Irresolute

Windows 8.1, on my network at least, has a big problem with names. The most noticeable effect is that web browsers frequently cannot resolve site addresses. On the command-line the same problem affects ping, but not nslookup. In the immediate aftermath of running ipconfig/flushdns everything works, but only for a few seconds.

The problem gets worse the more complex the name is: I have seen no problems with names which are simple A or AAAA records. Most of the failures I have noticed are CNAMEs for CNAMEs for CNAMEs for CNAMEs for A records for CDNs. I thought that perhaps my DNS server was not sending comprehensive answers (i.e. all results down to an address) in this scenario, so I downloaded ISC dig to check; I can see nothing wrong in the responses when I get a response.

If I use dig -4 ... I get an immediate response with a reported query time of 16 msec. If I use dig -6 ... I get no response. If I use dig ... I get a response after several seconds from my local IPv4 DNS server with a reported query time of 16 msec. I therefore assumed that my local IPv6 nameserver was broken.

At this point I began disabling parts of the Windows networking stack which I don’t think I need: the ISATAP and Teredo adapters were first against the wall. In the immediate aftermath of killing either one the problem was less severe, but I suspect this is because any network change does the equivalent of ipconfig/flushdns as the problem soon resurfaces.

However: dig -6 ... @2001:... with its global address (as listed in the DNS servers list in ipconfig/all) works, as does dig -6 ... @fe80:... with its link-local address. This shifted my working assumption to the premise that Windows is not using the correct address for my IPv6 nameserver, although I could not see how because it shows correctly in ipconfig/all.

I then noticed that I had a virtual Ethernet interface used to give the Windows Phone “emulator” a connection to the Internet. That had three non-existent IPv6 addresses listed as its DNS servers, so I conjectured that they were being used for name resolution, failing, and on more-complex names a retry limit was being hit. I disabled IPv6 on that adapter, which cleared the bad DNS server records from my list but had no effect on the problem I am trying to solve.

At this point I am pretty much stumped: there are only two name servers listed by ipconfig/all across all interfaces, and both of them work (for all valid addresses) when explicitly used with dig ... @.... I do not understand why dig -6 ... with no explicit server fails to connect to any server: as far as I can see it has a choice of one, and that one works.
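
The per-server check described above (list the DNS servers on every interface, then query each one directly) can be scripted so that servers left behind on virtual adapters are tested as well. This is an added example, not part of the original post; it assumes the DnsClient PowerShell module that ships with Windows 8 and later, and the name and the slowness threshold are placeholders.

```powershell
# Added example: query every DNS server Windows has configured, per interface
# and address family, for one name, and report failures and slow answers.
param(
    [string]$Name   = 'www.example.com',  # placeholder: use a name that fails to resolve
    [int]   $SlowMs = 1000                # assumed threshold for a "slow" answer
)

$results = foreach ($cfg in Get-DnsClientServerAddress) {
    foreach ($server in $cfg.ServerAddresses) {
        # AddressFamily is numeric: 2 = IPv4, 23 = IPv6
        $family = if ($cfg.AddressFamily -eq 23) { 'IPv6' } else { 'IPv4' }
        $timer  = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly bypasses LLMNR/NetBIOS so only this DNS server is tested
            $answer = Resolve-DnsName -Name $Name -Server $server -Type A `
                                      -DnsOnly -ErrorAction Stop
            $status = 'OK'
        } catch {
            $answer = @()
            $status = "FAIL: $($_.Exception.Message)"
        }
        $timer.Stop()

        [pscustomobject]@{
            Interface = $cfg.InterfaceAlias
            Family    = $family
            Server    = $server
            Status    = $status
            Ms        = $timer.ElapsedMilliseconds
            # Length of the CNAME chain the server returned before the A records
            CnameHops = @($answer | Where-Object { $_.Type -eq 'CNAME' }).Count
            Addresses = @($answer | Where-Object { $_.Type -eq 'A' }).Count
        }
    }
}

# Full picture first, then only the entries that deserve attention
$results | Sort-Object Interface, Family | Format-Table -AutoSize
$suspect = $results | Where-Object { $_.Status -ne 'OK' -or $_.Ms -gt $SlowMs }
if ($suspect) {
    Write-Warning 'These configured servers failed or answered slowly:'
    $suspect | Format-Table Interface, Family, Server, Status, Ms -AutoSize
}
```

A server that appears in the warning table but that you never configured is a candidate for the kind of stale entry found on the emulator adapter.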
