How does ping figure out the IP address of a website?

I'm trying to understand better the different network-query tools such as nc, curl, whois, dig, nslookup and at the same time a bit more about the architecture of internet requests, servers, and the like (NIC, A Record, MX) whilst already knowing a little about TCP, nameservers, domain registrars, packet sniffers, HTTP headers, and IP addresses. That's my background, here's my question.

When I dig or whois let's say www.valgrind.org (or valgrind.org) I get at least two different IP answers: 178.250.76.80 and 172.16.0.23#53.

$ nslookup valgrind.org
Server:         172.16.0.23
Address:        172.16.0.23#53

Non-authoritative answer:
Name:   valgrind.org
Address: 178.250.76.80

Trying to browse to either of these in w3m or chromium leads to a 403 Forbidden error. Furthermore I'm not sure which one to navigate to, but ping is somehow able to figure it out! If I ping valgrind.org (or ping www.valgrind.org) it chooses

$ ping valgrind.org
PING valgrind.org (178.250.76.80) 56(84) bytes of data.
64 bytes from 178.250.76.80: icmp_req=1 ttl=50 time=80.2 ms

How did it know to do that? And what other tool should I be using to find out how my browser goes from 178.250.76.80 to valgrind.org and loads something?

isomorphismes

Posted 2013-08-26T17:37:41.270

Reputation: 1 534

This is pretty off-topic for here. I'll help get you started though: The first 'two answers' you get are not two different answers. The first address is the address of YOUR dns server; the server nslookup sent the query to. The only 'answer' there is 178.250.76.80. This is for professionals, not people seeking to learn the basics. – yoonix – 2013-08-26T17:47:06.380

@yoonix I did actually look at man ping before asking here but it doesn't answer my question. – isomorphismes – 2013-08-26T18:06:01.820

Answers

There are different programs and protocols at work here each is configured to respond independently of the others.

To find an IP address, a linux host will generally use the hosts: directive in /etc/nsswitch.conf to determine which order to query the various sources. A typical entry would be

hosts:      files dns

which says check the files (typically /etc/hosts ) then the dns system. So a search will be conducted of the /etc/hosts file and if it contains an entry for valgrind.org the associated IP address will be returned. If /etc/hosts doesn't contain an entry for valgrind.org, then a request will be made to the DNS. This involves reading the contents of /etc/resolv.conf to determine which servers should be contacted to request DNS information ...

Looking at the output from your command, you're not getting two different addresses. The first part of the output is telling you which server was contacted by nslookup (172.16.0.23) and also on which port (#53) to get the answer. We also know that there is no correctly configured PTR record for 172.16.0.23 as, as RobM's answer shows, the Server would be shown as a name if it were.

The second part of the output is the information that you requested and tells you that 178.250.76.80 is the IPv4 address of valgrind.org.

When you contact 178.250.76.80 on port 80 (http) directly you get a 403 forbidden because that's how the http server at that address has been configured. It is most likely configured as a name based virtual server and thus requires a valid http Host: (sec 14.23) header to route your request to the appropriate vhost.

The ping command is part if the ICMP protocol suite and is an ICMP echo request, the host at 178.250.76.80 responds to ping because it has been configured to do so and sends an ICMP Echo Reply to each Echo Request.

user35787

Posted 2013-08-26T17:37:41.270

Reputation:

You need to understand how nslookup works.

nslookup

The first part of the answer, as should become clearer here, is the name server you're talking to. The answer it provides is the second part

So in my example, I'm asking nslookup to query my currently configured DNS server about where it thinks www.serverfault.com is to be found.

nslookup replies with the address of the server it used to run the query, and the answer it gave. This is important if you're specifying a particular DNS server to run dig or nslookup against, which is a fairly normal part of troubleshooting name resolution issues.

Rob Moir

Posted 2013-08-26T17:37:41.270

Reputation: 647

You misunderstand the output of nslookup. It isn't giving two answers, but just one. The first address is where it got the answer from. ping performs exactly the same task and gets exactly the same result. The reason you get the 403 when you try to give the IP address to the browser is because the server is running virtual hosting. With virtual hosting, a server can have multiple sites with only a single IP address. It decides which site to serve you based on the name the browswer tells it you entered. When you enter the IP address, the server doesn't know which site you wanted.

psusi

Posted 2013-08-26T17:37:41.270

Reputation: 7 195

it will depend on your OS and ping version. if it is linux, you can find out all what is doing by using strace.

strace ping valgrind.org

step by step it will show you. too long to post, but here is my output so that i know at some point it checks the hosts file

.
.
open("/etc/host.conf", O_RDONLY)        = 3
.
.
.

johnshen64

Posted 2013-08-26T17:37:41.270

Reputation: 4 399