dig fails but ping works

I admit I'm fumbling in the dark but please advice...

Why can I ping a hostname that doesn't resolve to anything, e.g.
notl337.net, but the echos are coming from my DNS server? (This
happens regardless of hostname as long as it's unresolved.) However,
if I try to look up the hostname using 'dig' or 'host', I get no
answer.

I think I understand that ping works differently from dig in the sense
that ping uses gethostbyname() but I really don't see why that would
give different behaviours. And please don't rant about ping not being
a tool for hostname lookups, at least I know that much.

Can someone explain? I've tried to RTFM but haven't found anything
yet.

Thanks!
p

On 5 Dec 2003 09:38:31 -0800, piggy <(E-Mail Removed)> wrote:
>I admit I'm fumbling in the dark but please advice...
>
>Why can I ping a hostname that doesn't resolve to anything, e.g.
>notl337.net, but the echos are coming from my DNS server? (This
>happens regardless of hostname as long as it's unresolved.) However,
>if I try to look up the hostname using 'dig' or 'host', I get no
>answer.

you really haven't posted enough information to get a good response, and in
that spirit i will suggest you read
man resolv.conf and man hosts

good luck!

peace,
cj


--
================================================== =============================
Christopher Jon Miller Drink and dance and laugh and lie
Parallel Systems Engineer Love, the reeling midnight through
For tomorrow we shall die!
(But, alas, we never do.)
-- Dorothy Parker, "The Flaw in Paganism"
================================================== =============================

(E-Mail Removed) (piggy) writes:

> Why can I ping a hostname that doesn't resolve to anything, e.g.
> notl337.net, but the echos are coming from my DNS server? (This
> happens regardless of hostname as long as it's unresolved.) However,
> if I try to look up the hostname using 'dig' or 'host', I get no
> answer.

You're contradicting yourself: you say that the name doesn't resolve,
yet you say that you can ping it. If you can ping the name then
it must be resolving somehow. Perhaps the real question is: "How
is the name resolving when it doesn't appear to be in DNS?"

What are your exact ping and dig commands, and what's the output
of each? Please use real names and IP addresses if possible --
don't modify the output in any way.

A non-existent name could resolve if your DNS server has a wildcard
A record, but that should show up with dig or host.

> I think I understand that ping works differently from dig in the sense
> that ping uses gethostbyname() but I really don't see why that would
> give different behaviours. And please don't rant about ping not being
> a tool for hostname lookups, at least I know that much.

A difference in behavior could be explained by the fact that dig
makes DNS queries, while gethostbyname() might use other name
resolution services (hosts file, NIS, etc.) in addition to or instead
of DNS. What does "grep hosts /etc/nsswitch.conf" show?

Without more information it's hard to say what's happening. Please
provide more details.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/

(E-Mail Removed) (Michael Fuhr) wrote in message news:<3fd10fa0$(E-Mail Removed)>...
[snip]
> You're contradicting yourself: you say that the name doesn't resolve,
> yet you say that you can ping it.

Exactly.

> If you can ping the name then
> it must be resolving somehow. Perhaps the real question is: "How
> is the name resolving when it doesn't appear to be in DNS?"

This was what I meant to ask but didn't phrase it that well.

> What are your exact ping and dig commands, and what's the output
> of each? Please use real names and IP addresses if possible --
> don't modify the output in any way.

[vittra:~]$ ping notl337.net
PING notl337.net.lateral.net (195.224.94.181): 56 octets data
64 octets from 195.224.94.181: icmp_seq=0 ttl=253 time=2.1 ms
64 octets from 195.224.94.181: icmp_seq=1 ttl=254 time=0.4 ms
64 octets from 195.224.94.181: icmp_seq=2 ttl=254 time=0.4 ms
64 octets from 195.224.94.181: icmp_seq=3 ttl=254 time=0.4 ms

--- notl337.net.lateral.net ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.8/2.1 ms
[vittra:~]$ dig notl337.net

; <<>> DiG 9.1.3 <<>> notl337.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;notl337.net. IN A

;; AUTHORITY SECTION:
net. 10789 IN SOA a.gtld-servers.net.
nstld.verisign-grs.com. 2003120701 1800 900 604800 86400

;; Query time: 33 msec
;; SERVER: 195.224.94.179#53(195.224.94.179)
;; WHEN: Mon Dec 8 12:31:43 2003
;; MSG SIZE rcvd: 102


> A non-existent name could resolve if your DNS server has a wildcard
> A record, but that should show up with dig or host.

But this happens for *any* domain, so where would this wildcard A
record be? The notl337.net example above is a hostname for a domain
that doesn't exist. I get the same strangeness with other hosts which
use the same DNS server so it seems like a problem with the DNS server
but I'm not sure what or why or how.

[snip]
> What does "grep hosts /etc/nsswitch.conf" show?

[vittra:~]$ grep hosts /etc/nsswitch.conf
hosts: files dns

Thanks for the reply. I would appreciate any further help! :-)

P

(E-Mail Removed) (piggy) writes:

> > If you can ping the name then
> > it must be resolving somehow. Perhaps the real question is: "How
> > is the name resolving when it doesn't appear to be in DNS?"
>
> This was what I meant to ask but didn't phrase it that well.
>
> > What are your exact ping and dig commands, and what's the output
> > of each? Please use real names and IP addresses if possible --
> > don't modify the output in any way.
>
> [vittra:~]$ ping notl337.net
> PING notl337.net.lateral.net (195.224.94.181): 56 octets data

There's the answer: you're not pinging notl337.net, you're pinging
notl337.net.lateral.net; your resolver's search algorithm has found
a name that resolves. Typical resolver behavior is to try variations
of a name until one resolves or until it runs out of variations.
The search algorithm allows you to use short names like foo and
foo.subdomain instead of having to use foo.example.com and
foo.subdomain.example.com.

> [vittra:~]$ dig notl337.net
>
> ; <<>> DiG 9.1.3 <<>> notl337.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 43741
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

The nameserver returns NXDOMAIN (name doesn't exist) for notl337.net,
so your resolver tries something else. It's common for resolvers
to try "name.yourdomain" next, so you end up with notl337.net.lateral.net.

> > A non-existent name could resolve if your DNS server has a wildcard
> > A record, but that should show up with dig or host.
>
> But this happens for *any* domain, so where would this wildcard A
> record be? The notl337.net example above is a hostname for a domain
> that doesn't exist. I get the same strangeness with other hosts which
> use the same DNS server so it seems like a problem with the DNS server
> but I'm not sure what or why or how.

The wildcard A record is in the lateral.net zone:

% dig qxbdcjozblceafhj.lateral.net

; <<>> DiG 9.2.3 <<>> qxbdcjozblceafhj.lateral.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61442
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;qxbdcjozblceafhj.lateral.net. IN A

;; ANSWER SECTION:
qxbdcjozblceafhj.lateral.net. 3600 IN A 195.224.94.181

One way to avoid the resolver's search algorithm is to fully-qualify
names by appending a dot:

% ping notl337.net.
ping: unknown host notl337.net.

Hope this helps.

--
Michael Fuhr
http://www.fuhr.org/~mfuhr/

(E-Mail Removed) (Michael Fuhr) wrote in message news:<3fd10fa0$(E-Mail Removed)>...
[snip]
> A non-existent name could resolve if your DNS server has a wildcard
> A record, but that should show up with dig or host.
>
[snip]

I've fixed this problem now. It turned out that in /etc/resolv.conf,
we had

nameserver <ip1>
nameserver <ip2>
search lateral.net

And on our DNS server, we had this wildcard for the domain
lateral.net:
* A 195.224.94.181

The last line of resolv.conf in combination with the wildcard must be
the culprit, because I no longer can ping unresolved hostnames. (BTW I
didn't put that wildcard in there - honest! ;-)

Thanks for all the help!
P