TCP "connection refused" handling in dig on Windows is broken
Below, I present behavior of dig on Windows for three different source code revisions:
- before !4115 (merged)
- after !4115 (merged), before !4444 (merged)
- after !4444 (merged)
This is what happens for d48e0400 (before !4115 (merged)) when one tries to query a TCP port on which nothing is listening:
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=2
; <<>> DiG 9.17.6 <<>> @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: timed out.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: timed out.
; <<>> DiG 9.17.6 <<>> @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: timed out.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=2
; <<>> DiG 9.17.6 <<>> @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
; <<>> DiG 9.17.6 <<>> @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: connection refused.
Observations:
- the message logged depends on what +time is set to,
- traffic sniffer shows multiple SYN/RST+ACK exchanges whose count depends on whether the connection "times out" or is "refused".
This is what happens for 3a366622 (after !4115 (merged), before !4444 (merged)):
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=2
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=2
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: connection refused.
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: connection refused.
Observations:
- Queries sent towards 127.0.0.1 seem to work fine:
  - dig invocations exit quickly,
  - traffic sniffer shows just one SYN/RST+ACK pair being exchanged per each +tries,
  - "connection refused" is consistently logged, no matter what +time is set to.
- Queries sent towards 10.53.0.5 (configured on a loopback interface) behave oddly:
  - dig invocations take a longer while to return,
  - traffic sniffer shows multiple SYN/RST+ACK pairs being exchanged per each +tries,
  - the message logged depends on what +time is set to.
!4444 (merged) seems to break things in an even different way:
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=2
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=2
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=2
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=1 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
Observations:
- Queries sent towards 127.0.0.1 still seem to work fine.
- Queries sent towards 10.53.0.5 never return "connection refused" any more despite the packet sniffer showing multiple SYN/RST+ACK exchanges per each +tries.
Windows Firewall is disabled on the host on which the above tests were run.
All in all, with the code in its current shape (after !4444 (merged)), the legacy system test is consistently failing due to no "connection refused" messages being logged for queries sent towards named instances that intentionally do not listen for TCP connections.
From a user's perspective, I would expect the following:
- 1 SYN/RST+ACK exchange per each +tries,
- timeouts should never be logged if "connection refused" is detected,
- dig should behave consistently for all target addresses.
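
A transcript check for the expectations listed above, as an added example that is not part of the original report or of BIND's own test suite. The sample is constructed from two of the invocations shown for the build after !4444; the function names and the wording of the problems are assumptions, and the check assumes every queried port answers SYN with RST+ACK as in the report.

```python
import re
from collections import defaultdict

# Constructed sample: two invocations copied from the transcript for the
# build after !4444 (closed TCP port, RST+ACK seen on the wire).
SAMPLE = """\
>>>>> dig @127.0.0.1 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
;; Connection to 127.0.0.1#12345(127.0.0.1) for isc.org. failed: connection refused.
>>>>> dig @10.53.0.5 -p 12345 isc.org. +tcp +tries=2 +time=3
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
;; Connection to 10.53.0.5#12345(10.53.0.5) for isc.org. failed: timed out.
"""

CMD = re.compile(r"^>>>>> dig @(\S+) .*\+tries=(\d+) \+time=(\d+)")
FAIL = re.compile(r"^;; Connection to \S+ for \S+ failed: (.+?)\.$")

def parse(transcript):
    """Return one record per dig invocation: server, tries, time, reasons."""
    runs = []
    for line in transcript.splitlines():
        m = CMD.match(line)
        if m:
            runs.append({"server": m.group(1), "tries": int(m.group(2)),
                         "time": int(m.group(3)), "reasons": []})
        elif runs and (f := FAIL.match(line)):
            runs[-1]["reasons"].append(f.group(1))
    return runs

def violations(runs):
    """Flag runs that break the expectations for a port that sends RST+ACK."""
    problems = []
    by_opts = defaultdict(set)  # (tries, time) -> distinct failure sequences
    for r in runs:
        key = (r["server"], r["tries"], r["time"])
        by_opts[key[1:]].add(tuple(r["reasons"]))
        if any(x != "connection refused" for x in r["reasons"]):
            problems.append(key + ("timeout logged",))
        if len(r["reasons"]) > r["tries"]:
            problems.append(key + ("more failures than +tries",))
    for (tries, time), seen in by_opts.items():
        if len(seen) > 1:  # same options, different outcome per target
            problems.append(("*", tries, time, "differs between targets"))
    return problems
```
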