There are various references (such as DNS can't resolve hostname; nslookup can or https://web.archive.org/web/20160525082756/http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/nslookup-flaws.html or https://web.archive.org/web/20121113214415/http://cbfive.com/blog/post/PING-vs-NSLookup.aspx) that state the following or something similar, but don't give suggestions for alternatives to use:
The reason ping can't resolve the hostname but nslookup can is because nslookup a low-level tool that bypasses the Windows DNS client. It uses whatever DNS server you tell it to (the first one by default), and does the query on the fly.
My question is, how can I manually test the DNS Client to check an SRV record? Is there a way to see the DNS information it tries to use? I can't put Wireshark on every servers in every environment, so I am looking for another way to troubleshoot. I presume the answer is "no", otherwise why would we use nslookup (flawed as it is). Obviously I can't use ping for an SRV record.
Edited with updated findings: The UDP queries are too long, so DNS response with the truncate flag gets sent to the client, so a TCP query needs to be made. The next packet after the TCP DNS query is (from TargetDNS to client): "TCP segment of a reassembled PDU" (which looks like it contains response info), and then is different depending on the scenario:
- Nslookup query - with the nslookup query there is actually a DNS response packet with the information
- ApplicationX (which I believe uses Windows DNS Client) - Windows DNS client query, there is no DNS response packet (i.e. like the other TCP packet has been lost)
- There is nothing in the DNS cache (ipconfig /displaydns) or on the Client DNS server cache for the SRV record (not even a negative).
It proves, unsurprisingly, the DNS client and nslookup get different results but exactly what are they doing differently (discounting hosts, lmhosts, appending DNS search suffixes, etc)? They are using the same DNS servers (as evidenced by Wireshark). How can I narrow down where the fault lies?