Windows – nslookup picking up wrong address

It all looks perfrectly normal to me. The name servers for iis.se are ns.nic.se, ns2.nic.se, and ns3.nic.se.

You get the Server Unknown message because you don't have a PTR zone set up on your DNS servers for your subnet (which isn't required). When you run nslookup from the DNS server the DNS client on the server (which is what nslookup uses, as the DNS server is also a DNS client and operates as any other DNS client does) first performs a PTR lookup to find the name of the server configured in the DNS settings of the TCP\IP protocol bound to the NIC. Not finding a PTR record, nslookup responds with Server Unknown. This is perfectly normal and acceptable.

Next you issue the query for www.iis.se and get a response from one of the name servers at iis.se from both the IPv6 and IPv4 addresses of that name server, that it can't find a record for www.iis.se. This is a perfectly normal response if no record for www exists.

You do that two more times against two different name servers and get the same response, which again is perfectly normal where no record for www.iis.se can be found.

You do that a third time on a server that has 127.0.0.1 configured as it's DNS server in the TCP\IP protocol settings of the NIC and get a request timed out, which tells me that the DNS client is pointing to 127.0.0.1 for DNS but that the DNS server (if you're running this particular nslookup from the DNS server) isn't listening on 127.0.0.1 so the query times out.

Try running nslookup against each of the name servers for the iis.se domain and query each one for www and see what they answer.

It appears from what you're saying that the request for windows.cs is going to the ISPs DNS server now and again. The nxdomain result is then cached by Windows' DNS client, and thus used for any retries with a web browser, ping etc. Clearing the cache (ipconfig /flushdns) should force the Windows DNS client to retry the query, but there's no guarantee it won't go to the ISP DNS server again.

The reason ping can't resolve the hostname but nslookup can is because nslookup a low-level tool that bypasses the Windows DNS client. It uses whatever DNS server you tell it to (the first one by default), and does the query on the fly. You can change the DNS server it queries by typing server <host> from the nslookup prompt, where host is the IP or FQDN.

The Windows DNS client however will only do queries for entries that are not in its cache (or have expired). Otherwise it returns the cached result.

It's not immediately apparent why the Windows client is using the ISP DNS server. Perhaps it could not resolve the local server recently (due perhaps to being on another network), perhaps the local server was returning errors. Or, perhaps it is not ordered correctly under Advanced TCP/IP settings > DNS.

Personally I prefer to only use local DNS server addresses on workstations (propagated by DHCP), to simplify configuration and avoid issues like this. I'd be curious to know the rationale behind setting the ISPs DNS server on desktops. I can't imagine there being any valid performance reasons, and as far as redundancy goes two is enough on most networks (if not add a third).