGeek is first introduced in post 13 by shoeib who says they got it from that thread, but I see nothing in that thread up to that point that would even hint at that answer.
Post 20 by fencecat42 goes into more detail.
Specifically,
In registry key:
The following "values" (as MS confusingly terms them, each of which can have "data") are missing
All three were missing on both fencecat42's and our system.
Now, kudos (well, almost ;) @Kris because there was evidence of this problem in the
ipconfig /allthat they asked me to post. Notice in my posted output there is noHost Name. This is one and the sameHostnamefrom the registry.I am hesitant to edit the registry, because one stray keystroke could make your system unbootable, in which case hopefully you have made a system restore or made a copy of your registry (my favorite ways are ERUNT and Tweaking.com Windows Repair All-In-One (which includes a registry save tool) (I found out about these tools at techsupportalert.com))
So to set the
Hostname, we simply went into Control Panel -> System. (Often the "Change Settings" link is not visible in the first screen; you have to scroll down. This step requires UAC authorization. After setting it you have to reboot.)This action sets both the
HostnameandNV Hostname"values" in the registry.We could not find a non-regedit way of editing the
Domain"value". (Maybenetdombut we didn't have this on this Windows 7 Home Premium system.) So we used the registry to setDomainto an empty value. We usedregedit, navigated to theTcpip/Parameterskey, right click -> New -> String Value. That creates a new "value" and sets you up to type its name, changing the default new name. Then we did not have to create an actual "data" for this "value" (again pardon MS's counter-intuitive terms). Just created it and left its "data" uninitialized.Note: we tried networking after setting JUST the Hostname's. Did not work. the
Domain(even empty) was required. We did not try with Domain created (and empty) but without creating and setting the Hostname's. But I think that's an interesting experiment.Reflections
First,
I don't remember now, but I suspect we tried Microsoft's "How to reset TCP/IP by using the NetShell utility" which is
(or whatever path and filename you want for the log file).
And that MS page says this:
Perhaps, this reinstall process overwrites those registry keys, and fails to write the Hostname's and Domain? Maybe?
If so, then what really worked for us is doing the MS ip reset, THEN setting those registry keys.
Second,
Our problem appeared after rebooting after a crash due to heat. Hard to connect that event to the problem. One possibility is that the heat crashed a small number of blocks of the disk and one of those block happened to be holding part of the Tcpip registry key values. Unlikely, but I guess possible.
Or, if that re-installing TCP/IP was necessary, that the disk blocks corrupted the TCP/IP service, and we had to re-install it and then fix it up after.
Third,
This is quite an interesting result. What this means is that the Windows DNS Client looks for either
Domainor 2 or all 3 of these "values" in the registry. And if it finds it (them), it's fine. If it doesn't find them, specifically if it does not find theDomain, it errors out and simply fails. No error report [1].I think we can conclude from this evidence that this is a bug in the Windows DNS Client. We can prove this because it works with an empty Domain value, that means the software can't really be using it, which means why would it require it to exist (even empty) to function properly? That's a bug.
[1]Fourth,
There might have been an error report, but not in the Event Viewer in the common places (under the hierarchy: Event Viewer (Local) -> Windows -> Application, and System). There are other logs, many not turned on by default, that might have had some output, especially
but also possibly
Fifth,
After MANY hours surfing this problem, it seems this problem is usually hard to debug and is something "weird".
For example in this post at spiceworks, the problem was an expired certificate in a DNS server.
Poster "Galen in Laguna" at spiceworks suggested a way to completely uninstall the TCP/IP stack in Windows 7 and let Windows reinstall it. I suspect that would have worked in our case, because it would have restored the
Tcpipregistry key. (But see the MS post above.)Poster ILS at spiceworks suggested that the
afd.sysdriver might have a Trojan or be corrupted in some way, and suggested how to replace it. (afdstands for "Ancillary function driver" for Winsock.)This superuser post Why is 'ping' unable to resolve a name when 'nslookup' works fine? where the question had 35 upvotes and the best answer 27, is a good reference. There, people reported "other solutions for them" including:
Also, people report this problem can be caused by "rootkits". I would suggest anyone struggling with this problem to run a few rootkit scanner/removers. bleepingcomputer.com is a good place to get advice. Or read Gizmo's Best Free Rootkit Scanner/Remover at techsupportalert.com
Sixth,
There's evidence in forums that this problem goes unsolved most often.
One of those posters, "Galen in Laguna", at spiceworks said that's what they usually have to do.
That same superuser post Why is 'ping' unable to resolve a name when 'nslookup' works fine? where the question had 35 upvotes and the best answer 27, the best answer author said, "Some sites also recommend uninstalling and reinstalling SP3 in this case."
And, This poor superuser who tried everything, got no answer, and after 18 days had to repair install
Seventh,
Helpful hint if this does not solve your problem: When searching the internet for Windows DNS problems, be aware that a lot of posts are talking about a Windows server functioning as a DNS server. Our issue was that we had a plain old PC connected via a router to the internet and our DNS client software was not working. Sometimes reading posts I missed that distinction.
Eighth,
Another helpful hint if you go searching: many problems of this sort we found posted had attributes we did NOT have:
I hope our answer helps someone else.