Name resolution is used on networks to resolve names to IP addresses. You and I use names and words to communicate, but computers use numbers.
If I ask you the IP address of
bing.com, you probably don't know it. However, if I ask you the name of
Microsoft's online search engine, you probably know the name Bing.com,
and that's all you need to know. When you enter Bing.com into a web
browser, it is resolved to an IP address and the IP address is used for
connectivity.
There are seven methods of
resolving names. Three are used primarily with hostnames, which are used on
the Internet and internal networks. Three are found on internal Microsoft
networks using NetBIOS names.
Hostnames and NetBIOS names
can also be resolved using a seventh method: broadcasts. Broadcasts are
usually used as a last resort to help minimize broadcast traffic on a
network. The client broadcasts the name onto the network, and if the
host with that name is on the network, it will respond with the IP
address. Remember though, broadcasts do not cross routers, so the
broadcast name resolution method is good only for the same subnet.
Name resolution methods are tied to two types of names:
Hostnames
A hostname
can be up to 255 characters in length and is the only type of name used
on the Internet. When a hostname is combined with a domain name, it
becomes a fully qualified domain name (FQDN). For example, a Windows 7
PC named Client1 in the domain wiley.com has an FQDN of Client1.wiley.com. Hostnames are primarily resolved by DNS servers.
NetBIOS names
A NetBIOS name
has 15 readable characters, with the 16th byte identifying a service
running on the system. The use of NetBIOS names has been significantly
reduced in networks in favor of hostnames, but they are still being used
by older applications. Since NetBIOS names are not supported in IPv6,
this usage will eventually disappear. NetBIOS names are primarily
resolved by WINS servers.
1. Hostname Resolution Methods
While DNS is the primary
method used to resolve hostnames, it's not the only method. There are
three primary methods used to resolve hostnames:
DNS
DNS servers answer
queries for name resolution of hostnames. When queried with a name, the
DNS server returns the IP address. DNS servers are typically configured
with addresses of other DNS servers. If the queried DNS server does not
know the IP address, it will forward the name resolution request to
other DNS servers to determine the IP address. This forwarding occurs on
internal networks and on the Internet.
You can easily check which DNS server is assigned to a client with the IPConfig /All command.
Hosts file
The Hosts file is located in the %windir%\System32\Drivers\etc
folder. Entries in the Hosts file are automatically placed into the
host cache. Malware sometimes modifies the Hosts file to prevent a
client from accessing specific websites. For example, a bogus entry
could be placed in the file for Microsoft's update site, and the client
would no longer be able to get updates.
Host cache
Once a name is resolved by DNS, the result is placed in the host cache
(also called the DNS cache, which is a little misleading because this
cache also holds entries from the Hosts file). You can view the host
cache with the IPConfig /DisplayDNS command.
You can remove host cache entries from cache using the IPConfig /FlushDNS
command. This will remove all entries that were cached from a DNS
query, but it will not remove entries placed in cache from the Hosts
file.
Enter the following command to resolve a name using DNS:
    Ping msn.com
The first line should be something like this:
    Pinging msn.com [207.68.172.246] with 32 bytes of data:
The IP address verifies that name resolution is working. It's very likely that msn.com will block the ping, so it will result in Request Timed Out errors. However, you can still use this method to verify name resolution with DNS.
Enter the following command to view the host cache entries:
    IPConfig /displayDNS
You'll see that the address of msn.com is included in this result with other data from the answering DNS server. Time To Live indicates how long (in seconds) the entry will remain in cache.
    ----------------------------------------
    Record Name . . . . . : msn.com
    Record Type . . . . . : 1
    Time To Live . . . . : 247
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 207.68.172.246
Enter the following command to clear the host cache of all DNS entries:
    IPConfig /flushDNS
Enter the following command to view the host cache entries again:
    IPConfig /displayDNS
You'll see that the address of msn.com is no longer shown. The only entries showing are those derived from the Hosts file.
Enter the following command to open the Hosts file:
    notepad %windir%\System32\Drivers\etc\hosts
Scroll to the bottom of the Hosts file, and add the following entry:
    192.168.1.77 msn.com
Press Ctrl+S to save the file.
Enter the following command to view the host cache entries again:
    IPConfig /displayDNS
You'll see that the address of msn.com is now in cache. Even if you enter the IPConfig /FlushDNS command, the entry will remain in cache.
Enter the following command to try to ping msn.com:
    Ping msn.com
The first line should be something like this:
    Pinging msn.com [192.168.1.77] with 32 bytes of data:
Notice that this is not the valid address of msn.com, but instead it reflects the entry you entered in the Hosts file. With this entry in the Hosts file, the client will never be able to access the actual msn.com site.
Delete the msn.com entry in the Hosts file, and save the Hosts file in its original configuration.
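The Hosts-file behaviour shown in the walkthrough above can be turned into a check. This added example (not from the original text) parses Hosts-file content and reports every mapping other than localhost, marking watched names as blocked or redirected. The watch list, update.example.com and the sample file are constructed for illustration.

```python
import ipaddress

# Names whose resolution should never come from the Hosts file.
# msn.com is the page's test name; update.example.com is a placeholder.
WATCHED = {"msn.com", "update.example.com"}

# Constructed sample Hosts file content (not taken from a real machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
192.168.1.77   msn.com            # entry added in the walkthrough
0.0.0.0        update.example.com
10.0.0.5       fs1 FS1.wiley.com
not-an-ip      broken.example.com
"""

def parse_hosts(text):
    """Yield (ip, name) for each mapping, skipping comments and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (name, ip, verdict) for every entry other than localhost."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue  # expected default mapping
        if name in watched:
            # Loopback or 0.0.0.0 blocks the site; anything else redirects it.
            blocked = ip.is_loopback or ip.is_unspecified
            verdict = "blocked" if blocked else "redirected"
        else:
            verdict = "review"
        findings.append((name, str(ip), verdict))
    return findings

if __name__ == "__main__":
    for name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name} -> {ip}")
```

Because Hosts-file entries survive IPConfig /FlushDNS, run the audit against the contents of %windir%\System32\Drivers\etc\hosts rather than relying on a cache flush.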
2. NetBIOS Name Resolution Methods
NetBIOS names can be
resolved using three methods. These methods are different from the
primary methods used to resolve hostnames. However, if a hostname can't
be resolved using the primary hostname resolution methods, you can
attempt the NetBIOS name resolution methods.
These are the primary methods used to resolve NetBIOS names:
WINS
WINS servers will
answer name resolution queries for NetBIOS names. When queried with a
name, the WINS server returns the IP address. Whereas DNS servers can be
configured to query other DNS servers to resolve a name, WINS servers
cannot query other WINS servers.
LMHosts file
The LMHosts file is located in the %windir%\System32\Drivers\etc folder.
NetBIOS cache
Once a name is resolved by WINS, the result is placed in the NetBIOS cache. You can view the NetBIOS cache with the NBTStat /c command.
The use of NetBIOS names in networks is significantly reduced today.
3. Using NSLookup
Although the IPConfig and Ping
commands can very often be useful when troubleshooting name resolution
issues, there are times when you'll want to query the DNS server
directly to get detailed information. The NSLookup tool is a command-prompt utility that you can use to get specific information from a DNS server.
NOTE
NSLookup uses the DNS
server IP address that is either manually assigned to the network
adapter or received by the DHCP server. Because of this, you don't have
to identify the IP address of the DNS server when using NSLookup.
As an example, you may want to check to see if DNS can resolve the name of a file server (FS1) to an IP address. Listing 1 shows how the NSLookup
command can be used. The line numbers are shown for explanation
purposes. Line 1 is the command, and lines 2–6 show the results.
Listing 1. Using NSLookup
1 C:\>nslookup fs1
2 Server: dc1.wiley.com
3 Address: 192.168.1.10
4
5 Name: fs1.Wiley.com
6 Address: 192.168.1.21
Lines 2 and 3 identify the DNS
server (by name and IP address) that is resolving the name. The client knows
the IP address of the DNS server and uses a reverse lookup to identify
the name of the DNS server. Lines 5 and 6 provide the result of the
query. This shows definitively that the DNS server (hosted on DC1) can
resolve the server named FS1 to an IP address of 192.168.1.21.
If the DNS server did not have a record for the name and couldn't resolve it, you'd see something like Listing 2.
Listing 2. Verifying a DNS record doesn't exist with NSLookup
1 C:\>nslookup fs25
2 Server: dc1.wiley.com
3 Address: 192.168.1.10
4
5 *** dc1.wiley.com can't find fs25: Non-existent domain
Notice that lines 2 and 3 stay the
same because the same DNS server is providing the answer. However,
these first two lines are dependent on the DNS server having a reverse
lookup zone and a PTR record for the DNS server in the zone. Because
reverse lookup zones are optional, you often won't see them.
As an example, Listing 3 shows what you'll see if the DNS server (DC1) doesn't have a PTR record in DNS.
Listing 3. Using NSLookup without a PTR record
1 C:\>nslookup fs1
2 Server: Unknown
3 Address: 192.168.1.10
4
5 Name: fs1.Wiley.com
6 Address: 192.168.1.21
Line 2 shows that the DNS
server couldn't be identified (because the PTR record is deleted).
However, it's important to note that FS1 is still successfully resolved.
If the DNS server doesn't have a
reverse lookup zone, it will still work, though the result looks like
something is drastically wrong. Listing 4 shows the result when the reverse lookup zone doesn't exist.
Listing 4. Using NSLookup without a reverse lookup zone
1 C:\>nslookup fs1
2 DNS request timed out.
3 timeout was 2 seconds.
4 Server: UnKnown
5 Address: 192.168.1.10
6
7 Name: fs1.Wiley.com
8 Address: 192.168.1.21
When looking at lines 2 and 3,
you may think that DNS isn't responding, but all this is saying is that
it timed out when it tried to do a reverse lookup of 192.168.1.10 to
determine the name.
Note that lines 7 and 8
still provide the result of the name resolution request. In other words,
even though you see the message stating "DNS request timed out," the
DNS server still resolved the hostname to an IP address.
What if the DNS server is
not responding at all? This could happen if the DNS server is down or
the DNS service is not running on the server. Listing 5 shows the result when NSLookup is used to query a server with the DNS service stopped.
Listing 5. Using NSLookup with an unreachable DNS server
1 C:\>nslookup fs1
2 DNS request timed out.
3 timeout was 2 seconds.
4 Server: UnKnown
5 Address: 192.168.1.10
6
7 DNS request timed out.
8 timeout was 2 seconds.
9 DNS request timed out.
10 timeout was 2 seconds.
11 *** Request to UnKnown timed-out
Line 5 shows the IP address
that the client is using as the DNS server. The rest of the information
indicates the DNS server is not responding at all. At this point, you
should check that this is a valid IP address for the DNS server and
verify that it is operational.
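The five NSLookup outcomes above can be told apart mechanically. This added example (not part of the original text) classifies the output shapes of Listings 1 through 5, separating a failed reverse lookup of the DNS server from a failed query; the function name and result keys are this example's own.

```python
# The page's Listings 4 and 5 (line numbers and blank lines removed) start identically.
HEAD = """\
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.1.10
"""
LISTING_4 = HEAD + "Name:    fs1.Wiley.com\nAddress:  192.168.1.21\n"
LISTING_5 = HEAD + ("DNS request timed out.\n    timeout was 2 seconds.\n" * 2
                    + "*** Request to UnKnown timed-out\n")

def classify_nslookup(output):
    """Return query status and reverse-lookup state for Windows nslookup output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    res = {"status": "unparsed", "reverse": None, "server_ip": None, "answer": None}
    idx = next((i for i, ln in enumerate(lines)
                if ln.lower().startswith("server:")), None)
    if idx is None:
        return res
    server = lines[idx].split(":", 1)[1].strip()
    header, body = lines[:idx], lines[idx + 1:]
    # A timeout printed before "Server:" is the PTR lookup of the DNS server's IP.
    if any("timed out" in ln for ln in header):
        res["reverse"] = "timeout"
    else:
        res["reverse"] = "no_ptr" if server.lower() == "unknown" else "ok"
    if body and body[0].lower().startswith("address:"):
        res["server_ip"] = body.pop(0).split(":", 1)[1].strip()
    if any(ln.startswith("***") and "timed-out" in ln for ln in body):
        res["status"] = "server_unreachable"
    elif any("Non-existent domain" in ln for ln in body):
        res["status"] = "nxdomain"
    else:
        answers = [ln.split(":", 1)[1].strip() for ln in body
                   if ln.lower().startswith("address:")]
        if answers:
            res["status"], res["answer"] = "resolved", answers[0]
    return res

if __name__ == "__main__":
    for label, text in (("Listing 4", LISTING_4), ("Listing 5", LISTING_5)):
        print(label, classify_nslookup(text))
```

Only the status field says whether the name was resolved; a reverse value of timeout or no_ptr on its own describes the DNS server's PTR record, not the query.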