How to stop typing ipconfig /registerdns?

  • Thread starter XP is driving me crazy!

XP is driving me crazy!

Sorry if I am posting in the wrong newsgroup - I looked for a
*.winxp.dns newsgroup, but I couldn't find one. If you think this post
should go to a more appropriate forum please let me know. (I have
posted my problem a few days ago in
microsoft.public.windowsxp.network_web, but no one there could help
me). So, here goes:

My Windows XP computer loses its ability to resolve internet
hostnames shortly after I log on (sometimes even as soon as I log on).

The connection is restored (for that logon session only) if I type
"ipconfig /registerdns".

This cannot be the long term solution. I want the same convenience
that my Windows 2000 and Linux computers give me when accessing the
internet.

How do I get rid of the need to type "ipconfig /registerdns" again and
again just to gain access (i.e. working name resolving) to the
internet?

What's wrong in my XP's configuration?

Some information about my system:
- SP1, all latest security and critical fixes.
- Connected to the internet through a hardware firewall (on to a cable
modem).
- Norton Anti Virus installed.
- ZoneAlarm also installed.
- DHCP service is up and running (Automatic!)
- Checked "Enable NetBIOS over TCP/IP" TCP/IP (Properties > Advanced
button > WINS tab)
- Checking/unchecking "Register this connection's addresses in DNS" in
the "Advanced TCP/IP Settings" dialog box (DNS tab) doesn't seem to
make a difference as far as this problem is concerned.
- The "Change Primary DNS suffix when domain membership changes" box
(in Computer Name Changes) is UNCHECKED (I tried checking it, too, but
it didn't solve the problem and according to what I've read, the
unchecked option is the correct setting in a home computer that
doesn't belong to a domain).


Here is the output of ipconfig /all:

Windows IP Configuration
Host Name . . . . . . . . . . . . : mypc
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VIA PCI 10/100Mb Fast Ethernet
Adapter
Physical Address. . . . . . . . . : 00-40-36-BC-42-BF
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 68.168.96.162
68.168.96.165
205.166.226.38
65.102.83.43

Please help!

Thank you,
Driven Crazy by XP
 
Dmitry Korolyov

From your description, it sounds like a firewall issue, and should not be
fixed by re-registering machine hostnames.

Your TCP/IP configuration does not seem right to me. Your computer has an ip
address from a private address range, and is using some public DNS servers.
This means the following: DNS traffic (UDP port 53, and probably TCP port
53) could be filtered at two places: your personal ZoneAlarm firewall, and
your corporate firewall (the device which provides NAT/Proxy and allows you
to connect to the internet while having IP address from the private range).

Start the console and type "nslookup", post output here. We'll try to see
what's blocking your traffic.
 
John Coutts

Just a few tips. I see that you are operating behind a NAT router with a static
IP address. That is good. I also see you operating with 4 DNS servers. That is
bad. Anything more than 2 is overkill, as the current one has to time out
before the next one is used. Most NAT routers are capable of forwarding DNS
requests. When operating behind a NAT router, I find it best to operate with
only the router as DNS (it has to go through there anyway and get translated).
This works if you are not using Active Directory.

Using a NetMask of 255.255.255.0 is again overkill. I doubt that you have a 256
node network. Program the Netmask on all network equipment to something a
little more reasonable (255.255.255.224 - 32 nodes or 255.255.255.240 - 16
nodes).

When troubleshooting an Internet connection, do not rely on Internet Explorer.
It uses a built in cache and can be deceptive. Go to the command mode and use
the ping command instead (eg. ping www.adelphia.net). It uses a fresh request
each time. Then get rid of the unnecessary services that XP has running. For
more tips see:

http://www.yellowhead.com/xpcfg1.htm

J.A. Coutts
Systems Engineer
MantaNet/TravPro
************* REPLY SEPARATOR ***************
 
XP is driving me crazy!

Dmitry Korolyov said:
From your description, it sounds like a firewall issue, and should not be
fixed by re-registering machine hostnames.

Dmitry, first let me thank you for your reply. I was about to give up
as this newsgroup was my last resort (I researched *hundreds* of
postings on the subject using google, but none were helpful to my
case).

Second, I think you just solved my problem: As I was logging in to
type "nslookup" and post the output as you suggested, I tried one last
time to fire up my browser and see if the problem occurs immediately.
I then noticed ZoneAlarm prompting me for the following:

Generic Host Process for Win32 Services
C:\WINDOWS\system32\svchost.exe
version 5.1.2600

(I could swear it has already been given access to the internet, but
apparently this was not what ZoneAlarm thought)

I clicked "Yes" for letting svchost.exe access the internet and... the
problem seems to have disappeared!

I could have stopped here, say "Thank You" (again) and disappear. :)

But you sound like a very knowledgeable and experienced person and I
am a pretty curious guy who likes to understand what's happening. So,
perhaps we could clarify a few more things?

OK. Here goes...

Your TCP/IP configuration does not seem right to me. Your computer has an ip
address from a private address range, and is using some public DNS servers.

What's wrong with that? I am a home user connected to the internet
through a cable ISP. I have a small LAN at home (W2K, Linux and now
WXP). The W2K and the Linux PCs work flawlessly using this
configuration. The WXP has just started to work, thanks to you. Can
you explain more about the problem of a private address PC using a
public DNS server?

This means the following: DNS traffic (UDP port 53, and probably TCP port
53) could be filtered at two places: your personal ZoneAlarm firewall, and
your corporate firewall (the device which provides NAT/Proxy and allows you
to connect to the internet while having IP address from the private range).

I am actually a home user, I don't have a corporate firewall. But if I
understand correctly your intention, you are absolutely right: My
firewall explicitly allows both UDP and TCP port 53 traffic - but only
to the first nameservers listed in my original post (the ones provided
by my ISP).

My ZoneAlarm firewall is the free version, so it doesn't have
per-port/per-address filtering - only per-program. So, I believe the
only one that could be blocking DNS traffic to the 3rd and 4th listed
nameservers is my hardware firewall (please correct me if you notice
any mistake here).

You may be wondering why I placed 4 nameservers in my PCs' DNS
configuration. The reason is that my ISP's nameservers are not very
reliable and tend to change their IP addresses without notice. So I
thought I am somehow doing good by adding 2 more free public
nameservers that I know will always be there. Silly me - I forgot to
enable traffic to those two in my hardware firewall...

Start the console and type "nslookup", post output here. We'll try to see
what's blocking your traffic.

Are you still interested in the nslookup output? Please note that
interestingly enough, when the applications (browser, ping, email
client) failed to resolve hostnames on the internet, nslookup
continued resolving names without any problem...


Thank you so much again!
Driven Crazy by XP
(or maybe it's not XP, after all?)
 
Dmitry Korolyov

From the network configuration you provided, it seems that the device with
192.168.0.1 address is providing NAT functionality to your home network. I
believe it's your cable modem. I also believe that it has some firewall
functionality as well. If that is correct, you may even disable ZoneAlarm -
to evade some hard-to-troubleshoot problems caused by it blocking network
traffic. Of course, you'll need to verify your hardware firewall
configuration.

Using external DNS servers from within your network is possible, just not as
safe as it could possibly be, and not the best solution in terms of
performance. If you have at least two computers in your home network, you can
configure one of them as a DNS server, point all your machines to that DNS
server - and achieve some caching as well as security (since you'll need to
allow DNS traffic only from that server on your NAT/proxy - cable modem in
your case, not from entire network).
 
John Coutts

I am actually a home user, I don't have a corporate firewall. But if I
understand correctly your intention, you are absolutely right: My
firewall explicitly allows both UDP and TCP port 53 traffic - but only
to the first nameservers listed in my original post (the ones provided
by my ISP).

My ZoneAlarm firewall is the free version, so it doesn't have
per-port/per-address filtering - only per-program. So, I believe the
only one that could be blocking DNS traffic to the 3rd and 4th listed
nameservers is my hardware firewall (please correct me if you notice
any mistake here).

You may be wondering why I placed 4 nameservers in my PCs' DNS
configuration. The reason is that my ISP's nameservers are not very
reliable and tend to change their IP addresses without notice. So I
thought I am somehow doing good by adding 2 more free public
nameservers that I know will always be there. Silly me - I forgot to
enable traffic to those two in my hardware firewall...



Are you still interested in the nslookup output? Please note that
interestingly enough, when the applications (browser, ping, email
client) failed to resolve hostnames on the internet, nslookup
continued resolving names without any problem...


Thank you so much again!
Driven Crazy by XP
(or maybe it's not XP, after all?)
****************** REPLY SEPARATOR *******************
You do have a firewall! When used properly, a NAT router is an effective
firewall. A NAT router works by mapping IP and port numbers to its own set of
numbers. That way it knows where to send a particular packet when it is
returned from the Internet.

Let's say you make a DNS request on UDP port 1030 to port 53 on a remote DNS
server. The NAT router will map your private IP address to the public IP
address on your router, and UDP port 1030 to say 40030. When a response comes
back from the DNS server to port 40030, the NAT router recognizes that the
request actually came from your private IP and port 1030 and routes it
accordingly.

Because it can only respond to requests that are generated from behind the NAT
router, it has no way of routing requests from the outside world unless you
specifically tell it where those requests should go. For example, I have
several clients that run pcAnywhere behind a NAT router. I have to program the
router to direct any requests on the pcAnywhere ports to a particular private
IP address on the local network.

Running Zone Alarm in addition to a NAT router is again overkill. My experience
is that clients don't have a clue whether or not they should allow access on a
particular port when a message pops up, so they go ahead anyway. The external
NAT router doesn't allow you to do that, as it takes a little more effort and
knowledge to program the router.

J.A. Coutts
Systems Engineer
MantaNet/TravPro
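
The translation described in this post, as an added example that is not part of the original thread: a toy NAT table using the post's numbers (private port 1030 mapped to public port 40030 for a DNS query to 68.168.96.162). The public address 203.0.113.10, the outside host 198.51.100.7, the forwarding target 192.168.0.10 and TCP port 5631 for pcAnywhere are assumptions, as is the router checking the remote endpoint on inbound packets (common, but not universal).

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    public_ip: str
    next_port: int = 40030  # first public port handed out, as in the post
    # (proto, public_port) -> (private_ip, private_port, set of remote endpoints)
    mappings: dict = field(default_factory=dict)
    # (proto, public_port) -> (private_ip, private_port), programmed by hand
    forwards: dict = field(default_factory=dict)

    def outbound(self, proto, src, dst):
        """Translate a packet leaving the LAN; src and dst are (ip, port)."""
        for (p, pub_port), (ip, port, peers) in self.mappings.items():
            if p == proto and (ip, port) == src:
                peers.add(dst)  # same socket talking to another server
                return (self.public_ip, pub_port), dst
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[(proto, pub_port)] = (src[0], src[1], {dst})
        return (self.public_ip, pub_port), dst

    def inbound(self, proto, src, dst_port):
        """Return the private (ip, port) for an Internet packet, or None to drop it."""
        entry = self.mappings.get((proto, dst_port))
        if entry and src in entry[2]:
            return entry[0], entry[1]  # reply to a request made from inside
        # No matching request: only a hand-programmed forward lets it in.
        return self.forwards.get((proto, dst_port))


def demo():
    nat = NatRouter(public_ip="203.0.113.10")  # constructed public address
    pc = ("192.168.0.4", 1030)                 # the XP machine's query socket
    dns = ("68.168.96.162", 53)                # ISP DNS server from the thread
    outside = ("198.51.100.7", 4000)           # constructed Internet host
    results = {}
    results["translated"] = nat.outbound("udp", pc, dns)
    results["reply"] = nat.inbound("udp", dns, 40030)
    results["other_host"] = nat.inbound("udp", outside, 40030)
    results["unsolicited"] = nat.inbound("tcp", outside, 5631)
    # The pcAnywhere case: the router is told where that port should go.
    nat.forwards[("tcp", 5631)] = ("192.168.0.10", 5631)
    results["forwarded"] = nat.inbound("tcp", outside, 5631)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```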
 
XP is driving me crazy!

I don't know for sure, but I strongly suspect that "server" means that the
service opens a port in listening mode. This is the part you want to keep to a
minimum, as every open listening port is a potential backdoor to your computer
(as evidenced in the latest RPC problem).

From ZoneAlarm's Help:

A program acts as a server when it "listens" for connection requests
from other computers. Several common types of applications, such as
chat programs, e-mail clients, and Internet Call Waiting programs, may
need to act as servers to operate properly. However, some hacker
programs act as servers to listen for instructions from their
creators. ZoneAlarm prevents programs on your computer from acting as
servers unless you grant server permission.

So, you are correct - and this gets me worried: what on earth requires
listening on my PC? (I have already used XP Anti-Spy 3.72 to disable
all the spyware and backdoors that Microsoft decided to place on my PC
without my consent.)

BTW, I typed tasklist /svc at the command line and here are the relevant
lines about svchost.exe:

Image Name PID Services
============ ====== =============================================
svchost.exe 888 RpcSs
svchost.exe 980 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
EventSystem, FastUserSwitchingCompatibility,
helpsvc, lanmanserver, lanmanworkstation,
Netman, Nla, RasMan, Schedule, seclogon,
SENS, ShellHWDetection, srservice, TapiSrv,
TermService, Themes, TrkWks, uploadmgr,
winmgmt, WmdmPmSp, WZCSVC
svchost.exe 1104 Dnscache
svchost.exe 1160 LmHosts, RemoteRegistry, SSDPSRV, WebClient

Any guess what could have caused the DNS problem described in my
original posting?

DNS uses an available UDP port on your machine to make a request to port 53 on
the DNS server. You should not be running a DNS server.

How do I know whether I am running a DNS server on my XP or not?

Thanks,
Driven Crazy by XP
 
XP is driving me crazy!

Dmitry Korolyov said:
From the network configuration you provided, it seems that the device with
192.168.0.1 address is providing NAT functionality to your home network. I
believe it's your cable modem. I also believe that it has some firewall
functionality as well.

You are correct.

If that is correct, you may even disable ZoneAlarm -

I am not using ZoneAlarm for packet filtering. My hardware firewall
does it very well. I am using ZoneAlarm for APPLICATION filtering.
That is, I install a program that is not supposed to access the
internet and all of a sudden it tries to send "something" "somewhere"
on a legitimate port (allowed by my firewall). Who is going to block
it? Please explain, since I may have not understood your advice.

Using external DNS servers from within your network is possible, just not as
safe as it could possibly be,

Why is it not safe?

performance. If you have at least two computers in your home network, you can
configure one of them as a DNS server, point all your machines to that DNS
server - and achieve some caching as well as security (since you'll need to
allow DNS traffic only from that server on your NAT/proxy - cable modem in
your case, not from entire network).

Thanks for the tip. I will do that.

Driven Crazy by XP
 
XP is driving me crazy!

From the description of the problem, it sounds as if
the DNS client cache is getting incorrect entries.
Try stopping the DNS client service on the machine and test.
If the problem doesn't return, something is returning incorrect info
in the additional records section of DNS responses.

Well... I think I am zeroing-in on the problem: I just discovered an
important piece of information regarding why ZoneAlarm reports
svchost.exe as a server. The source IP that allegedly triggered
svchost.exe's listener is 68.168.96.162 !!!

Does that ring a bell? That's right - if you look at my original
posting, you'll see that it is the primary DNS server provided to me
by my ISP.

So, the big question that I have now is: Why on earth would my ISP's
DNS server initiate a connection with my svchost.exe? Is it possible
that my XP PC is acting as a DNS server unbeknownst to me? If so, how
do I turn it off?

You might want to use a network sniffer to see if that is the case.
You can use the netcap.exe utility found in the support\tools directory
of the XP CD to run a network trace while DNS queries are made.
This may shed some light on the problem.

Thanks for the tip. I didn't know about the existence of netcap.exe. I
will certainly try it.

Thank you!
Driven Crazy by XP
 
Dmitry Korolyov

One way how it could be not safe: imagine someone takes over an external DNS
server and starts responding to requests with fake or just incorrect data.
 
XP is driving me crazy!

At the Command prompt, type netstat -ano after a fresh start. This will tell
you which ports are in the listening mode, and a DNS server will have UDP port
53 and TCP port 53 open. The PID on the right hand side tells you the process

John, I just tried that and this is what I received:

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 888
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1041 0.0.0.0:0 LISTENING 1276
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1172
TCP 0.0.0.0:38292 0.0.0.0:0 LISTENING 216
TCP 127.0.0.1:1040 0.0.0.0:0 LISTENING 1276
TCP 127.0.0.1:1040 127.0.0.1:1041 ESTABLISHED 1276
TCP 127.0.0.1:1041 127.0.0.1:1040 ESTABLISHED 1276
TCP 192.168.0.4:139 0.0.0.0:0 LISTENING 4
TCP 192.168.0.4:1047 192.168.0.1:139 TIME_WAIT 0
TCP 192.168.0.4:1050 192.168.0.1:139 TIME_WAIT 0
TCP 192.168.0.4:1060 192.168.0.1:139 TIME_WAIT 0
TCP 192.168.0.4:1062 192.168.0.3:139 TIME_WAIT 0
UDP 0.0.0.0:161 *:* 1444
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 720
UDP 0.0.0.0:1026 *:* 1444
UDP 0.0.0.0:1027 *:* 1444
UDP 0.0.0.0:1053 *:* 1100
UDP 0.0.0.0:1054 *:* 1100
UDP 0.0.0.0:2968 *:* 1628
UDP 0.0.0.0:3289 *:* 1444
UDP 0.0.0.0:38037 *:* 216
UDP 127.0.0.1:1055 *:* 952
UDP 127.0.0.1:1900 *:* 1172
UDP 192.168.0.4:137 *:* 4
UDP 192.168.0.4:138 *:* 4
UDP 192.168.0.4:1900 *:* 1172


Now... according to this, I have no DNS server running (no port 53
**at all**, neither listening nor anything else!). So, now I am even
more baffled: I **know** I had to give svchost.exe server rights
because of requests from my ISP's DNS server on port 53. If I didn't
do that, I wouldn't have been able to post this very message I am
currently writing. :)

Any idea that can solve the mystery?

(and I haven't asked any question yet about those numerous connections
listed above which I have no clue where they are coming from...)

Thanks!
Driven Crazy by XP
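
The check discussed in this post (look for TCP or UDP port 53 among the open sockets and read the owning PID), as an added example that is not part of the original thread. The netstat lines are a subset of the output posted above; the PID-to-service map comes from the earlier tasklist /svc output, which was captured at a different time, so not every PID matches. Function names are illustrative.

```python
import re
from collections import defaultdict

# Subset of the netstat -ano output posted above.
NETSTAT = """\
  Proto  Local Address      Foreign Address    State        PID
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING    888
  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
  TCP    0.0.0.0:1025       0.0.0.0:0          LISTENING    980
  TCP    0.0.0.0:5000       0.0.0.0:0          LISTENING    1172
  TCP    127.0.0.1:1040     127.0.0.1:1041     ESTABLISHED  1276
  TCP    192.168.0.4:1047   192.168.0.1:139    TIME_WAIT    0
  UDP    0.0.0.0:1053       *:*                             1100
  UDP    0.0.0.0:1054       *:*                             1100
  UDP    127.0.0.1:1900     *:*                             1172
  UDP    192.168.0.4:137    *:*                             4
"""

# From the tasklist /svc output posted earlier (separate capture).
SERVICES = {888: "RpcSs", 1104: "Dnscache",
            1160: "LmHosts, RemoteRegistry, SSDPSRV, WebClient"}

LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse(text):
    """Return (proto, local_ip, local_port, state, pid) per socket line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # the header and blank lines do not match
            proto, ip, port, state, pid = m.groups()
            rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def listeners(rows):
    # TCP accepts new connections only in LISTENING. UDP is connectionless
    # and has no state column: any bound UDP socket can receive datagrams.
    return [r for r in rows if r[0] == "UDP" or r[3] == "LISTENING"]


def dns_listeners(rows):
    """Sockets a DNS server would hold open: local port 53, TCP or UDP."""
    return [r for r in listeners(rows) if r[2] == 53]


def exposed_by_pid(rows):
    """Group open sockets reachable from the network (not loopback) by PID."""
    out = defaultdict(list)
    for proto, ip, port, _state, pid in listeners(rows):
        if not ip.startswith("127."):
            out[pid].append(f"{proto}/{port}")
    return dict(out)


def label(pid):
    return SERVICES.get(pid, "unknown (not in the tasklist capture)")


if __name__ == "__main__":
    rows = parse(NETSTAT)
    print("port 53 sockets:", dns_listeners(rows) or "none")
    for pid, socks in sorted(exposed_by_pid(rows).items()):
        print(f"PID {pid:<5} {', '.join(socks):22} {label(pid)}")
```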
 
Ace Fekay [MVP]

In
XP is driving me crazy! said:
(e-mail address removed) (John Coutts) wrote in message



Go to www.foundstone.com and download (free) a tool called FPORT. Run that in
a command prompt and it will tell you every port the machine is listening on
and it will also tell you the exact executable that is doing the listening.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
XP is driving me crazy!

Ace Fekay said:
Go to www.foundstone.com and download (free) a tool called FPORT. Run that in
a command prompt and it will tell you every port the machine is listening on
and it will also tell you the exact executable that is doing the listening.

Thanks, Ace! I did that and received the following:

id Process Port Proto Path
888 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
980 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
0 System -> 1031 TCP
0 System -> 1032 TCP
4 System -> 1036 TCP
0 System -> 1039 TCP
0 System -> 1041 TCP
0 System -> 1044 TCP
0 System -> 1046 TCP
0 System -> 1048 TCP
0 System -> 1049 TCP
1120 -> 5000 TCP
2212 MsgSys -> 38292 TCP C:\WINDOWS\System32\MsgSys.EXE

0 System -> 137 UDP
0 System -> 138 UDP
888 svchost -> 161 UDP C:\WINDOWS\system32\svchost.exe
4 System -> 445 UDP
980 svchost -> 500 UDP C:\WINDOWS\System32\svchost.exe
4 System -> 1026 UDP
1120 -> 1027 UDP
0 System -> 1900 UDP
2212 MsgSys -> 2968 UDP C:\WINDOWS\System32\MsgSys.EXE
0 System -> 3289 UDP
4 System -> 38037 UDP

Anything wrong or suspicious that you can see there?

Thanks,
Driven Crazy by XP :)
 
Ace Fekay [MVP]

Great tool! Sometimes, it's hard to distinguish between what is good and not
with the output.

The two that I see that I'm not sure about are:

Under TCP:
1120 -> 5000 TCP
0 System -> 3289 UDP


I would have to research them. You can try Google.com and iana.net and
look up ports to find their services.

The MsgSYS one is Norton AV.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
