Wireshark-users: Re: [Wireshark-users] DNS Working but can't connect to anything

From: "Frank Bulk" <frnkblk@xxxxxxxxx>
Date: Sun, 25 Jan 2009 15:35:02 -0600

You might want to see if Microsoft’s latest netmon, which can record IP transactions on a per-process basis, shows where things are getting stuck with Window’s PING.

 

Frank

 

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of staedtlerx
Sent: Sunday, January 25, 2009 2:59 PM
To: hlug090104@xxxxxxxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] DNS Working but can't connect to anything

 

I'm on Windows but I downloaded dig for Windows. It shows that I can reach my DNS and get an answer. All my interfaces (including the working one) point to my gateway (192.168.0.1) for DNS.

$ ./dig.exe @192.168.0.1 google.com
socket.c:1589: completeio_send: 192.168.0.1#53: The request was aborted.

socket.c:1591: unable to convert errno to isc_result: 1235: The request was aborted.
; <<>> DiG 9.3.2 <<>> @192.168.0.1 google.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1901
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 2

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             90      IN      A       72.14.205.100
google.com.             90      IN      A       74.125.45.100
google.com.             90      IN      A       209.85.171.100

;; AUTHORITY SECTION:
google.com.             101620  IN      NS      ns4.google.com.
google.com.             101620  IN      NS      ns2.google.com.
google.com.             101620  IN      NS      ns3.google.com.
google.com.             101620  IN      NS      ns1.google.com.

;; ADDITIONAL SECTION:
ns1.google.com.         327350  IN      A       216.239.32.10
ns3.google.com.         296060  IN      A       216.239.36.10

;; Query time: 31 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Jan 25 15:52:00 2009
;; MSG SIZE  rcvd: 180


On Sun, Jan 25, 2009 at 3:27 PM, Rik <hlug090104@xxxxxxxxxxxxxx> wrote:


On Sun, 2009-01-25 at 15:04 -0500, staedtlerx wrote:
> Hello All,
>
> I thank you ahead of time if you read all this - I'm having a very
> strange network problem and someone recommended Wireshark for
> debugging it - and it's quite amazing! It's provided some insight but
> I am not that familiar with low-level TCP/IP stuff so I don't know
> what to make of it all. I was hoping someone could provide some more
> insight or any hints for further debugging.
>
> I am using a Sony Vaio Laptop with Windows XP SP2. It has internal
> WiFi, which works fine; Goes on the internet, etc. I'm sending this
> email with it right now. I have 4 other ways of connecting the laptop
> to the internet: 2 PCMCIA wifi cards and 2 wired ethernet connections.
> These 4 other connections all behave exactly the same: They *appear*
> to not have DNS (more on that later) and and they cannot access any
> remove server by hostname. They CAN access any remote server by IP
> address e.g. can browse to http://74.125.45.100 but not
> http://google.com. However, they CAN access remote server by name if I
> put an entry in my hosts file. This would lead most people to believe
> that my DNS is not working correctly. I also get "Ping request could
> not find host" when trying to ping a hostname. Again, would make you
> think DNS was not working. However, the problem is not that simple.
> All 5 connections have the same gateway, dns, etc - yet the internal
> wifi works and the 4 others don't. I've tried every sort of winsock
> reset, reinstalling, dns cache clearing, etc. I've tried driver
> upgrades, downgrades, etc. I've tried everything in safe mode. I've
> tried connecting my laptop to my cable modem directly and I've also
> tried through my Wifi router. The problem definitely lies within my
> Windows software - not hardware, router, firewall, or ISP. The monkey
> wrench is that I have the one internal wifi connection thats works!
>
> Now, more on the part about *appearing* not to have DNS: I figured
> something, somewhere, was messing with my DNS (lord knows why on only
> 4/5 connections). This is when I got Wireshark for some deeper
> insight. Snooping with Wireshark, I can see that hostnames actually DO
> resolve to their IP. I can see a response from my gateway with the IP
> address then I get an ICMP failure "Destination Unreachable":
>
> 192.168.0.2 -> 192.168.0.1 - DNS Standard query A google.com
> 192.168.0.1 -> 192.168.0.2 - DNS Standard query response A
> 72.14.205.100 A 74.125.45.100 A 209.85.171.100
> 192.168.0.2 -> 192.168.0.1 - ICMP Destination unreachable (Port
> unreachable)
>
> Stange thing is that when pining, it shows no sign of the hostname
> ever getting resolved:
>
> c:\>ping google.com
> Ping request could not find host google.com. Please check the name and
> try again.
>
>
> When pinging from the WORKING connection, instead of the ICMP failure,
> I get:
>
> 192.168.0.2 -> 192.168.0.1 - DNS Standard query A google.com
> 192.168.0.1 -> 192.168.0.2 - DNS Standard query response A
> 72.14.205.100 A 74.125.45.100 A 209.85.171.100
> 192.168.0.2 -> 72.14.205.100 - ICMP Echo (ping) request
> etc
>
>
> I'm looking for insight into what "Destination unreachable" means
> exactly, where the message from (laptop or remote host), and leads on
> more research.
> ANY insight would be most helpful. However, please skip over the basic
> "ipconfig" debugging please - I've been going through that for over a
> week.
>
> Thank you!
>

> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

I'm no DNS expert but clearly this is a DNS issue. Just because one
device is able to resolve names you can't be sure how it is doing so.
It may be that it's looking to a different resolver/name server or has
the common results like 'google' cached.

Enough of the helpless stuff that you probably already know. I would
look to see what name servers you are using; Assuming Linux;

less /etc/resolv.conf
and look to see what the defined name servers:

nameserver 4.2.2.2
nameserver 4.2.2.3
#Check yours are here

TRY
dig a google.com
#assuming you have dig installed

If this resolves then check your OS is not using something like Netmanager (Netmangler spit) and messing with your settings.
It may also be worth checking any DHCP config files to see if they are using *different* name servers.

With dig installed and doing this:
dig @4.2.2.2 google.com
You should get some sane response but remember the results will be cached.
This neat trick will force DNS lookups against non existent domains:

dig @4.2.2.2 $RANDOM.$RANDOM.com
avoiding any cached results and testing DNS (this with a Verizon server in the USA)

DNS uses both TCP and UDP, with UDP being the usual method for speed and lighness. Make sure you are not blocking UDP traffic at the firewall.
As it's connectionless you will need to allow it back in too. Outbound it will target destination port 53. Often it can get *out* but the answers
can't get back.

In summary: nail down if you are;
Looking at the right resolver (/etc/resolv.conf)
Can get *any* response from other DNS servers (network issue) using dig @4.2.2.2 google.com

I'm sure an expert will be along soon to clear this up for you.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe