3

After a new install of Ubuntu 15.10, my commands (ping, ssh, ...) are using a different IP address than the one resolved by nslookup, host, dig, ... How could this happen?

user@ubuntu-15-10:~$ nslookup foobar.com
 Server:        127.0.1.1
 Address:   127.0.1.1#53

 Non-authoritative answer:
 foobar.com canonical name = foobar.homeip.net.
 Name:  foobar.homeip.net
 Address: 12.34.56.78

user@ubuntu-15-10:~$ host foobar.com
 foobar.com is an alias for foobar.homeip.net.
 foobar.homeip.net has address 12.34.56.78

user@ubuntu-15-10:~$ ping foobar.com
 PING foobar.com (192.168.1.3) 56(84) bytes of data.
 64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=1 ttl=64 time=0.245 ms
 64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=2 ttl=64 time=0.285 ms
 64 bytes from foobar.localdomain.home (192.168.1.3): icmp_seq=3 ttl=64 time=0.269 ms
 ^C
 --- foobar.com ping statistics ---
 3 packets transmitted, 3 received, 0% packet loss, time 2000ms
 rtt min/avg/max/mdev = 0.245/0.266/0.285/0.021 ms

user@ubuntu-15-10:~$

My /etc/resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1
search localdomain.home

My /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files mdns4_minimal [NOTFOUND=return] wins dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

No entry for foobar.com in /etc/hosts

Anyone any idea?

mirec

2 Answers

2

I found a fix myself after some investigation... The problem was in /etc/nsswitch.conf: on the "hosts" line, the "dns" entry should be before the "wins" entry... I don't understand what's behind it, however now it works as expected.

mirec
1

Sorry, the server configured is some strange fake server, probably at your own machine. The server address [127.0.1.1] is normally reserved for localhost interfaces (this is strange, as the localhost address is actually 127.0.0.1, and not 127.0.1.1)

The most probable cause you are receiving different responses is that nslookup(1) is a BIND utility to test DNS access (it only uses DNS lookups) and ping(1) uses the gethostbyname(3) library routine (which considers all the possibilities configured in the /etc/nsswitch.conf file for information on how to proceed; in this case, the dns part is the last resort).

On the other hand, the actual address of host foobar.com is not that one (see below).

Finally, the address of foobar.com resolved by ping(1), as shown in your output, is a private address (not the actual one, see RFC 1918); you cannot find that host over the internet.

The most probable thing is that you have not asked for dns resolution to any official internet nameserver, so everything is a matter of local dns configuration.

Possible causes of the difference:

  • mdns4_minimal is some fake program that doesn't ask the actual nameserver.
  • dns is the last option in the /etc/nsswitch.conf, so official DNS protocol goes last (when all other protocols have failed)
  • your DNS is not listening on address 127.0.1.1 and you have some ssh port redirection or tunnel to some other nameserver giving the wrong answers. The address 127.0.1.1 is normally used by the tap* network device when used, for example, to configure openvpn(1) client connections.
  • You have not shown the nameserver config files running at your machine. Perhaps the origin of the address you get is there. Look for named(8) config files and search for the domain foobar.com in those config files.

None of the addresses you have shown is a real internet address (127.0.0.0/8, 10.0.0.0/8, 172.16-31.0.0/16, 192.168.0-255.0/24 and 169.254.0.0/16 are all reserved internet addresses for one or other reason, and you won't see any of these addresses appearing on packets coming from the internet). The reasons are diverse, but the fact is that all your traffic is local in your private network and nothing, except perhaps the nameserver running at your machine, has internet access.

Sorry, but with the information you provide, this is the only thing I can argue to try to solve your error.

Something you can do is the following (to get a clean dns resolution):

  • configure dns after files in /etc/nsswitch.conf. (This will give dns priority before the mdns4_minimal and wins resolution.)
  • configure nameserver <ip> with the actual addresses of your nameservers. (They should be communicated to you by your internet provider. If you don't know what to put there, just try nameserver 8.8.8.8, which means use the Google nameserver to resolve addresses. Fortunately, it is open to everybody.)

These steps will make DNS resolution bypass your local nameserver completely and you'll get something like

$ nslookup foobar.com
Server:     46.183.73.1
Address:    46.183.73.1#53

Non-authoritative answer:
Name:   foobar.com
Address: 69.89.31.56

$ ping foobar.com
PING foobar.com (69.89.31.56): 56 data bytes
64 bytes from 69.89.31.56: icmp_seq=0 ttl=50 time=173.196 ms
64 bytes from 69.89.31.56: icmp_seq=1 ttl=50 time=175.091 ms
64 bytes from 69.89.31.56: icmp_seq=2 ttl=50 time=208.612 ms
64 bytes from 69.89.31.56: icmp_seq=3 ttl=50 time=177.145 ms
^C
--- foobar.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 173.196/183.511/208.612/14.559 ms
$ _

If you have installed Ubuntu and didn't configure an internet connection at installation, the most probable cause is that it has configured DNS locally with a fake database that allows you to make experiments, before configuring it for real internet access.

Luis Colorado
  • It is a default installation of Ubuntu 15.10. The DNS server at 127.0.1.1 is just how Ubuntu is configured. I'm not perfectly sure, but I think there is some instance of dnsmasq running locally. However, thank you for explaining how resolving of IPs works. I only suspected this after I found that it works when the order of the "hosts" entries in /etc/nsswitch.conf is changed... – mirec Nov 17 '15 at 10:45
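
Added example (not part of the original posts): a small Python model of how the glibc resolver walks the `hosts:` line of /etc/nsswitch.conf, showing why ping and nslookup can disagree and why moving `dns` ahead of `wins` changes the answer. The per-service results in `ANSWERS` are constructed assumptions modelled on the question's output; `parse_hosts_line`, `resolve` and `demo` are hypothetical helper names.

```python
import re

# glibc defaults: stop on SUCCESS, otherwise try the next service.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

def parse_hosts_line(nsswitch_text):
    """Return [(service, {status: action})] for the 'hosts:' database."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        chain = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", line[len("hosts:"):]):
            if tok.startswith("["):          # e.g. [NOTFOUND=return] or [!UNAVAIL=return]
                if not chain:
                    raise ValueError("action before any service")
                for item in tok[1:-1].split():
                    status, action = item.upper().split("=")
                    negate = status.startswith("!")
                    for s in DEFAULTS:       # apply to the named status, or to all others if negated
                        if (s == status.lstrip("!")) != negate:
                            chain[-1][1][s] = action.lower()
            else:
                chain.append((tok, dict(DEFAULTS)))
        return chain
    raise ValueError("no hosts: line")

def resolve(chain, answers):
    """Walk the chain in order; answers maps service -> (status, address)."""
    for service, actions in chain:
        status, addr = answers.get(service, ("UNAVAIL", None))
        if actions[status] == "return":      # lookup stops at this service
            return (service, addr if status == "SUCCESS" else None)
    return (None, None)

# Constructed per-service results for foobar.com (assumptions, not measured).
ANSWERS = {
    "files": ("NOTFOUND", None),             # no entry in /etc/hosts
    "mdns4_minimal": ("UNAVAIL", None),      # assumption: name is not under .local
    "wins": ("SUCCESS", "192.168.1.3"),      # assumption: a LAN host answers to the name
    "dns": ("SUCCESS", "12.34.56.78"),       # what nslookup/host/dig reported
}
ORIGINAL = "hosts: files mdns4_minimal [NOTFOUND=return] wins dns"
FIXED = "hosts: files mdns4_minimal [NOTFOUND=return] dns wins"

def demo():
    """Result of the same lookup under the original and the reordered line."""
    return (resolve(parse_hosts_line(ORIGINAL), ANSWERS),
            resolve(parse_hosts_line(FIXED), ANSWERS))
```

On a live system, `getent hosts <name>` goes through the same NSS chain as ping and ssh, while nslookup, host and dig query the DNS server directly, so comparing the two shows whether a non-DNS source is supplying the address.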