Windows Troubleshooting Tip – Advanced DNS Query Debugging With NSLookup

Home > Blogs > Windows Server > Windows Troubleshooting Tip – Advanced DNS Query Debugging With NSLookup

Windows Troubleshooting Tip – Advanced DNS Query Debugging With NSLookup

Like This Blog 2 Mike Danseglio
Added by December 23, 2013

I’ve published a number of articles on following a simple and straightforward troubleshooting methodology. I advocate a simple and focused approach shown in Figure 1. You can see that symptom identification is the first step, followed by root cause analysis and problem resolution.

Figure 1. MikeDan’s Quick and Dirty Troubleshooting Methodology.

There’s lots of great tools built right in to Windows that will actually help when narrowing down network communications problems. One of my favorites is NSLookup. I’ve previously written about NSLookup and covered the basic use. This article focuses on deep DNS troubleshooting. I recommend you read Windows Troubleshooting Tip – NSLookup if you’re not already familiar with NSLookup.

Displaying Detailed Query Data
By default, NSLookup is user friendly. It only displays the basic name resolution information resolution for a target host. If you’ve researched DNS, you know that there can be a complex set of queries and responses with multiple servers involved before that resolution is returned to the client. And there’s an easy way to display all of that as it happens.

As an example I’m going to use NSLookup to resolve the hostname www.interfacett.com against my favorite DNS provider, Level 3. The DNS server at Level 3 I’ll use here is 4.2.2.6. Here’s the basic NSLookup for that scenario:

001-NSLookup-DNS-scenario

For ease of reading, here’s the text from that screenshot:
C:\>nslookup
Default Server: UnKnown
Address: 10.0.1.1

> server 4.2.2.6
Default Server: resolver8.level3.net
Address: 4.2.2.6

> www.interfacett.com
Server: resolver8.level3.net
Address: 4.2.2.6

Non-authoritative answer:
Name: www.interfacett.com
Address: 8.19.33.146

> _

Now I’ll turn on verbose debugging and re-run the same query. To set verbose debugging in NSLookup I just type set d2. Then I run the exact same query as before, with very different output.

002-NSLookup-DNS-debugging-quert

Because the entire response won’t fit in a single window, here’s the text from the query:

> set d2

> www.interfacett.com

Server:  resolver8.level3.net

Address:  4.2.2.6

 

————

SendRequest(), len 61

    HEADER:

        opcode = QUERY, id = 9, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Phoenix.Interfacett.com, type = A, class = IN

 

————

————

Got answer (145 bytes):

    HEADER:

        opcode = QUERY, id = 9, rcode = NXDOMAIN

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Phoenix.Interfacett.com, type = A, class = IN

    AUTHORITY RECORDS:

    ->  Interfacett.com

        type = SOA, class = IN, dlen = 72

        ttl = 720 (12 mins)

        primary name server = ns-1995.awsdns-57.co.uk

        responsible mail addr = awsdns-hostmaster.amazon.com

        serial  = 1

        refresh = 7200 (2 hours)

        retry   = 900 (15 mins)

        expire  = 604800 (7 days)

        default TTL = 14400 (4 hours)

 

————

————

SendRequest(), len 61

    HEADER:

        opcode = QUERY, id = 10, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Phoenix.Interfacett.com, type = AAAA, class = IN

 

————

————

Got answer (145 bytes):

    HEADER:

        opcode = QUERY, id = 10, rcode = NXDOMAIN

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Phoenix.Interfacett.com, type = AAAA, class = IN

    AUTHORITY RECORDS:

    ->  Interfacett.com

        type = SOA, class = IN, dlen = 72

        ttl = 720 (12 mins)

        primary name server = ns-1995.awsdns-57.co.uk

        responsible mail addr = awsdns-hostmaster.amazon.com

        serial  = 1

        refresh = 7200 (2 hours)

        retry   = 900 (15 mins)

        expire  = 604800 (7 days)

        default TTL = 14400 (4 hours)

 

————

————

SendRequest(), len 53

    HEADER:

        opcode = QUERY, id = 11, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Interfacett.com, type = A, class = IN

 

————

————

Got answer (137 bytes):

    HEADER:

        opcode = QUERY, id = 11, rcode = NXDOMAIN

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Interfacett.com, type = A, class = IN

    AUTHORITY RECORDS:

    ->  Interfacett.com

        type = SOA, class = IN, dlen = 72

        ttl = 720 (12 mins)

        primary name server = ns-1995.awsdns-57.co.uk

        responsible mail addr = awsdns-hostmaster.amazon.com

        serial  = 1

        refresh = 7200 (2 hours)

        retry   = 900 (15 mins)

        expire  = 604800 (7 days)

        default TTL = 14400 (4 hours)

 

————

————

SendRequest(), len 53

    HEADER:

        opcode = QUERY, id = 12, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Interfacett.com, type = AAAA, class = IN

 

————

————

Got answer (137 bytes):

    HEADER:

        opcode = QUERY, id = 12, rcode = NXDOMAIN

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0

 

    QUESTIONS:

        www.interfacett.com.Interfacett.com, type = AAAA, class = IN

    AUTHORITY RECORDS:

    ->  Interfacett.com

        type = SOA, class = IN, dlen = 72

        ttl = 719 (11 mins 59 secs)

        primary name server = ns-1995.awsdns-57.co.uk

        responsible mail addr = awsdns-hostmaster.amazon.com

        serial  = 1

        refresh = 7200 (2 hours)

        retry   = 900 (15 mins)

        expire  = 604800 (7 days)

        default TTL = 14400 (4 hours)

 

————

————

SendRequest(), len 37

    HEADER:

        opcode = QUERY, id = 13, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com, type = A, class = IN

 

————

————

Got answer (53 bytes):

    HEADER:

        opcode = QUERY, id = 13, rcode = NOERROR

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 1,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com, type = A, class = IN

    ANSWERS:

    ->  www.interfacett.com

        type = A, class = IN, dlen = 4

        internet address = 8.19.33.146

        ttl = 300 (5 mins)

 

————

Non-authoritative answer:

————

SendRequest(), len 37

    HEADER:

        opcode = QUERY, id = 14, rcode = NOERROR

        header flags:  query, want recursion

        questions = 1,  answers = 0,  authority records = 0,  additional = 0

 

    QUESTIONS:

        www.interfacett.com, type = AAAA, class = IN

 

————

————

Got answer (121 bytes):

    HEADER:

        opcode = QUERY, id = 14, rcode = NOERROR

        header flags:  response, want recursion, recursion avail.

        questions = 1,  answers = 0,  authority records = 1,  additional = 0

 

    QUESTIONS:

        www.interfacett.com, type = AAAA, class = IN

    AUTHORITY RECORDS:

    ->  interfacett.com

        type = SOA, class = IN, dlen = 72

        ttl = 719 (11 mins 59 secs)

        primary name server = ns-1995.awsdns-57.co.uk

        responsible mail addr = awsdns-hostmaster.amazon.com

        serial  = 1

        refresh = 7200 (2 hours)

        retry   = 900 (15 mins)

        expire  = 604800 (7 days)

        default TTL = 14400 (4 hours)

 

————

Name:    www.interfacett.com

Address:  8.19.33.146

Remember that the queries were the same in both examples. The final result was the same in both examples. The difference is that with d2 set, I can see the entire process of name resolution.

How does this help? It tells me which servers are being queried and what records or referrals are returned from each. If I have a complex DNS architecture or if I believe an errant DNS server is handing out incorrect results, seeing the entire query process helps me find the spot along the resolution path where the failure occurs.
Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor

Videos You May Like

A Simple Introduction to Cisco CML2

0 3902 0

Mark Jacob, Cisco Instructor, presents an introduction to Cisco Modeling Labs 2.0 or CML2.0, an upgrade to Cisco’s VIRL Personal Edition. Mark demonstrates Terminal Emulator access to console, as well as console access from within the CML2.0 product. Hello, I’m Mark Jacob, a Cisco Instructor and Network Instructor at Interface Technical Training. I’ve been using … Continue reading A Simple Introduction to Cisco CML2

Creating Dynamic DNS in Network Environments

0 646 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader teaches how to create Dynamic DNS zones in Network Environments. Video Transcription: Now that we’ve installed DNS, we’ve created our DNS zones, the next step is now, how do we produce those … Continue reading Creating Dynamic DNS in Network Environments

Cable Testers and How to Use them in Network Environments

0 735 1

This content is from our CompTIA Network + Video Certification Training Course. Start training today! In this video, CompTIA Network + instructor Rick Trader demonstrates how to use cable testers in network environments. Let’s look at some tools that we can use to test our different cables in our environment. Cable Testers Properly Wired Connectivity … Continue reading Cable Testers and How to Use them in Network Environments

Write a Comment

See what people are saying...

    Share your thoughts...

    Please fill out the comment form below to post a reply.