Thread: DNS Woes...

  1. #1
    T-Shirt Guy ehidle's Avatar
    Join Date
    Jul 2008
    Location
    Lansdale, PA
    My Bikes
    2005 Fuji Team Issue, 2007 Fuji SL-1
    Posts
    464

    DNS Woes...

    Okay, so I have these two machines hanging off of an access point which is connected via WDS to another access point, which is then connected to a wired LAN, router, and out to the series of tubes...

    One of the two machines works just fine... but the other can't do DNS lookups. It doesn't matter what IP address I stuff into the workstation, or which DNS servers I tell it to use. If it attempts a DNS lookup at all, it fails.

    It looks as if the DNS transaction is making it through the router. In this case, the misbehaving workstation has ip 192.168.2.31.


    Router Internal Interface:
    14:18:58.078610 192.168.2.31.1060 > $DNS_SERVER.domain: 5+ A? cnn.com. (25)
    14:18:58.095962 $DNS_SERVER.domain > 192.168.2.31.1060: 5 4/0/0 A 157.166.224.25, A[|domain] (DF) [tos 0x40]
    14:19:00.065339 192.168.2.31.1061 > $DNS_SERVER.domain: 6+ A? cnn.com. (25)
    14:19:00.082952 $DNS_SERVER.domain > 192.168.2.31.1061: 6 4/0/0 A 157.166.224.26, A[|domain] (DF) [tos 0x40]

    Router External Interface:
    14:18:58.078657 $EXTERNAL_IP.1060 > $DNS_SERVER.domain: 5+ A? cnn.com. (25)
    14:18:58.095935 $DNS_SERVER.domain > $EXTERNAL_IP.1060: 5 4/0/0 A 157.166.224.25, A[|domain] (DF) [tos 0x40]
    14:19:00.065396 $EXTERNAL_IP.1061 > $DNS_SERVER.domain: 6+ A? cnn.com. (25)
    14:19:00.082907 $DNS_SERVER.domain > $EXTERNAL_IP.1061: 6 4/0/0 A 157.166.224.26, A[|domain] (DF) [tos 0x40]


    Windows Firewall is OFF, and there are no other firewall programs installed. You can see the DNS answer being sent from the router to the workstation in red.

    So... what gives? Either the answer packet just isn't getting sent over the wireless link (but all other traffic is), or the workstation is receiving the answer and not understanding it, or possibly something else?

    If I tell the browser to use the on-site squid proxy, everything works fine because the proxy does the DNS lookup. Every other machine on the network is working just fine, which leads me to believe the problem lies with this machine. It's brand new, just built the other day.

    It's bizarre, so I'm hoping one of you sysadmins here will have seen something like this in your travels.
    Yellow + Blue Jerseys!

    Get your Cranky T-Shirt!
    Men's
    and Women's designs available
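The router-side check the first post does by eye, as an added example that is not part of the thread: it pairs each DNS query in a tcpdump text capture with its reply by client address, source port and query ID, and lists lookups that never got an answer. The sample lines are constructed from the thread's trace, with 192.0.2.53 standing in for $DNS_SERVER and query 7 invented to show the unanswered case.

```python
import re

# Constructed sample in the old tcpdump text format shown in the thread.
# 192.0.2.53 is a stand-in for the thread's $DNS_SERVER placeholder, and
# the last query (id 7) is invented here to show an unanswered lookup.
SAMPLE = """\
14:18:58.078610 192.168.2.31.1060 > 192.0.2.53.domain: 5+ A? cnn.com. (25)
14:18:58.095962 192.0.2.53.domain > 192.168.2.31.1060: 5 4/0/0 A 157.166.224.25, A[|domain] (DF) [tos 0x40]
14:19:00.065339 192.168.2.31.1061 > 192.0.2.53.domain: 6+ A? cnn.com. (25)
14:19:00.082952 192.0.2.53.domain > 192.168.2.31.1061: 6 4/0/0 A 157.166.224.26, A[|domain] (DF) [tos 0x40]
14:19:02.070001 192.168.2.31.1062 > 192.0.2.53.domain: 7+ A? cnn.com. (25)
"""

# Old-style tcpdump DNS line: time src.port > dst.port: id[flags] rest
LINE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
    r"(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<flags>[+*\-|$%]*) (?P<rest>.*)$"
)
COUNTS = re.compile(r"^(\d+)/(\d+)/(\d+)")  # answer/authority/additional
DNS_PORTS = {"domain", "53"}


def _seconds(m):
    """Timestamp of a matched line as seconds since midnight."""
    return int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])


def pair_dns(trace):
    """Match each DNS query to its reply by (client IP, client port, query ID)."""
    pending, results = {}, []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a DNS line in this format
        if m["dport"] in DNS_PORTS:  # client -> server: a query
            entry = {"client": m["src"], "port": m["sport"], "id": int(m["id"]),
                     "question": m["rest"].rsplit(" (", 1)[0],
                     "answered": False, "rtt_ms": None,
                     "answers": None, "decode_truncated": False}
            pending[(m["src"], m["sport"], m["id"])] = (entry, _seconds(m))
            results.append(entry)
        elif m["sport"] in DNS_PORTS:  # server -> client: a reply
            hit = pending.pop((m["dst"], m["dport"], m["id"]), None)
            if hit is None:
                continue  # reply whose query is outside the capture
            entry, sent = hit
            counts = COUNTS.match(m["rest"])
            entry["answered"] = True
            entry["rtt_ms"] = round((_seconds(m) - sent) * 1000, 3)
            entry["answers"] = int(counts.group(1)) if counts else 0
            # "[|domain]" means tcpdump's snaplen cut its decode short; a
            # truncated DNS message (TC bit) would show as "|" after the ID.
            entry["decode_truncated"] = "[|domain]" in m["rest"]
    return results


def unanswered(trace):
    """Queries seen on this interface that never got a matching reply."""
    return [r for r in pair_dns(trace) if not r["answered"]]


if __name__ == "__main__":
    for r in pair_dns(SAMPLE):
        state = f"{r['rtt_ms']} ms, {r['answers']} answers" if r["answered"] else "NO REPLY"
        print(f"{r['client']}:{r['port']} id={r['id']} {r['question']} -> {state}")
```

Run it over captures taken at the router and at the affected workstation: a query that is answered at the router but unanswered at the workstation places the loss on the wireless path or in the host's receive path.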

  2. #2
    Senior Member hos13's Avatar
    Join Date
    Mar 2007
    Location
    552 LATA
    My Bikes
    2007 Mercier Sperns (I'm a shill) and a 99 Diamondback Invert
    Posts
    778
    I had a virus not too long ago that would not allow me to do a DNS lookup. Have you run "mrt" and checked the machine for viruses?
    "Don't give up, don't ever give up" jimmyv

  3. #3
    T-Shirt Guy ehidle's Avatar
    I doubt it has a virus. It's a brand new machine that had AV installed before it was ever on a network.

  4. #4
    call me T.J.
    Join Date
    Jul 2008
    My Bikes
    trek 820
    Posts
    361
    Have you tried performing a manual query using nslookup? (Use the "server x.x.x.x" command to specify a particular DNS server once you're in the client.)

  5. #5
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by tjwarren View Post
    Have you tried performing a manual query using nslookup? (Use the "server x.x.x.x" command to specify a particular DNS server once you're in the client.)
    Yep. It doesn't matter what server I send it to.

  6. #6
    Senior Member hos13's Avatar
    On older Windows machines we would just re-install TCP/IP, not sure if that is necessary anymore.

    Try putting wireshark on the machine that is having problems and see if you're getting a response from the DNS server.

  7. #7
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by hos13 View Post
    On older Windows machines we would just re-install TCP/IP, not sure if that is necessary anymore.

    Try putting wireshark on the machine that is having problems and see if you're getting a response from the DNS server.
    Yeah I tried these too. For some reason I cannot uninstall TCP/IP on this adapter, and Winpcap can't put it in promiscuous mode.

    I also tried reinstalling the NIC driver for the WLAN card, but no luck there, either. It's baffling.

  8. #8
    Senior Member GraysonPeddie's Avatar
    Join Date
    Jul 2009
    Location
    Tallahassee, FL 32304, USA
    My Bikes
    Trek Pure Trike (recently bought)
    Posts
    353
    Computer <-> Access Point <-> Access Point <-> router <-> Internet... Am I getting this right?

    Series of tubes... Do you mean it is sent through either cable modem, DSL, fiber (FIOS, U-Verse), etc.?

    Are your two access points in the same subnet? What I mean is, your access point's IP address must be within the subnet:

    (network.network.network).host
    Code:
    Subnet(255.255.255.0)
    {
        Router.IP = 192.168.1.1
        Router.Subnet = 255.255.255.0
        Router.ConnectsTo(Internet)
    
        AccessPoint1.IP = 192.168.1.2
        AccessPoint1.Subnet = 255.255.255.0
        AccessPoint1.ConnectsTo(Router)
    
        AccessPoint2.IP = 192.168.1.3
        AccessPoint2.Subnet = 255.255.255.0
        AccessPoint2.ConnectsTo(AccessPoint1)
    }
    Did you specify a DNS server in any of the access points?

  9. #9
    T-Shirt Guy ehidle's Avatar
    The Series of Tubes was a Ted Stevens joke hehe..

    Computers 1 and 2 <--> AP/WDS <---~~~---> AP/WDS <=====> Router <==//==> Cable Modem

    The network is flat, and it's a WDS WLAN so the APs do not route (they are not even capable of routing). Keep in mind that Computer 1 works just fine, but Computer 2 cannot resolve hostnames.

    Addresses and DNS server IPs are handed out by the router (which is a Linux box).

  10. #10
    T-Shirt Guy ehidle's Avatar
    So, I decided to crawl up into the attic and bring the AP down and plug the finicky computer into its 10/100 port directly - and DNS seems to work fine over the PC's LAN interface.

    Interesting indeed.

  11. #11
    call me T.J.
    So you've tried nslookup and got... nothing? No response on any host from any server?

    Is DNS the only service affected? Can you ping? Access a web-page by ip? Telnet?


    What happens if you manually assign an IP address (an address that's different from the one DHCP is assigning)? Perhaps there are some strange routing/firewall rules in place. (try another address, and then try giving PC1's address to PC2).

  12. #12
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by tjwarren View Post
    So you've tried nslookup and got... nothing? No response on any host from any server?

    Is DNS the only service affected? Can you ping? Access a web-page by ip? Telnet?


    What happens if you manually assign an IP address (an address that's different from the one DHCP is assigning)? Perhaps there are some strange routing/firewall rules in place. (try another address, and then try giving PC1's address to PC2).
    Nothing at all. It's weird, I know. Everything works _except_ DNS. What's really strange is that DNS works on the LAN interface, but not the wireless interface. I own the firewall and router rules, and there's nothing there that would interfere with DNS.

    It's doubly weird that WireShark can't bind to the wireless interface. It almost says "I've been rooted," but this machine was never on a public network - ever. It just doesn't make sense.

    There aren't a whole lot of configuration options for the WLAN card, either, and certainly none that would call out "hey, I'll kill DNS if I'm not set right."

  13. #13
    call me T.J.
    It's very strange that everything would work except for UDP 53.

    Are DNS requests going out? Or just not coming back in?

    Have you tried swapping the IP addresses?


    What does wireshark say when you try to bind to the wireless adapter? And you say that you "cannot uninstall TCP/IP on this adapter" -- what does that mean? Are you getting any error messages? Or does it just simply not work?

  14. #14
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by tjwarren View Post
    It's very strange that everything would work except for UDP 53.

    Are DNS requests going out? Or just not coming back in?

    Have you tried swapping the IP addresses?


    What does wireshark say when you try to bind to the wireless adapter? And you say that you "cannot uninstall TCP/IP on this adapter" -- what does that mean? Are you getting any error messages? Or does it just simply not work?
    Ok, to clarify:

    If you look at the packet traces, the DNS replies are for sure leaving the router for the machine.

    Wireshark returns an error saying it cannot put the wireless interface into promiscuous mode (which usually only happens if some other process has the interface in promiscuous mode already - hello rootkit - but again, it doesn't make sense).. but also, wireshark ships with the beta WinPCap, so that's another possible issue there. But, at the end of the day, I don't know how far the DNS reply is making it up the stack of the machine.

    "Cannot uninstall" in this case means the "Uninstall" button isn't available (grayed out) when the TCP/IP protocol is selected. I did do an uninstall and reinstall of the entire WLAN NIC driver, but that didn't help, either.

    It doesn't matter what IP address I give to this box.

    I'm going to go sleep on it... maybe something will hit me in my dreams...

  15. #15
    Senior Member
    Join Date
    Aug 2006
    Posts
    998
    I've seen some third party firewall stuff block 53. Also, if on Vista, check the advanced firewall settings for any screwy deny lists (start->run->wf.msc).

  16. #16
    call me T.J.
    Quote Originally Posted by ehidle View Post
    DNS replies are for sure leaving the router for the machine.
    DNS 'replies': so, requests are getting out but responses are not getting in?

    Quote Originally Posted by ehidle View Post
    Wireshark returns an error saying it cannot put the wireless interface into promiscuous mode
    Can I get the error message?

    Have you tried WinDump (Windows port of tcpdump) instead of WireShark?

    Quote Originally Posted by ehidle View Post
    "Cannot uninstall" in this case means the "Uninstall" button isn't available (grayed out) when the TCP/IP protocol is selected. I did do an uninstall and reinstall of the entire WLAN NIC driver, but that didn't help, either.
    For the uninstall/reinstall: did you do this through Device Manager, or did the driver have an uninstall utility? When doing it with Device Manager, did you reboot before you reinstalled the driver?

    Does your account have local admin rights?


    SysInternals has a rootkit scanner, called RootKitRevealer. It looks like Sophos also has one, though I haven't used it.



    Perhaps the NIC is faulty; do you have a spare? Is this a desktop machine? Can you simply run a cable up into your attic?

  17. #17
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by tjwarren View Post
    DNS 'replies': so, requests are getting out but responses are not getting in?
    Yes, if you examine the packet trace in my OP, you can see that the request goes out (two actually), and the two replies come back through the router and go out to the requesting machine, but they never make it up the stack.

    The machine just times out doing an nslookup.

    Quote Originally Posted by tjwarren View Post

    Have you tried WinDump (Windows port of tcpdump) instead of WireShark?
    Nope, haven't heard of it, but I'll give it a try. I've always liked tcpdump.

    Quote Originally Posted by tjwarren View Post

    For the uninstall/reinstall: did you do this through Device Manager, or did the driver have an uninstall utility? When doing it with Device Manager, did you reboot before you reinstalled the driver?
    Device Manager, and yeah, I rebooted.

    Quote Originally Posted by tjwarren View Post
    Does your account have local admin rights?
    Of course.

    Quote Originally Posted by tjwarren View Post

    SysInternals has a rootkit scanner, called RootKitRevealer. It looks like Sophos also has one, though I haven't used it.
    I'll humor the proposition, but I would think a root kit would have encapsulated DNS requests on all interfaces, and probably have done other things like modify the hosts file. Avast didn't find anything on the machine, and Avast is exceedingly good at finding rootkits.

    Quote Originally Posted by tjwarren View Post
    Perhaps the NIC is faulty; do you have a spare? Is this a desktop machine? Can you simply run a cable up into your attic?
    That's possible, I guess, but I don't know why a faulty NIC would only fail at receiving DNS replies. Everything else seems to work just fine. I suppose I *could* run a cable to the attic, but that's not really fixing the problem. :-/

  18. #18
    T-Shirt Guy ehidle's Avatar
    Quote Originally Posted by mlts22 View Post
    I've seen some third party firewall stuff block 53. Also, if on Vista, check the advanced firewall settings for any screwy deny lists (start->run->wf.msc).
    It's an XP box and there's no third party firewall on it...

    I wish it were that simple hehe...

  19. #19
    T-Shirt Guy ehidle's Avatar
    update: RootKitRevealer found nothing to be worried about

  20. #20
    call me T.J.
    I don't think a rootkit is especially likely, but you mentioned it a few times so I figured I'd pass you some links.


    Does DNS from the working PC give a packet trace similar to the one given in your original post? Perhaps the AP is offering DNS services (which PC1 is using), but not passing DNS replies (which PC2 is expecting)?


    No, running a cable isn't an ideal solution, but you've already determined that it will work. How much time are you willing to invest in this?


    As to uninstalling TCP/IP, some further digging reveals:

    From Petri (and KB299357):
    In Windows XP, the TCP/IP stack is considered a core component of the operating system; therefore, it is not possible to uninstall TCP/IP in Windows XP.
    . . .
    In Windows XP, a reset command is available in the IP context of the NetShell utility: netsh int ip reset resetlog.txt

  21. #21
    call me T.J.
    Also, are there any pertinent errors in your Event Viewer?

  22. #22
    call me T.J.
    If the netsh reset doesn't work, I see several recommendations for WinSockXPFix. I have not used it, however.

  23. #23
    T-Shirt Guy ehidle's Avatar
    Hey tjwarren, thanks a million for the help. The WinSockXPFix did the trick, even though it had some unintended consequences. The weirdness continues.

    So, DNS lookups are working now, but the machine cannot communicate with any other machine on the local subnet over the wireless adapter (but OK on the wired adapter). One thing the fix seemed to do is turn on TCP/IP filtering and set everything to Permit Only. I cleared all that out, but there still seems to be an issue communicating on the local net.

    Windows is very non-intuitive to a traditional Linux user, so I definitely appreciate your pointers thus far.

    *oh and I checked the event viewer, and aside from some errors from the video driver, there's nothing interesting..

    edit: I take it back. It seems to have un-fixed itself and now it's doing the same crap again. UGH. Something really funky is going on here. I might just flatten it and start over. Heh...
    Last edited by ehidle; 07-21-09 at 11:37 AM.

  24. #24
    Senior Member GraysonPeddie's Avatar
    Can't you do a clean reinstall of Windows in the wireless computer? This is only a last resort once you back up all your data.

    If you have plenty of hard disk space in your Linux box, you might want to set up a Samba server, create a folder to share, and back up all your files in there.

    I do a lot of networking on my part, but I'm afraid I'm running out of ideas and solutions to your DNS woes... I do know how to set up BIND9 and dhcp3-server in a Linux box, including setting up a Linux box as a router, but I do use Webmin to do the routing part. I might be thinking that the AP is causing a problem, but I'm not sure what is causing it (even if it's acting as a "wireless" switch, aka access point)...

  25. #25
    derailleurs are overrated bigbenaugust's Avatar
    Join Date
    Feb 2005
    Location
    KIGX
    My Bikes
    2009 Motobecane Fantom CX, 2011 Windsor Shetland mini-velo, 2012 Motobecane Fantom Cross Uno SSCX
    Posts
    1,691
    Quote Originally Posted by ehidle View Post

    edit: I take it back. It seems to have un-fixed itself and now it's doing the same crap again. UGH. Something really funky is going on here. I might just flatten it and start over. Heh...
    I say we take off and nuke the entire machine from orbit. It's the only way to be sure.
    --Ben
    Carrboro Bike Coalition - putting the "bike" in "CARrboro" :)
    2011 Motobecane Fantom Cross Uno, 2009 Motobecane Fantom CX
    Previously: 2000 Trek 4500 (2000-2003), 2003 Novara Randonee (2003-2006), 2003 Giant Rainier (2003-2008), 2005 Xootr Swift (2005-2007), 2007 Nashbar 1x9 (2007-2011), 2011 Windsor Shetland (2011-2014)
    Current Linux Usage (by machine): Arch: I Debian: II openSUSE: I
