Thread: DNS

    #1 (Registered User, joined Sep 2012, 7 posts)

    DNS name resolution


    Hello,

    Thank you for reading my post.

    I'm working in a mixed Linux/Windows environment.
    I have a Debian server "S" acting as a DHCP server, DNS server and Samba server, and some (mostly Windows) client machines.
    All these machines belong to the same LAN, to the same name domain and to the same Samba domain.

    - Machines either get their IP address via DHCP or have a statically assigned IP address.
    - For each statically assigned IP address, there is a record (hostname, IP) and the reverse record in the appropriate DNS zone files.
    - For DHCP-assigned addresses, the DNS zone files are dynamically updated by the DHCP server.
    - Every machine is part of the Samba domain and has been added to "smbpasswd".

    Now, my problem is the following: I suddenly realized I do not properly understand how names are resolved. Here is why:

    - On Windows machines with static IP addresses, I used to set the DNS name server to "S" in the network interface configuration.
    - For dynamically allocated IP addresses, it was also set that way in "dhcpd.conf" by means of the "ddns-domainname", "ddns-rev-domainname"... attributes.

    Now, on one machine, none of the DNS servers is set to "S" in the network interface, and yet name resolution is working "properly".
    On this machine, I can do an "nslookup":

    Code:
    cmd.exe> nslookup <another_machine_name_in_the_domain>
    Server:  dns-abo-static-a.wanadoo.fr
    Address:  80.10.246.2

    *** dns-abo-static-a.wanadoo.fr can't find <another_machine_name_in_the_domain>: Non-existent domain

    (a message which I understand...)
    and yet I can ping the name <another_machine_name_in_the_domain>
    and access all the shares on that <another_machine_name_in_the_domain>.

    If I do the same thing on a machine for which I have the DNS server set to "S", here is what I get:

    Code:
    cmd.exe> nslookup <another_machine_name_in_the_domain>
    Server:  S.my.domain.name
    Address:  x.y.z.w1

    Name:    <another_machine_name_in_the_domain>.my.domain.name
    Address:  x.y.z.w2

    So, in the first case, I do not understand how names are actually resolved.

    I have no such "strange behavior" with Linux machines in my network. It looks like it is a Windows-related problem.

    I also read complex literature about WINS which hasn't helped me a lot:
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#id2580162

    Can you advise a procedure for troubleshooting this or explain the mechanism actually at stake?
    Best regards.
    Last edited by Léa Massiot; September 17th, 2012 at 06:52 AM. Reason: Sent by mistake by pressing the Ok key the first time (including the title) :/
    #2 (Contributing User, joined Aug 2011, 289 posts)
    I assume that S.my.domain.name is your private DNS server, and
    dns-abo-static-a.wanadoo.fr is a public DNS server. Machines that use the private DNS server will be able to get private translations, and public requests will be forwarded to the public server for translation.

    The problem machine has a public server as the default DNS server, and the public server knows nothing about your private domain.

    J.A. Coutts
    #3 (Registered User, joined Sep 2012, 7 posts)
    Hello and thank you for your answer.

    @J.A. Coutts
    You assume right and I totally agree with the process you are describing.
    Yet, I'm still observing a weird behavior which I can't explain. Here is another experiment I ran.

    1) I stopped the "Samba" server on "S".

    2) I stopped the "bind" DNS server on "S".

    3) There is no other domain controller or DNS server on the private network.

    4) I configured a Windows machine "M2"'s Ethernet network interface in the following way:
    a) I set its IP statically: x.y.z.w3 (netmask: 255.255.255.0 ; gateway: x.y.z.1)
    b) I chose: "Use the following DNS server addresses": 80.10.246.129 (which is one of my ISP's DNS IP addresses, a public IP).
    c) In the "Advanced" -> "WINS" tab, I unchecked "Enable LMHOSTS lookup" and chose "Disable NetBIOS over TCP/IP".

    5) Now, there is that other "evil" machine on my network, which is also a Windows machine ("M1").
    Its IP address is x.y.z.w1.
    Even after steps 1) to 4), I can still ping "M1" by its name (ping M1) meaning the name is being resolved somehow...
    Note that I can't access any shares on this machine anymore.

    6) Also note that I can't ping any other machine by their name on the private network!

    To sum up, the only problem that remains is: why is this machine "M1" still pingable by its name after all the things I deactivated on "M2"?
    Do you have any idea what entity could be resolving that name on the network?
    And how can I find out what's happening? Are there any useful tools you could advise me?

    I hope I'm not too messy. Thank you for helping and best regards.

    Note: when the WINS option is set to "Disable NetBIOS over TCP/IP", I can't access machines in the domain.
    If I re-enable it ("Enable NetBIOS over TCP/IP"), I can access machines in the domain again.
    #4 (Registered User, joined Sep 2012, 7 posts)

    About my last note:
    This is the "Computer Browser Service", which cannot operate without the use of NetBIOS over TCP/IP (NetBT).

    ***

    I'm observing something else:
    I can see with "Wireshark" that this "M1" machine is sending lots of broadcast messages whereas other machines don't.
    In particular, I observed "NBNS" queries: "Name query NB <a_machine_name>".
    That machine "<a_machine_name>" was turned off.
    I turned it on.
    After this, there were no broadcast messages anymore...

    Does this mean something?
    I'm just pointing this out because "M1" seems to be behaving differently than the other machines on the network.
    So it might have some kind of service running which I do not manage to identify...

    Thank you and best regards.
    #5 (Contributing User, joined Aug 2011, 289 posts)

    There are 2 different processes at work (maybe 3). One is DNS and its cache. The other is network browsing, which maintains its own cache called the ARP table. The local network communicates using machine names and the MAC address of each network card. When a card joins the network, it advertises its presence using NetBIOS broadcasts, and each machine maintains a record of active machines and their associated IP addresses in its ARP table. The results of that can be seen using the ARP -a command. You will notice that one of the static addresses is the broadcast address, which is defined using the Subnet Mask. All machines must use the same Subnet Mask and NetBios if they are to use the Network Browser. One of the machines on the network will assume the role of Master Browser.

    This is where it can get a little complicated. Starting with Windows Vista, Microsoft introduced something called Linked Layer Topology to browse the network, and these 2 technologies do not work together.

    One way around all these difficulties is to use domain names and DNS for all machines, and forget about network browsing by machine name. This necessitates using the local DNS as the default on all machines.

    J.A. Coutts
    #6 (Registered User, joined Sep 2012, 7 posts)

    Hello, and thanks for your answer and explanations.

    Quote:
    There are 2 different processes at work (maybe 3). One is DNS and its cache.

    What cache are you referring to?
    A cache on the DNS server ("S")?
    A cache on the client machines (like "M1", "M2"...)?

    Quote:
    The other is network browsing, which maintains its own cache called the ARP table.

    I'm not sure I'm following this: as far as I know (and to try not to mix up things too much), ARP has nothing to do with names (neither NetBIOS nor DNS names). It's "only", quote: "a protocol used to associate a layer 3 (Network layer) address (such as an IP address) with a layer 2 (Data Link layer) address (MAC address)".
    I don't see what this has to do with domain name resolution.

    Doing a "arp -a", I could see the broadcast address: x.y.z.255 which type is indeed "static".

    Quote:
    When a card joins the network, it advertises its presence using NetBIOS broadcasts

    With Wireshark, I could see that "M1", whose IP address is x.y.z.w1,
    was broadcasting NBNS packets (using the broadcast address x.y.z.255).
    I got rid of some of these messages by:
    - suppressing a printer which used to be in the network neighborhood but which wasn't anymore,
    - adding a new printer and connecting directly to it (not via this shut down computer I mentioned in post #4 in this thread).

    I could also see packets whose destination IP address was 224.0.0.252. From Wikipedia: 224.0.0.252 is the Link-local Multicast Name Resolution (LLMNR) address.
    I got rid of this by disabling the Link Local Multicast Name Resolution (LLMNR) protocol on both "M1" and "M2" by following this procedure:
    Code:
    cmd.exe> mmc gpedit.msc
    -> "Local Computer Policy"
    -> "Computer Configuration"
    -> "Administrative Templates"
    -> "Network"
    -> "DNS Client"
    "Turn off Multicast Name Resolution"

    I enabled this.
    It's a lot quieter now.

    Quote:
    One of the machines on the network will assume the role of Master Browser

    The Samba server on "S" is set as the "domain", "preferred" and "local" master in its configuration file "smb.conf".
    There is no other domain controller in the LAN.
    But again, not to get too much confused, this has nothing to do with domain names resolution, it has to do with the Windows capability or not to give me access to the machines in my domain, right?

    Ok. And apparently LLTD is even something else... I haven't disabled it for now. I don't know if I will.
    Code:
    cmd.exe> mmc gpedit.msc
    -> "Local Computer Policy"
    -> "Computer Configuration"
    -> "Administrative Templates"
    -> "Network"
    -> "Link-Layer Topology Discovery"
    "Turn on Mapper I/O (LLTDIO) driver"

    Basically, disabling the LLMNR protocol on both M1 and M2 solved my problem (and also sweeping up a few things as explained before).

    Thanks a lot for giving me all these hints, and best regards.
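    The three kinds of lookup traffic discussed in posts #4 and #6 (unicast DNS to "S", NBNS broadcasts to x.y.z.255 on UDP/137, and LLMNR multicast to 224.0.0.252 on UDP/5355) can be told apart by destination address, destination port and packet layout. The decoder below is an added example written for this thread, not code from any poster; it builds a few constructed datagrams of each kind (the capture is invented, the addresses use the 192.0.2.0/24 documentation range in place of x.y.z.0/24, and the hostnames M1 and PRINTER01 are the thread's placeholders) and then classifies them the way one would when reading a Wireshark capture of a chatty client.

```python
# Added example (not from the thread): decode the three kinds of name-lookup datagrams
# discussed here: unicast DNS, NBNS broadcasts on UDP/137, LLMNR multicast on UDP/5355.
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

DNS_PORT, NBNS_PORT, LLMNR_PORT = 53, 137, 5355
LLMNR_GROUP = "224.0.0.252"                      # LLMNR link-local multicast group
NB_SUFFIX = {0x00: "workstation", 0x20: "file server"}   # common NetBIOS suffix bytes

def netbios_encode(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: 15-char space-padded name + suffix byte, one nibble per 'A'+n."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([ord("A") + (b >> 4), ord("A") + (b & 0x0F)])
    return bytes(out)

def netbios_decode(encoded: bytes) -> Tuple[str, int]:
    """Inverse of netbios_encode; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - ord("A"), encoded[i + 1] - ord("A")
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("byte outside the A..P nibble alphabet")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

def read_labels(buf: bytes, off: int) -> Tuple[List[bytes], int]:
    """Read a DNS-style label sequence; a question never carries compression pointers."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            return labels, off
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(buf[off:off + ln])
        off += ln

@dataclass
class NameQuery:
    protocol: str      # "DNS", "NBNS" or "LLMNR"
    name: str
    qtype: int
    detail: str        # meaning of the NetBIOS suffix; empty for DNS/LLMNR

def parse_query(dst_ip: str, dst_port: int, payload: bytes,
                broadcast_ip: str) -> Optional[NameQuery]:
    """Classify one UDP datagram; None for responses and unrelated traffic."""
    if len(payload) < 12:
        return None
    _tid, flags, qdcount, *_ = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or qdcount != 1:           # response bit set, or not one question
        return None
    labels, off = read_labels(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    if dst_port == NBNS_PORT and dst_ip == broadcast_ip:
        name, suffix = netbios_decode(labels[0])
        return NameQuery("NBNS", name, qtype, NB_SUFFIX.get(suffix, hex(suffix)))
    dotted = ".".join(label.decode("ascii") for label in labels)
    if dst_port == LLMNR_PORT and dst_ip == LLMNR_GROUP:
        return NameQuery("LLMNR", dotted, qtype, "")
    if dst_port == DNS_PORT:
        return NameQuery("DNS", dotted, qtype, "")
    return None

def build_nbns_query(tid: int, name: str, suffix: int) -> bytes:
    """Broadcast NB name query; flags 0x0110 = query, recursion desired, broadcast."""
    header = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
    return header + bytes([32]) + netbios_encode(name, suffix) + b"\x00" + struct.pack("!HH", 0x20, 1)

def build_dns_like_query(tid: int, name: str, qtype: int) -> bytes:
    """Standard query; LLMNR reuses the DNS message layout."""
    header = struct.pack("!6H", tid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def sample_capture():
    """Constructed frames (dst_ip, dst_port, payload), not a real capture: a unicast DNS
    lookup to S, then the LLMNR and NBNS fallbacks; 192.0.2.0/24 stands in for x.y.z.0/24."""
    return [
        ("192.0.2.10", DNS_PORT, build_dns_like_query(0x1A2B, "m1.my.domain.name", 1)),
        (LLMNR_GROUP, LLMNR_PORT, build_dns_like_query(0x3C4D, "m1", 1)),     # A
        (LLMNR_GROUP, LLMNR_PORT, build_dns_like_query(0x3C4E, "m1", 28)),    # AAAA
        ("192.0.2.255", NBNS_PORT, build_nbns_query(0x8001, "M1", 0x20)),
        ("192.0.2.255", NBNS_PORT, build_nbns_query(0x8002, "PRINTER01", 0x20)),
        ("192.0.2.255", NBNS_PORT, struct.pack("!6H", 0x8001, 0x8580, 0, 1, 0, 0)),  # a response
    ]

def summarize(frames, broadcast_ip: str) -> List[NameQuery]:
    """Keep only the queries, in capture order."""
    return [q for q in (parse_query(ip, port, p, broadcast_ip) for ip, port, p in frames) if q]
```

    Calling summarize(sample_capture(), "192.0.2.255") yields the DNS query for m1.my.domain.name, two LLMNR queries for the bare name "m1" (A and AAAA) and two NBNS queries (M1 and PRINTER01, both with the 0x20 file-server suffix); the response frame is dropped by the flags check. The order matches what the thread observed: a Windows client that cannot get an answer from DNS falls back to multicast and broadcast name resolution, which is why M1 stayed pingable with the DNS and Samba services on S stopped, and why turning off LLMNR and NetBIOS over TCP/IP made the traffic disappear.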
    #7 (Contributing User, joined Aug 2011, 289 posts)
    Glad to see you resolved your issues, but let me try to answer some of your questions.

    Both the DNS server and the individual machines have a cache to hold DNS resolutions. I was referring to the individual machines.

    Originally, local networks used NetBEUI, which inherently included NetBIOS. These days, most computers use NetBIOS over IP (except those using LLTD). Network browsing uses machine names and MAC addresses, whereas DNS uses domain names and IP addresses. The two are not synonymous. The ARP table is what allows NetBIOS to function using IP addresses. Communication on the local network is entirely by MAC address using the Ethernet protocol. My own Network monitor strips away the Ethernet headers because it intercepts the packets at layer 2. I suspect that Wireshark does the same. You are correct that the ARP table does not hold the machine names, but it is all part of the same process. The machine names can be seen using the "net view" command. These names are recovered from the Master Browser. Prior to Windows XP, every machine had the potential to be the Master Browser, and this indeed did cause conflict and a lot of extra network traffic.

    I am able to communicate on my home network with mixed technologies (NetBIOS/LLTD) by mapping and maintaining the connections that I need. There is however one Vista machine that I cannot communicate directly with because of security restrictions. That one uses UAC (User Access Control), and I have not been able to resolve that issue.

    J.A. Coutts
    #8 (Registered User, joined Sep 2012, 7 posts)

    Hello and thank you for your answer.

    Quote:
    Both the DNS server and the individual machines have a cache to hold DNS resolutions. I was referring to the individual machines.

    On Windows machines, is this the cache that can be displayed using the following command?
    Code:
    cmd.exe> ipconfig /displaydns

    (And the command to flush it: ipconfig /flushdns)

    Quote:
    These days, most computers use NetBIOS over IP (except those using LLTD).

    Well, LLTD is "Not configured" on my computer.
    The comment says: "If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.". Yet, I don't know what is the default behavior.
    If I go to:
    "Control Panel\All Control Panel Items\Network Map"
    I get:
    "Windows cannot discover any computer or device"
    If I enable LLTD I get the same result.

    Quote:
    Communication on the local network is entirely by MAC address using the Ethernet protocol.

    Ok. "Ethernet" refers to layer 1 and layer 2 only. It's neither about IP nor domain names... if I'm not mistaken...

    Quote:
    My own Network monitor strips away the Ethernet headers because it intercepts the packets at layer 2. I suspect that Wireshark does the same.

    No, I don't think that Wireshark strips away any headers...
    When taken out of the box (which is my case), Wireshark intercepts lots of things (if not everything): ARP, ICMP, UDP, TCP, BROWSER, DNS... network traffic without stripping anything... I guess.
    But maybe I didn't understand your remark...?
    What is your network monitor?

    Thank you and best regards.
    #9 (Contributing User, joined Aug 2011, 289 posts)

    Layer 1 is the physical layer, and layer 2 is the Data Link Layer. TCP is embedded inside IP, which is embedded inside Ethernet, and each has its own set of headers. The Ethernet card receives all traffic on the network, and if set into promiscuous mode will show all packets being transmitted on the network. Layer 2 organizes the data into frames and handles error control. The normal output only shows traffic destined for its own MAC address. If your monitor does not show the headers for the Ethernet frames, then they have already been stripped, and in reality there is not a lot of useful information in the Ethernet headers. The Monitor that I use is one that I wrote, and is capable of setting the Ethernet card into promiscuous mode. All of the protocols that you mentioned are IP protocols.

    I can't comment on LLTD very much, except to say that it has been a real pain in the butt for me. I don't use any of the extended functionality that it provides.

    I believe the DNS cache that you have identified was added with XP. It has done a lot to reduce traffic to DNS servers, but it can be a pain when trying to troubleshoot DNS problems. Some utilities such as Nslookup bypass the cache.

    J.A. Coutts
    #10 (Registered User, joined Sep 2012, 7 posts)
    Hello.

    Thanks to your explanations it's much clearer to me now.
    I don't plan to use LLTD either and I agree with you all these "gadgets" make it harder for us to troubleshoot DNS problems.

    Thank you very much for these useful and detailed comments.
    Best regards.
