ping returns wrong address

Meshman333 used Ask the Experts™
I'm still having a time with this...  

C:\Users\twilson>nslookup data1


C:\Users\twilson>ping data1

Pinging [] with 32 bytes of data:
Reply from bytes=32 time=27ms TTL=121
Reply from bytes=32 time=27ms TTL=121

This is driving me crazy.  If I can do an nslookup on this address why do I get the IP of when I ping it?  If I ping DATA2 (which doesn't exist) it returns the same strange address yet there are other servers on the network I can ping and lookup just fine.  The DNS servers are set for our internal DNS servers which are pingable and working from what I can tell.

Why do I keep getting this address from ping when nslookup gives me something different?

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Is there an @ or  * entry in DNS?
What happens if you tracert or pathping to

Oh and check your
C:\windows\system32\drivers\etc\hosts file to make sure there isn't a static map to that device.

Also, what does route -print show you?
Todd GerbertIT Consultant
Top Expert 2010
Aside from the hosts file already mentioned, are you certain that the only DNS servers in your computers configuration are internal Active Directory servers (i.e. you don't have your internal DNS servers plus a DNS server provided by your ISP)?
When you use nslookup it always queries the first DNS server listed.
When an application, like ping, needs to resolved a name it might use any one of the DNS servers that have been configured (Windows won't necessarily always start at the top of the list and work it's way down) - and if one them is your ISP's server it might be returning the IP address of a search page instead of responding with host unknown.  And once your system has "successfully" resolved data1 to that IP address it'll remember that address and won't attempt to query any DNS server for that name again (until the time-to-live for that DNS record has expired, anyway).
Try running the command ipconfig /flushdns - any change?
OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.


I left to solve another problem for a half hour and now everything resolves fine.  I can't say the issue is resolved because this happens on an off every day.  Bear with me as I play with this some more.  When I see this behavior again I'll try the things mentioned here.  

What I do know is our root domain ( is not owned by us.  That weird IP that's being returned is the address of some other server on the Internet.  I know, it's a total screwup but that's how I found it (it wasn't me!!).  I'd think this has something to do with it but the behavior here is that any unresolved request seems to get forwarded to the forest root.  What I'm trying to resolve at the moment is why those requests (like ping) aren't being sent to the host specified.

I'll continue to poke around our DNS and will be back.Thanks!
Most likely there is another server registering with DNS using that domain, probably an un-flushed DNS entry. You will need to contact the DNS admins and explain the issue, they will be able to track it down and delete the offending stub if they are competent.
Top Expert 2012
Could be a wildcard record in DNS. Or DNS Suffixes causing the issue since it is appending the domain suffix


"Try running the command ipconfig /flushdns - any change?"

It fixes the problem every time but re-occurs at a later time.

I think I found it.  2 NS records in our DNS that refer to servers now offline and demoted.  I'll assume the problems is solved.  Thanks a lot to all...

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial