Re: DNS page error with Windows Update

From: Robert Aldwinckle (robald_at_techemail.com)
Date: 02/28/04


Date: Sat, 28 Feb 2004 03:56:54 -0500


> Pinging www.microsoft.com resolves on www2.microsoft.akadns.net
> 207.46.144.188 or 207.46.245.214 and times out.
>
> nslookup www.microsoft.com gives
> name : www2.microsoft.akadns.net
> Addresses: 207.46.144.222, 207.46.156.220, 207.46.156.252,
> 207.46.245.92, 207.46.245.156, 207.46.249.252, 207.46.250.222,
> 207.46.250.252
> Aliases: www.microsoft.com, www.microsoft.akadns.net

Rod,

There is an inconsistency in those two results which makes
me suspicious that you haven't cleaned out your HOSTS file
even though you think you have. Otherwise how would ping
be getting a different address than the DNS is returning?
(Assuming that those two displays were taken at roughly
the same time?)

Actually I suppose one alternate possibility is that the secondary
DNS address might have been used by the lookup for the ping
and the secondary DNS has a different set of aliases than the
first. You could check that possibility by forcing nslookup to use
the secondary DNS address (either via the command line's
second argument or with various of nslookup's interactive commands).

If you do have HOSTS entries they may show up with these commands:

    ipconfig /displaydns >displaydns.txt
    notepad displaydns.txt

Are there any signs of those addresses in there?
Is localhost in there?

(Perhaps after a reboot. I don't know when the HOSTS entries
are reloaded into dnscache after you have flushed them.
However, I seem to recall seeing on the fly changes I made
to HOSTS there; so it may be quite dynamic. In fact, maybe
flushing would ironically be a way of loading the HOSTS entries.
Can you experiment please? I don't use HOSTS myself any longer.)

As an alternative you could temporarily dispense with both
the dnscache and HOSTS:

    net stop dnscache

and rename HOSTS

There is a known Trojan called (I think) QHosts which supposedly
hides the HOSTS file in a different directory. You say you tried checking
for malware. Have you tried investigating this particular problem?

Do a Google search about this FAQ please, often referenced
on IE6 Browser NG, if nowhere else.

I just searched for Subject: Qhosts in my IE6.Browser cache.
Here's an extract from a post by siljaline for some links:

http://software.brown.edu/dist/w-cleanqhosts.html
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

HTH

Robert

---
"RodrYguez" <rodryguez@free.pq> wrote in message
news:pn5u305ffgokjlts9or4q8fqkq4tk2nu17@4ax.com...
> Hi,
>
> I have been scratching my head on it since the 12th of February. This
> is really odd. New elements have occurred, please read to the end.
>
> I'm using Win XP Pro SP1.
>
> I can't connect on any address beginning with www.microsoft.com at
> all, but all other websites are ok.
>
> When trying to access www.microsoft.com (and all its derived
> forms), I get a DNS page error, but I can access support.microsoft.com
> and every other website. Also http://windowsupdate.microsoft.com
> works but
> http://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x040c&pver=6.0&ar=ienews&os=N6
> doesn't work.
>
> Norton Antivirus, Trojan remover, AdAware, PestPatrol and Spybot (all
> with the very last definitions) and even the Mydoom Worm Removal Tool
> Version 3.0 made by Microsoft did not spot anything at all. No
> infection is detected.
>
> The HOSTS file is clean (only has 127.0.0.1 localhost), renaming it to
> OLDHOSTS doesn't solve anything
>
> Pinging www.microsoft.com resolves on www2.microsoft.akadns.net
> 207.46.144.188 or 207.46.245.214 and times out.
>
> nslookup www.microsoft.com gives
> name :  www2.microsoft.akadns.net
> Addresses:  207.46.144.222, 207.46.156.220, 207.46.156.252,
> 207.46.245.92, 207.46.245.156, 207.46.249.252, 207.46.250.222,
> 207.46.250.252
> Aliases:  www.microsoft.com, www.microsoft.akadns.net
>
> Cache has been severally flushed without any success.
> Internet Explorer Temporary Internet Files folder has been emptied as
> well.
>
> Registry settings under HKLM\Software\Microsoft\Internet Explorer
> have been compared with another computer and are strictly the same.
>
>
>
>
> Now I have tried the following test : if I use a *direct connection*
> via  A4proxy hearing 127.0.0.1 on port 8080, everything works ok.
> So what is this damn huge mystery ?
>
> The most odd thing is this : the connection to addresses beginning with
> www.microsoft.com seems to work *randomly* depending on the opened
> window of IE ! Let me explain : If you open, for example, 15 windows
> of IE, and try to connect to www.microsoft.com within every one, one
> window will always be able to connect (you could try connecting as
> much as you want, it works) while all others won't.
>
> Please help.
>
> Thanks,
> Rod
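
The check suggested in the reply above (an address used by ping that is absent from the nslookup answer points either at a HOSTS entry or at a different DNS server), written out as an added example that is not part of the original thread. The function names and the tampered HOSTS text are constructed for illustration; the addresses are the ones quoted in the thread.

```python
import ipaddress

# Addresses quoted in the thread.
NSLOOKUP_ADDRS = ["207.46.144.222", "207.46.156.220", "207.46.156.252",
                  "207.46.245.92", "207.46.245.156", "207.46.249.252",
                  "207.46.250.222", "207.46.250.252"]
PING_ADDR = "207.46.144.188"

CLEAN_HOSTS = "127.0.0.1 localhost\n"            # as the poster describes it
TAMPERED_HOSTS = (                                # constructed sample
    "# constructed HOSTS content\n"
    "127.0.0.1   localhost\n"
    "207.46.144.188  WWW.Microsoft.com   # constructed entry\n"
)

def parse_hosts(text):
    """Parse HOSTS-file text into {lowercased name: [addresses]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # malformed line, skip
        for name in fields[1:]:                   # one line may carry several names
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def classify(name, ping_addr, dns_addrs, hosts_text):
    """Say whether a HOSTS entry explains a ping/nslookup disagreement."""
    ping_addr = str(ipaddress.ip_address(ping_addr))
    dns = {str(ipaddress.ip_address(a)) for a in dns_addrs}
    if ping_addr in dns:
        return "consistent"                       # ping used an address DNS returned
    pinned = parse_hosts(hosts_text).get(name.lower().rstrip("."), [])
    if ping_addr in pinned:
        return "hosts-override"                   # a HOSTS entry supplied the address
    return "resolver-mismatch"                    # not HOSTS: query the secondary DNS next

if __name__ == "__main__":
    for label, hosts in (("clean", CLEAN_HOSTS), ("tampered", TAMPERED_HOSTS)):
        print(label, classify("www.microsoft.com", PING_ADDR, NSLOOKUP_ADDRS, hosts))
```

Feed it the text of whichever HOSTS file the resolver is actually reading; a copy relocated to another directory will not show up if only the default file is checked.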