
Weird loopback problem

  • 14-12-2008 7:22am
    #1
    Closed Accounts Posts: 2,349 ✭✭✭


    Hey, trying to get some files off download.microsoft.com. I can access the microsoft site fine but the download.microsoft.com URL is coming back as 127.0.0.1, so I can't connect to it.

    I don't know if this is a DNS issue or what, there's no entry in my windows hosts file that would cause it.

    Could somebody please ping download.microsoft.com and get the IP for me please?


Comments

  • Registered Users Posts: 21,611 ✭✭✭✭Sam Vimes


    the ip i get is 213.199.149.192 but if i load that in FF or IE i just get a blank page.

    can you get to it through a proxy site like www.proxify.net?


  • Registered Users Posts: 21,468 ✭✭✭✭Alun


    I get the following ...
    C:\...\desktop>nslookup
    Default Server: dns1.cwm.dublin.eircom.net
    Address: 213.94.190.194

    > download.microsoft.com
    Server: dns1.cwm.dublin.eircom.net
    Address: 213.94.190.194

    Non-authoritative answer:
    Name: mscom-dlc.vo.llnwd.net
    Addresses: 87.248.212.40, 87.248.212.50
    Aliases: download.microsoft.com, download.microsoft.com.nsatc.net

    >

    Putting 127.0.0.1 in the HOSTS file is a ploy of a lot of trojans/viruses to stop you accessing Microsoft update and virus update sites. If you're absolutely 100% sure your HOSTS file is OK (double check it's not hosts.txt or some other misleading name you're checking) then I suppose it's possible they could also somehow poison your DNS cache or maybe even replace the DNS client service to achieve the same effect.

    Start up a command prompt and use nslookup and try the same site, and see what happens. Do an 'ipconfig /flushdns' first to make sure the cache is empty. Also try temporarily stopping the DNS client ('net stop dnscache') to see if that helps.

    Could you (or someone else) have accidentally blacklisted the site in a firewall or an ad blocker or something like that?


  • Registered Users Posts: 3,568 ✭✭✭ethernet


    Saw something similar yesterday. Windows Update wasn't working but it worked fine when I proxied. Also no relevant entries in etc\hosts that would affect it.


  • Registered Users Posts: 21,468 ✭✭✭✭Alun


    ethernet wrote: »
    Saw something similar yesterday. Windows Update wasn't working but it worked fine when I proxied. Also no relevant entries in etc\hosts that would affect it.
    Which could also possibly be explained by some kind of local interference in the DNS lookup process caused by malware. Clearing the DNS cache, and temporarily disabling the DNS client might help to pinpoint if this is the case. It'd be highly improper for a DNS server to return the loopback address, even if the lookup failed, although OpenDNS does return the IP address of its own site when a lookup fails instead of returning an error which can cause confusion to non-interactive processes that do DNS lookups rather than browsers.


  • Registered Users Posts: 21,611 ✭✭✭✭Sam Vimes


    Alun wrote: »
    If you're absolutely 100% sure your HOSTS file is OK (double check it's not hosts.txt or some other misleading name you're checking)

    good point. make sure it's the file C:\Windows\System32\drivers\etc\hosts and nothing else


  • Registered Users Posts: 21,468 ✭✭✭✭Alun


    Sam Vimes wrote: »
    good point. make sure it's the file C:\Windows\System32\drivers\etc\hosts and nothing else
    Yes, especially if you have the (default) option set to not display extensions in Explorer (one of the very first things I do on a new Windows install!).


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    There's some funky ass shizzznit going on here.
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.157: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.183: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.157: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.183: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.157: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.183: Timed out
    *** Default servers are not available
    Default Server:  UnKnown
    Address:  85.255.112.157
    
    > download.microsoft.com
    Server:  UnKnown
    Address:  85.255.112.157
    
    Non-authoritative answer:
    Name:    download.microsoft.com
    Address:  127.0.0.1
    

    1. The problem seems to be limited to my laptop.
    2. I am definitely looking at the right hosts file, and its default location hasn't been changed in the registry.

    I might just go for a reinstall, it's been a while....


  • Registered Users Posts: 21,468 ✭✭✭✭Alun


    grasshopa wrote: »
    There's some funky ass shizzznit going on here.

    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.157: Timed out
    DNS request timed out.
    timeout was 2 seconds.
    *** Can't find server name for address 85.255.112.183: Timed out

    Are those supposed to be DNS servers? If so, Eircom's DNS server doesn't know about either of them, and neither of them are pingable from the Eircom network either!!!! What ISP are you with? Have you maybe configured static DNS addresses on the laptop at some time in the past?
    C:\...\desktop>nslookup
    Default Server: dns1.cwm.dublin.eircom.net
    Address: 213.94.190.194

    > 85.255.112.157
    Server: dns1.cwm.dublin.eircom.net
    Address: 213.94.190.194

    *** dns1.cwm.dublin.eircom.net can't find 85.255.112.157: Server failed
    > 85.255.112.183
    Server: dns1.cwm.dublin.eircom.net
    Address: 213.94.190.194

    *** dns1.cwm.dublin.eircom.net can't find 85.255.112.183: Server failed
    > ^C
    C:\...\desktop>ping 85.255.112.183

    Pinging 85.255.112.183 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 85.255.112.183:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\...\desktop>ping 85.255.112.157

    Pinging 85.255.112.157 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 85.255.112.157:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    C:\...\desktop>


  • Registered Users Posts: 21,468 ✭✭✭✭Alun


    grasshopa wrote: »
    There's some funky ass shizzznit going on here.
    Indeed ...

    Did a DNS lookup on one of the addresses you appear to be using as DNS servers ... I think your DNS server configuration has been hijacked somehow, presumably by some kind of malware, unless you happen to be with a Ukrainian ISP which I doubt somehow !!!!!!!!!!!! EDIT: Google those addresses, and you'll discover you're probably not the first. Seems that a trojan called Wareout might be the culprit.
    % This is the RIPE Whois query server #3.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html
    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag.
    % Information related to '85.255.112.0 - 85.255.127.255'
    inetnum: 85.255.112.0 - 85.255.127.255
    netname: UkrTeleGroup
    descr: UkrTeleGroup Ltd.
    admin-c: UA481-RIPE
    tech-c: UA481-RIPE
    country: UA
    org: ORG-UL25-RIPE
    status: ASSIGNED PI
    mnt-by: RIPE-NCC-HM-PI-MNT
    mnt-lower: RIPE-NCC-HM-PI-MNT
    mnt-by: UKRTELE-MNT
    mnt-routes: UKRTELE-MNT
    mnt-domains: UKRTELE-MNT
    source: RIPE # Filtered
    organisation: ORG-UL25-RIPE
    org-name: UkrTeleGroup Ltd.
    org-type: LIR
    address: UkrTeleGroup Ltd.
    Mechnikova 58/5
    65029 Odessa
    Ukraine
    phone: +380487311011
    fax-no: +380487502499
    mnt-ref: UKRTELE-MNT
    mnt-ref: RIPE-NCC-HM-MNT
    mnt-by: RIPE-NCC-HM-MNT
    source: RIPE # Filtered
    person: Andrew Sotov
    address: Mechnikova 58/5 65029 Odessa
    abuse-mailbox: abuse@ukrtelegroup.com.ua
    phone: +380631508855
    nic-hdl: UA481-RIPE
    source: RIPE # Filtered


  • Closed Accounts Posts: 2,349 ✭✭✭nobodythere


    Bollox. Nice find. I'm with eircom and I have the same DNS servers as you according to my router.

    I've been using a trimmed down version of XP that passes WGA (I have a license though!) so I think that's why it loops back on download.microsoft.com (to avoid validation).

    Not bothered investigating I'm just gonna reinstall. Thanks for your help!
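
The three symptoms worked through in this thread (a HOSTS entry pinning a vendor site to 127.0.0.1, a resolver that is not the ISP's, and a loopback answer to a lookup) can be checked mechanically. The script below is an added example, not part of the original thread: the function names, finding labels and sample hosts entry are constructed, the /20 is the range shown in the whois output above, and the parser assumes Windows `nslookup` output in the comma-separated form posted here.

```python
import ipaddress
import re

# Range from the RIPE whois output quoted in the thread: 85.255.112.0 - 85.255.127.255
SUSPECT_NET = ipaddress.ip_network("85.255.112.0/20")

def hosts_redirects(hosts_text):
    """Return (name, ip) pairs where a non-localhost name is pinned to loopback or 0.0.0.0."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on any whitespace
        try:
            ip = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            continue                              # blank or malformed line
        if ip.is_loopback or ip.is_unspecified:
            hits += [(n.lower(), str(ip)) for n in fields[1:] if n.lower() != "localhost"]
    return hits

def triage_nslookup(output, expected_resolvers):
    """Flag an unexpected resolver, a resolver in SUSPECT_NET, and loopback answers."""
    resolver, answers, in_answer = None, [], False
    for line in map(str.strip, output.splitlines()):
        in_answer = in_answer or line.startswith("Name:")
        m = re.match(r"Address(?:es)?:\s*(.+)", line)
        if m:
            ips = [ipaddress.ip_address(p.strip()) for p in m.group(1).split(",")]
            if in_answer:
                answers += ips                    # addresses after "Name:" are the answer
            elif resolver is None:
                resolver = ips[0]                 # first address before it is the server
    findings = []
    if str(resolver) not in expected_resolvers:
        findings.append("unexpected-resolver")
    if resolver is not None and resolver in SUSPECT_NET:
        findings.append("resolver-in-suspect-range")
    if any(a.is_loopback for a in answers):
        findings.append("loopback-answer")
    return findings

# Constructed hosts file; the lookup text is the transcript posted in the thread.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1\tdownload.microsoft.com  # constructed entry\n"
SAMPLE_LOOKUP = ("Server:  UnKnown\nAddress:  85.255.112.157\n\n"
                 "Non-authoritative answer:\nName:    download.microsoft.com\nAddress:  127.0.0.1\n")

if __name__ == "__main__":
    print(hosts_redirects(SAMPLE_HOSTS))
    print(triage_nslookup(SAMPLE_LOOKUP, {"213.94.190.194"}))
```

Pass the resolver addresses your router or ISP actually hands out as `expected_resolvers`; a clean lookup through one of them returns an empty list.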

