Is it possible to detect HOSTS file resolution vs DNS resolution

Question

For diagnostic purposes I would like to be able to find out if a customer has a hostname failure because of a HOSTS file entry. Is it possible to detect that a DNS query was resolved by HOSTS or DNS?

(Of course I'm curious about multiple OSes: Windows, HPUX, AIX, Linux, Mac)

I suspect it may be possible if I could bypass the hostname resolution sequencing configuration of the machine. Of course reading the HOSTS file directly is an option but if there's an in memory problem (i.e. virus, or just changed to remove the misconfiguration but not taken effect yet) then it wouldn't be helpful.

Answer 1

On Linux, you could use getent to filter the "database" used by the "hosts resolving" service:

# Request that looks only in file (/etc/hosts)
getent -s hosts:files ahosts mydomain.tld

# Request that looks only in dns (as defined in /etc/resolv.conf)
getent -s hosts:dns ahosts mydomain.tld 

The database:service could be found in /etc/nsswitch.conf

Answer 2

On Windows, if you are looking up server1 you can compare the IP address printed in the output of ping server1 with the output of the nslookup server1 command.

This URL states that on Windows, nslookup does not use the hosts file:

https://serverfault.com/questions/95036/what-can-cause-a-dns-lookup-to-ignore-a-hosts-file-entry

Both ping server1 and nslookup server1 print the IP address they associate with server1, but ping will use the hosts file (on my system) and nslookup does not.