Why does ping name resolution differ from DNS? Uncover the hidden causes

Name resolution is a critical component of network management, allowing systems to translate human-friendly domain names into IP addresses. However, discrepancies between tools like ping and DNS can lead to confusion and potential monitoring inaccuracies.

This article explores why these discrepancies occur and provides guidance on troubleshooting and resolving these issues.

How ping and DNS differ in name resolution: Common causes of discrepancies

Most people know their hosts via DNS names (e.g. server1.lax.company.com) rather than IP addresses (192.168.3.45), and so enter them into their monitoring systems as DNS names. Thus, there is a strong requirement that name resolution works as expected in order to make sure that the monitoring system is, in fact, monitoring what the user expects it to be.

Sometimes, we get support requests about how the LogicMonitor collector is resolving a DNS name to an IP address incorrectly, but the DNS is all set up as it should be, so something is wrong with the collector. However, the issue is simply in the interactions of how hosts resolve names, which is not always the same as how DNS resolves names.

The confusion lies in the fact that the tools people often use to validate their name resolution setup – host and nslookup – only use the name resolution system. They talk to the name servers listed in /etc/resolv.conf (or passed to them by their Active Directory configuration), and ask the name servers about what a particular host resolves as.

However, Windows and Linux do not just use the DNS system. They have other sources of resolving names – the /etc/hosts file on linux,WindowsSystem32driversetchosts on Windows, NIS, NetBIOS name resolution, caching systems like nscd – none of which are consulted by host or nslookup, but any of which may return conflicting information that the operating system may use.

As a simple example, you can see below that there is a local entry defining the address of foo.com to be 10.1.1.1:

 [[email protected]:~]$ cat /etc/hosts
 127.0.0.1 logicmonitor.com logicmonitor.com.localdomain logicmonitor.com4 logicmonitor.com4.localdomain4
 ::1 logicmonitor.com logicmonitor.com.localdomain logicmonitor.com6 logicmonitor.com6.localdomain6
 10.1.1.1 foo.com

While the ping program uses the locally configured address:

[[email protected]:~]$ ping foo.com
PING foo.com (10.1.1.1) 56(84) bytes of data.
^C
--- foo.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1725ms

The host and nslookup programs do not:

[[email protected]:~]$ host foo.com
 foo.com has address 23.21.224.150
 foo.com has address 23.21.179.138
 foo.com mail is handled by 1000 0.0.0.0.
 [[email protected]:~]$ nslookup foo.com
 Server: 216.52.126.1
 Address: 216.52.126.1#53
Non-authoritative answer:
 Name: foo.com
 Address: 23.21.224.150

Comparison of Ping vs DNS Name Resolution

Ping and DNS resolve names differently due to the varied sources they consult. Below is a comparison of these tools:

Troubleshooting steps for resolving name resolution discrepancies

If you encounter discrepancies between how the ping command resolves a DNS name and the expected DNS results, follow these steps to pinpoint and resolve the issue:

1. Check Local Hosts Files
   First, inspect the local hosts file on your system (/etc/hosts on Linux or C:\Windows\System32\drivers\etc\hosts on Windows). Entries in these files can override DNS settings, causing ping to resolve a name differently than tools like nslookup or host. Look for any entries that may be directing traffic to an unexpected IP address.
2. Flush DNS and Name Service Caches
   Caching can often be the culprit behind outdated or incorrect name resolution. Use commands such as ipconfig /flushdns on Windows or sudo systemd-resolve –flush-caches on Linux to clear DNS caches. Additionally, if you’re using a name service cache daemon like nscd, restart it with sudo systemctl restart nscd to ensure it’s not serving stale data.
3. Review Name Resolution Order
   On Linux systems, the order of name resolution is determined by the nsswitch.conf file. This file specifies which services to query (e.g., DNS, files, NIS) and in what order. Misconfigurations here can lead to unexpected results. Ensure the file is set up correctly and reflects the desired order of resolution.
4. Compare Results with Nslookup or Host
   Use nslookup or host to query your DNS server names directly. This will show you the IP address that DNS servers are returning for a given hostname. Compare these results with what ping is showing. If nslookup provides the correct IP address while ping does not, you’ve confirmed that the issue lies outside of DNS, likely due to local overrides or caching.
5. Examine Network Configuration and Overrides
   Network settings, including VPNs, proxy configurations, or split DNS setups, can affect name resolution. Check your network settings and look for any rules or overrides that could be directing your queries differently based on your network context.

By systematically reviewing these factors, you can identify the root cause of name resolution discrepancies and ensure your monitoring and diagnostic tools are functioning as expected. Always keep in mind the source each tool is using, and adjust configurations as needed to maintain consistent and reliable name resolution across your systems.

Take control of your network monitoring with LogicMonitor

So the moral of the story? Know where the tool you are using is getting its information from. If it is nslookup or host, it is only querying the Domain Name system. The operating system (ping, telnet, etc) may well be using other sources of information.

Don’t let name resolution discrepancies compromise your network performance. LogicMonitor provides comprehensive insights into your network’s health, helping you pinpoint and resolve issues swiftly. With advanced monitoring tools that factor in all name resolution sources, LogicMonitor ensures that your monitoring data reflects the true state of your network.