Multiple/Wrong IP Address Resolved

[Borvik]

We are having difficulties accessing a website and it has been determined that it is a DNS issue.

The client machines are resolving TWO ip addresses, where our domain controller (and DNS server) is resolving only one IP addresses (the correct address).

Here are the results of nslookup on both the domain controller and on a client:

Domain Controller:

>nslookup hostname
Server:  domain-controller-name
Address:  192.168.1.13

Non-authoritative answer:
Name:    hostname
Addresses:  IP_A

Client:

>nslookup hostname
Server:  domain-controller-name
Address:  192.168.1.13

Non-authoritative answer:
Name:    hostname
Addresses:  IP_B
          IP_A

IP_A is the correct IP address for this hostname.

Technically the clients have two DNS servers. One is the domain controller, the other is a SuSE Linux box - I have confirmed that BOTH show the nslookup results as the above domain controller results.

I have run "ipconfig /flushdns" and cleared the arp cache and I am still seeing the same results.

Any ideas?

 

[elgrandeperro]

The answer is Non-authoritative, which means it is getting it from the cache of the domain-controller-name (192.168.1.13).

Also, is the "hostname" fully qualified? set debug flag on nslookup to see what it actually being "found".

 

[Borvik]

I figured that is what "Non-authoritative" means - though I did run /flushdns there as well.

Yes "hostname" is fully qualified - I just don't want to show it or it's IP addresses.

I "set d2" and came up with some interesting results. It would appear that something is going on with an IPv6 response:

------------
Non-authoritative answer:
------------
SendRequest(), len 29
    HEADER:
        opcode = QUERY, id = 9, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        hostname, type = AAAA, class = IN

------------
------------
Got answer (57 bytes):
    HEADER:
        opcode = QUERY, id = 9, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        hostname, type = AAAA, class = IN
    ANSWERS:
    ->  hostname
        type = AAAA, class = IN, dlen = 16
        AAAA IPv6 address = ::ffff:IP_B
        ttl = 9 (9 secs)

------------
Name:    hostname
Addresses:  IP_B
          IP_A

 

[Borvik]

This problem is really strange.

It all stemmed from the fact that we couldn't access a website.

I have since run the nslookup command on numerous PCs. My two PCs seem to be the only two that are reporting multiple IP addresses (looks like a botched AAAA - IPv6 - query). The rest of the machines all report the single correct IPv4 address.

This is where it gets confusing - all the XP machines work fine, while all the Vista machines fail. The Vista machines fail even though nslookup reports only the one correct IP address!

I do know it has something to do with the IPv6 lookups, as I disabled that in Firefox's about:config page - and I was then able to load the page (only in Firefox though).

Any ideas on what I can do to fix the problem?

 

[Borvik]

The IPv6 returned from the nslookup doesn't look (debug mode) doesn't appear to be a valid IPv6 address, and it is then being misinterpreted as an IPv4 address.

AAAA record result - ::ffff:###.##.###.###

The nslookup result then lists just the # sign part of that result as the result.

Could it be possible that the DNS server that hosts the address in question is incorrectly configured for IPv6?