Why is 'ping' unable to resolve a name when 'nslookup' works fine?

146

62

On my Windows XP workstation, I can find the machine I want to connect to in DNS with nslookup:

nslookup wolfman
Server: dns.company.com
Address: 192.168.1.38

Name: wolfman.company.com
Address: 192.168.1.178

But, when I try to connect to that machine, I get an error telling me that the machine can't be found (i.e., can't be looked up in DNS):

C:\> ping wolfman
Ping request could not find host wolfman. Please check the name and try again.

I am able to connect if I use the IP address directly:

C:\> ping 192.168.1.178

Pinging 192.168.1.178 with 32 bytes of data:

Reply from 192.168.1.178: bytes=32 time=41ms TTL=126
Reply from 192.168.1.178: bytes=32 time=41ms TTL=126
Reply from 192.168.1.178: bytes=32 time=44ms TTL=126
Reply from 192.168.1.178: bytes=32 time=38ms TTL=126

I could work around this by adding an entry to my hosts file, but I would rather find out why this is happening. The problem is transient, most of the day I can connect to the machine just fine.

How is this possible?

ETA: I left this out for brevity, but it was asked for:

C:\> ping wolfman.company.com
Ping request could not find host wolfman.company.com. Please check the name and try again.

ETA: Other applications get the same results. I only tried ping to simplify. telnet can't connect, Cygwin apps print a "unknown host wolfman" message.

Update: Using wireshark, I found that my workstation is not attempting a DNS lookup. It's just reporting the "could not find host" error message.

skiphoppy

Posted 2012-10-29T19:11:22.940

Reputation: 2 193

Is this only happening on this one computer? Can you visit websites through your web browser? Is this machine by any chance an Acer? Is this a brand new install on a machine? Was it recently updated? What Service Pack of XP are you running? I have had this happen before and re-installing SP3 fixed it. – Keith – 2012-11-20T18:28:57.620

Been banging my head against this issue so thought I would post a quick comment in case someone else has it. After trying all solutions posted on a Re-Installation of Windows 10 which had to be done due to power problems and inaccessible boot device I eventually found the computer name had somehow been unset - set this back and viola everything works.. – l0ft13 – 2015-11-19T08:49:30.570

I'm using windows 7 on GCE which isn't a fully support OS and noticed that hardcoding 169.254.169.254 and 8.8.8.8 as the secondary DNS fixes this problem. Leaving it to use DHCP to get the dns does add 169.154.169.254 but for whatever reason the OS still fails when using ping, telnet, browsers, etc. – sabujp – 2018-08-26T18:19:41.880

I know this is old but I've been experiencing the same on our network with Win7 and Win10 using AD. Can't restart the DNS client service - it's greyed out. Tried a flushdns to no avail. Then I disabled IPv6 on my client and all was happy in WindowsLandia. – Dacid Salin – 2018-12-19T01:14:03.090

You could add a default DNS suffix for .company.com. – billc.cn – 2012-10-29T20:25:03.340

@billc.cn I already have that DNS suffix. – skiphoppy – 2012-10-30T16:35:37.430

What I think's happening is that ping isn't looking up the FQDN of the host, unlike nslookup which uses the search domain parameter of a DHCP offer (or whatever you specify for a static IP configuration). Confirm this by doing what @SLaks has said and pinging the FQDN of the host :) – jackweirdy – 2012-11-19T17:57:09.883

1

Possible duplicate of: http://superuser.com/questions/220471/dns-resolution-issue-nslookup-works-but-web-ping-doesnt

– Der Hochstapler – 2012-11-19T17:57:37.867

What happens when you run ping -4 wolfman? – Der Hochstapler – 2012-11-19T18:00:05.053

Sorry, @jackweirdy, but I already did that, and the result is reported in the question. Also, today I saw this problem with another host, and that host was specified with the FQDN. – skiphoppy – 2012-11-19T19:10:54.647

What is the output of nslookup -all? – craig65535 – 2012-11-19T19:31:00.383

Also try ipconfig /flushdns and then ping again. – craig65535 – 2012-11-19T19:32:32.637

are you running these tests on wolfram or on another machine? – jackweirdy – 2012-11-19T19:58:54.137

@jackweirdly on another machine. – skiphoppy – 2012-11-20T16:34:39.097

Are you running WINS in your network? if so try running nbtstat -RR on the wolfman computer and nbtstat -R on the computer you are trying to connect from. – Winter Faulk – 2012-11-20T18:49:35.930

Answers

107

I believe that nslookup opens a winsock connection on the DNS port and issues a query, whereas ping uses the DNS Client service. You could try and stop this service and see whether this makes a difference.

Some commands that will reinitialize various network states :

Reset WINSOCK entries to installation defaults : netsh winsock reset catalog
Reset TCP/IP stack to installation defaults : netsh int ip reset reset.log
Flush DNS resolver cache : ipconfig /flushdns
Renew DNS client registration and refresh DHCP leases : ipconfig /registerdns
Flush routing table : route /f (reboot required)

harrymc

Posted 2012-10-29T19:11:22.940

Reputation: 306 093

I just set up a DNS server on my LAN, and I was trying to set up a VM to host a website. NSlookup worked for the hostname, but ping would fail. Flushing the DNS resolver cache worked for me! – Kirkland – 2015-01-31T21:20:03.090

I suspect that for a short name or internal name, the DNS Resolver asks for a quad A record (an IPv6 address). If it is not found on the internal DNS, it will be fowarded to the root servers where they'll return invalid name. The DNS server will cache the bad result. I suspect a MS DNS server would return the IPv4 address for the IPv6 address. Or will use the NetBIOS name. Workaround for me is to disable IPv6 internally. – The Dude – 2015-05-29T15:16:47.687

1What was missing for me in this answer was ipconfig /registerdns (I've elaborated in my answer below) – Mick Halsband – 2015-06-04T08:28:45.187

ipconfig /flushdns helped in my case. – Legends – 2016-04-22T21:52:41.633

This happens to me on periodic basis. I noticed this happens when the computer goes to sleep and comes back again. Could it be that the DNS/AD server is not properly configured? – gappani – 2017-04-20T11:13:43.887

use "route /f" with caution! It has just ruined my life!!! – Subliminal Hash – 2017-04-20T15:49:40.373

1I would bet Active Directory is probably active, but I do not know how to test. – skiphoppy – 2012-11-20T14:51:14.003

11I disabled the DNS Client service, and the problem appeared to go away! Not sure yet if it was a fluke. The problem didn't come back when I restarted the service. – skiphoppy – 2012-11-20T14:55:16.673

6Sometimes just stopping and restarting the service fixes DNS problems (don't ask me why). The question is how long this will last. Some unlucky people need to repeat it again and again. – harrymc – 2012-11-20T16:06:24.713

Yes, if that's the case, I want to know why! I am going to try this the next time the problem occurs. If it appears to fix it then, I'm going to drag in IT admins from the main corporate office and get them to tell me why. :) And you'll get the bounty if that appears to be the fix. – skiphoppy – 2012-11-20T16:36:10.323

1sfc /scannow in case the dns client service system files are corrupt subtly? I've also seen some people with similar problems caused by a virus. – Jon Kloske – 2012-11-26T05:27:05.537

33

Try ping with hostname followed by a dot. So instead of ping wolfman use ping wolfman.

That should get you resolving without having to do workarounds with hosts file, etc.

Senthil

Posted 2012-10-29T19:11:22.940

Reputation: 331

wow, this worked for me as well. My guess is that something expects a domain name which is not configured – user1190 – 2016-08-10T20:46:40.887

OK, this works ... why? – Daniel B. – 2016-09-08T02:00:00.487

3any suggestions why this is working and how to rather use locally names without trailing dots? – Ruberoid – 2017-03-06T20:01:07.787

Thanks - this worked for me but would also know why this would be working – Frank Fu – 2017-05-01T00:09:02.703

2

@Ruberoid Please see my answer for how to do this automatically.

– Frederik Aalund – 2017-10-09T11:54:11.497

17

Try ipconfig /displaydns and look for wolfman. If it's cached as "name does not exist" (possibly because of a previous intermittent failed lookup), you can flush the cache with ipconfig /flushdns.

nslookup doesn't use the cache, but rather queries the DNS server directly.

craig65535

Posted 2012-10-29T19:11:22.940

Reputation: 230

I tried: it's not cached. And clearing the cache doesn't fix the issue, either. – skiphoppy – 2012-11-20T14:46:14.923

Can you post the output of nslookup -all? Is novc listed? – craig65535 – 2012-11-20T18:22:19.507

14

Try adding . to the DNS suffixes for that connection. I.e, go to:

  1. Ethernet Status
  2. Click Properties
  3. Internet Protocol Version 4
  4. Click Properties
  5. Click Advanced
  6. Append these DNS suffices (in order)
  7. Add . as a suffix.

The same steps are illustrated in the following screenshot:

This should make ping wolfman work.

Explanation

nslookup wolfman (name server lookup: wolfman) sends the hostname (wolfman) to the DNS (domain name system) to obtain the corresponding IP address. This is the sole purpose of the nslookup command. This works already, so we have verified that the DNS works and that wolfman indeed corresponds to an IP address.

In contrast, ping wolfman needs to do two things:

  1. Get the IP that the hostname (wolfman) corresponds to.
  2. Send packets to the IP and listen for the response

On Windows (even recent versions such as Windows 10), the first step can easily fail. For the sake of backwards compatibility, Windows supports various methods of hostname resolution (hosts file, DNS, NetBIOS/WINS, LMHOST file).

Unfortunately, it seems that Windows' ping command doesn't always attempt a DNS lookup. I don't know the specific conditions that triggers this behaviour.

Fortunately, we can force Windows to do a DNS lookup by using a FQDN (fully qualified domain name). In practice, we do this by suffixing a . dot to the hostname: wolfman.. Try ping wolfman. and verify that it works.

The final step is to force Windows to append this dot itself. I've already shown how to do this in the beginning of this answer.

Frederik Aalund

Posted 2012-10-29T19:11:22.940

Reputation: 241

Just want to say that this turned out to be the factor that succeeded on a machine I was working on. Stupid though it seems. And not just for ping, but for other applications too. I'm not sure your explanation of what's tried when is quite right (but you acknowledge you're uncertain on that). But a big plus for mentioning that this failure can be easily diagnosed by attempting ping with the domain name with a dot suffix manually added. – gwideman – 2018-06-28T09:55:34.693

This doesn't make sense. You're positing that, "Windows' ping command doesn't always attempt a DNS lookup," but then recommend changing how DNS lookups are performed to solve that? It seems more likely that ping is performing a DNS lookup(s) but is doing them incorrectly, and that's why this fix works. – I say Reinstate Monica – 2019-01-14T13:57:08.000

@TwistyImpersonator I understand your confusion. The point is that Windows will attempt several methods of hostname resolution if given wolfman and a DNS lookup is (apparently) not a top priority among said methods. Now, if you use wolfman. instead, Windows will prioritize a DNS lookup over the other methods because wolfman. is a FQDN that (obviously) requires a DNS lookup.

– Frederik Aalund – 2019-01-14T14:24:00.947

So I think you're saying if ping got to the point of doing a DNS lookup in the course of its normal lookup workflow, it would work. However, ping should end up trying DNS if the other lookup methods don't return an answer, implying the reason ping fails on its own is because another method it's trying before DNS is returning an answer. That explanation doesn't fit the fact of ping not being able to find the host though. – I say Reinstate Monica – 2019-01-14T16:58:43.547

@TwistyImpersonator "So I think you're saying if ping got to the point of doing a DNS lookup in the course of its normal lookup workflow, it would work": Yes. "However, ping should end up trying DNS if the other lookup methods don't return an answer, implying the reason ping fails on its own is because another method it's trying before DNS is returning an answer": Apparently not. Maybe ping just gives up after trying a couple of methods. Maybe ping gives up after a timeout. Maybe ping never tries a DNS lookup because it thinks the hostname is not DNS-like. – Frederik Aalund – 2019-01-14T19:41:46.423

I have the exact same issue, I tried this solution and it doesn't work. ping router doesn't work, ping router. does work. When I do nslookup I can see Default Server: router with its address in the output. I have no problem on Linux but the issue is the same on all Windows 10 desktops. Also, if I do a nslookup with debug set to yes, I can see 2 answers for router, one being type = A and the other one being type = AAAA. The flags are identical but answers = 0 for the AAAA while answers = 1 for the A type. I don't know if that makes any sense. – dnLL – 2019-01-16T08:14:42.360

13

nslookup works different to other commands when resolving names/ip addresses on Windows.

The normal resolution method on Windows is as follows:

  1. The client checks to see if the name queried is its own.
  2. The client then searches a local Hosts file, a list of IP address and names stored on the local computer.
  3. Domain Name System (DNS) servers are queried.
  4. If the name is still not resolved, NetBIOS name resolution sequence is used as a backup. This order can be changed by configuring the NetBIOS node type of the client.

nslookup on the other hand is used for testing Domain Name Servers.

Bryan

Posted 2012-10-29T19:11:22.940

Reputation: 1 563

4Are there any settings that can move the NetBIOS query higher up in that list? I have the gut feeling that the NetBIOS lookup is involved somehow, but since the DNS query is definitely working I can't see how it would ever get to that step, if the sequence above is immutable. – skiphoppy – 2012-11-20T14:49:26.817

8

I've struggled with a similar issue and have tried the solution suggested by @harrymc. I found what eventually seems to (at least somewhat) work at the microsoft technet forum (nslookup works but nothing else has DNS on standalone Win7 PC)

Here's the quote:

... try to use the command below to flush and reset a client resolver cache for test.

ipconfig /flushdns

ipconfig /registerdns

Please refer to the link below for more details. http://jefferyland.wordpress.com/2011/07/28/quick-review-of-flushdns-registerdns-and-dns-queries/

So basically what was missing for me was ipconfig /registerdns

Mick Halsband

Posted 2012-10-29T19:11:22.940

Reputation: 531

1original answer by @harrymc now reflects the missing /registerdns command – Mick Halsband – 2015-06-29T10:35:28.017

I've been playing whack-a-mole with this issue on Win10 for about a year. When my laptop wakes up it can't find any corp servers, but external sites like microsoft.com do work. It seems to happen when changing WiFi networks (home/VPN vs office). flushdns solves the issue sometimes but not always. Today I tried the registerdns and that immediately corrected the problem. Tomorrow I'll try adding . to the end of a name (but ping already fails with FQDN for internal servers). It's very frustrating. And to top it off - if I wait a while the problem will resolve itself. – ripvlan – 2018-08-14T13:51:22.433

6

Just today we had the same issue, but the solution was different. So I thought, I'd add it for reference as this was the top most search result.

  • Problem: ping will not resolve a host name, but nslookup can. (Observed on 2 different Windows Server 2012 R2 hosts.)
  • Cause: (For each host) The host has more than one NIC connected and there are multiple default gateways configured.
  • Solution: (For each host) Remove default gateway from configuration of all NICs but one, so there reamains only one default gateway.

djlauk

Posted 2012-10-29T19:11:22.940

Reputation: 61

ah this did it for me. Perfect. – IAmTheSquidward – 2016-01-26T00:39:38.923

Short and simple – Frank Fu – 2018-03-12T11:37:41.747

5

Maybe wolfman.company.com is listed in C:\Windows\system32\drivers\etc\hosts ?

nslookup bypasses that file and always asks DNS, while ping and other tools first of all look up in "hosts" file, then in DNS.

Mikhail Kupchik

Posted 2012-10-29T19:11:22.940

Reputation: 2 381

Good thought! But I checked, and neither of the machines I've seen this issue with are listed in hosts. – skiphoppy – 2012-11-20T14:47:25.263

5

I had the same problem on a Windows 2012R2 (=8.1) system, and tried all the above suggestions, but none of them would fix it:
- Pinging the fully qualified name worked.
- Pinging the unqualified name did not.
- Both worked on several other systems, that had the same OS and apparently the same configuration.
- All the necessary suffix search strings were there.
(Note that some of the proposed fixes, like the workaround for the multi-label queries, are obviously irrelevant, as the unqualified name has only one part.)

Then I noticed that the target system I was trying to ping did NOT have an IPv6 address. So I tried "ping -4 unqualified_name", and bingo! this worked.
So for some reason, on this system only, ping only tried to resolve unqualified name->IPv6 address, and not unqualified name->IPv4.
For me the fix was to disable IPv6 completely as I don't need it at all. But I'd be really interested to find a more gentle way to tell ping (or presumably the DNS client service) to try resolving both IPv4 and IPv6 addresses.

Jean-François Larvoire

Posted 2012-10-29T19:11:22.940

Reputation: 51

3

I was trying to figure out why on one win 7 computer I can use ping server which works, and the other it can't resolve server. However both could ping server.lan which I didn't quite understand.

Turns out I had messed with some settings (DNS suffixes) to not have to use FQDNs while using the work VPN. I had to go add my local .lan to those suffixes in order to get both computers acting the same.

Go to Control Panel > Network and Internet > Network Connections and right click on your network connection and hit Properties. Click Internet Protocol Version 4 and hit the Properties button. Then the Advanced... button in this new window. Go to the DNS tab, this is where I had added a DNS suffix for my work but also needed one for my normal home connections.

Advanced TCP/IP Settings

eresonance

Posted 2012-10-29T19:11:22.940

Reputation: 203

I ran into a similar situation on a server with a static IP address. The first entry in the "Append these DNS suffixes" was blank AND the "DNS suffix for this connection" was blank. Other servers where it worked had the same blank "Append these DNS suffixes" BUT the "DNS suffix for this connection" populated. – Tim Lewis – 2016-04-07T17:29:42.010

2

I came across this issue as well. The "easiest" way to fix it for me was to simply add a . to the end of the hostname. However this is rather annoying. Most networks don't require this. I'd rather not have to tell everyone else on the network to do this when they need to access the same resource.

I was looking at the suggestion from Frederik Aalund as a possible solution and noticed that they suggested switching from the default "Append primary and connection specific DNS suffixes" option. This made me think maybe my network was simply slightly missconfigured.

Looking at my DD-WRT settings, the "LAN Domain" was left unset. Setting that to an arbitrary string seems to have fixed this issue for all clients on my network without having special configuration on each machine, the solution I wanted! :)

Cameron Tacklind

Posted 2012-10-29T19:11:22.940

Reputation: 211

1

I might be wrong on this because its based on my long-forgotten NT4 ressource-kit days.

As fare I can recall PING uses Netbios/WINS and DNS (in that order, at least if you don't specify a FQDN).

WINS is gone many year ago but you might still have Netbios enabled on your interface and PING therefore might use netbios that might not give you any result. Especially if traffic is passing a router somewhere.

Just disable Netbios and Ping will use DNS as first priority and append the registered DNS Surffic on the interface to your hostname.

MrCalvin

Posted 2012-10-29T19:11:22.940

Reputation: 180

1

Adding an entry in the file c:/windows/system32/drivers/etc/hosts might fix it.

Manoj Agarwal

Posted 2012-10-29T19:11:22.940

Reputation: 203

That will fix it, but it will not resolve his issue on that machine, but it will not help him on other machines. Remember Hosts > DNS Resolver > DNS Server > NetBIOS name. – The Dude – 2015-05-29T15:10:01.487

1

i have encountered this when we migrated to windows 7 from windows XP, the issue was related to a Windows 7 Multi Label DNS Query issue.

Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries - see:

http://computerstepbystep.com/allow_dns_suffix_appending_to_unqualified_multi_label_name_queries.html

Hope this helps

Sony NS

Posted 2012-10-29T19:11:22.940

Reputation: 11

2

Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.

– Canadian Luke – 2014-03-21T17:40:30.300

1

If on mac os x it might be an DNS Cache problem:

Dump the cache

sudo killall -HUP mDNSResponder
sudo dscacheutil -flushcache

Christian

Posted 2012-10-29T19:11:22.940

Reputation: 205

OP asks about Windows XP and question is tagged Windows. – P-L – 2017-10-20T15:38:43.430

Maybe it is helpful to others. I will leave it, the answer was here now for more than 3 years. Why delete now? – Christian – 2017-10-24T11:12:18.217

1

I'm picking this up because it bothered me the last year and maybe I found a workaround.

For me it seemed some dns-caching-system within the windows client is faulty. Windows 7 and 8.1 are affected by this... cannot say much about Windows XP anymore. ping doesn't resolve the name. it's not the icmp-part which is important but the name resolving part). nslookup is designed to query the nameserver and does exactly that and no windows name-hierarchy-resolving.

Restarting the dnscache service helped everytime. But since I disabled IPv6 on all client-interfaces the problem didn't occured anymore.

Cheers!

grim

Posted 2012-10-29T19:11:22.940

Reputation: 11

Disabling IPv6 may not be a viable solution for everybody (and it sounds anecdotal at best, anyway). Everything else you say seems to have been said already in this thread (e.g., harrymc’s comment “Sometimes just stopping and restarting the service fixes DNS problems”, two years ago). – G-Man Says 'Reinstate Monica' – 2014-11-03T15:31:37.180

0

In my case what solved this problem was to add the domain of the host I was trying to ping to a group policy option named "DNS Suffix Search List".

The procedure in short is this: Open gpedit.msc and navigate to Computer Configuration -> Administrative Templates -> Network -> DNS Client > DNS Suffix Search List, set it to "Enabled" and add the domain name to the list (the list is empty by default).

A more detailed description of these steps can be found here

ndemou

Posted 2012-10-29T19:11:22.940

Reputation: 491

0

None of the solutions here worked for me. What did work for me was reconnecting to my work's vpn using OpenVPN. Then after disconnecting everything continued to work.

I believe the issue was related to the power going out while my computer was connected with openVPN. The only way I figured this out was by using WireShark. I noticed that the destination IPs for all the queries were going to IPs on my work's internal network.

Bela

Posted 2012-10-29T19:11:22.940

Reputation: 101

0

Just had this issue on a Windows 7 client joined to a domain it turned out to be incorrect DirectAccess settings in the registry.

Try clearing the contents of the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DnsClient\DnsPolicyConfig

and then restarting the 'DNS Cache' service.

If that helps, look under Group Policy Management Console for two policies called 'DirectAccess Client Settings' and 'DirectAccess Server Settings'. Check if they are configured correctly or even needed in your scenario. They are sometimes created automatically with certain settings for the Routing and Remote Access role on a server and this was the cause of the issue on our part.

http://virot.eu/manually-remove-direct-access-from-a-client/

Minkus

Posted 2012-10-29T19:11:22.940

Reputation: 86

0

I have just had this problem, and found something quite peculiar, and managed to fix it Lol

Basically, if you have any entries in your hosts file, that are the same as the IP your ping is trying to resolve to, it will fail.

For example, if in your DNS, you have a record for www.example.com - 10.0.0.20, but then you have an entry in your client's hosts file, 10.0.0.20 somethingelse.com, you will not be able to ping www.example.com

Strange huh

Just Lucky Really

Posted 2012-10-29T19:11:22.940

Reputation: 926

0

I had the same problem and turns out another machine had the same IP address, and that was causing it.

Changed IP back to DHCP and everything was working fine.

Klaus

Posted 2012-10-29T19:11:22.940

Reputation: 21

nslookup worked because it doesn't need to communicate with the other host. ping does need to communicate and obviously breaks. – ndemou – 2019-02-13T17:02:34.593

@ndemou: That explanation doesn't make any sense.  Yes, it is ping's job to try to communicate with the other host, but the first step in that process is to get the other host's IP address.  If it *gets* the other host's IP address, it tells you so; if it then cannot communicate with the other host, it ultimately reports "100% loss".  But, in the question, ping is failing even to get an address.  (Try ping bbbbbbb.com and ping bbbbbb.com for comparison.) – Scott – 2019-02-13T17:57:44.910

You are right @Scott. I was editing Klaus' answer and while reading his description of the problem I forgot that this questions particular problem with ping is that it doesn't resolve. Can't be sure but I would bet now that Klaus was just not getting replies. – ndemou – 2019-02-14T07:37:57.767

-1

ping uses the ICMP protocol, specifically the 'Echo Request' and 'Echo Reply'.

many networks disable ICMP utilities in order to prevent attacks or basic network scanning. I've found many routers you purchase come with a setting to disable ping and like utilities enabled by default.

you can find more about ICMP here:

http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol

Johnnie

Posted 2012-10-29T19:11:22.940

Reputation: 262

9Yes, but before using ICMP, the domain has to be resolved to an IP address as usual. So this is not the issue here. – Michael – 2012-11-23T02:25:50.930

Asked: 2012-10-29T19:11:22.940

Viewed: 276 559 times

Active: 2019-10-22T12:41:38.413