Windows Troubleshooting Tip – Advanced DNS Query Debugging With NSLookup
I’ve published a number of articles on following a simple and straightforward troubleshooting methodology. I advocate a simple and focused approach shown in Figure 1. You can see that symptom identification is the first step, followed by root cause analysis and problem resolution.
Figure 1. MikeDan’s Quick and Dirty Troubleshooting Methodology.
There’s lots of great tools built right in to Windows that will actually help when narrowing down network communications problems. One of my favorites is NSLookup. I’ve previously written about NSLookup and covered the basic use. This article focuses on deep DNS troubleshooting. I recommend you read Windows Troubleshooting Tip – NSLookup if you’re not already familiar with NSLookup.
Displaying Detailed Query Data
By default, NSLookup is user friendly. It only displays the basic name resolution information resolution for a target host. If you’ve researched DNS, you know that there can be a complex set of queries and responses with multiple servers involved before that resolution is returned to the client. And there’s an easy way to display all of that as it happens.
As an example I’m going to use NSLookup to resolve the hostname www.interfacett.com against my favorite DNS provider, Level 3. The DNS server at Level 3 I’ll use here is 4.2.2.6. Here’s the basic NSLookup for that scenario:
For ease of reading, here’s the text from that screenshot:
C:\>nslookup
Default Server: UnKnown
Address: 10.0.1.1
> server 4.2.2.6
Default Server: resolver8.level3.net
Address: 4.2.2.6
> www.interfacett.com
Server: resolver8.level3.net
Address: 4.2.2.6
Non-authoritative answer:
Name: www.interfacett.com
Address: 8.19.33.146
> _
Now I’ll turn on verbose debugging and re-run the same query. To set verbose debugging in NSLookup I just type set d2. Then I run the exact same query as before, with very different output.
Because the entire response won’t fit in a single window, here’s the text from the query:
> set d2
> www.interfacett.com
Server: resolver8.level3.net
Address: 4.2.2.6
————
SendRequest(), len 61
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com.Phoenix.Interfacett.com, type = A, class = IN
————
————
Got answer (145 bytes):
HEADER:
opcode = QUERY, id = 9, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.interfacett.com.Phoenix.Interfacett.com, type = A, class = IN
AUTHORITY RECORDS:
-> Interfacett.com
type = SOA, class = IN, dlen = 72
ttl = 720 (12 mins)
primary name server = ns-1995.awsdns-57.co.uk
responsible mail addr = awsdns-hostmaster.amazon.com
serial = 1
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 14400 (4 hours)
————
————
SendRequest(), len 61
HEADER:
opcode = QUERY, id = 10, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com.Phoenix.Interfacett.com, type = AAAA, class = IN
————
————
Got answer (145 bytes):
HEADER:
opcode = QUERY, id = 10, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.interfacett.com.Phoenix.Interfacett.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> Interfacett.com
type = SOA, class = IN, dlen = 72
ttl = 720 (12 mins)
primary name server = ns-1995.awsdns-57.co.uk
responsible mail addr = awsdns-hostmaster.amazon.com
serial = 1
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 14400 (4 hours)
————
————
SendRequest(), len 53
HEADER:
opcode = QUERY, id = 11, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com.Interfacett.com, type = A, class = IN
————
————
Got answer (137 bytes):
HEADER:
opcode = QUERY, id = 11, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.interfacett.com.Interfacett.com, type = A, class = IN
AUTHORITY RECORDS:
-> Interfacett.com
type = SOA, class = IN, dlen = 72
ttl = 720 (12 mins)
primary name server = ns-1995.awsdns-57.co.uk
responsible mail addr = awsdns-hostmaster.amazon.com
serial = 1
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 14400 (4 hours)
————
————
SendRequest(), len 53
HEADER:
opcode = QUERY, id = 12, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com.Interfacett.com, type = AAAA, class = IN
————
————
Got answer (137 bytes):
HEADER:
opcode = QUERY, id = 12, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.interfacett.com.Interfacett.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> Interfacett.com
type = SOA, class = IN, dlen = 72
ttl = 719 (11 mins 59 secs)
primary name server = ns-1995.awsdns-57.co.uk
responsible mail addr = awsdns-hostmaster.amazon.com
serial = 1
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 14400 (4 hours)
————
————
SendRequest(), len 37
HEADER:
opcode = QUERY, id = 13, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com, type = A, class = IN
————
————
Got answer (53 bytes):
HEADER:
opcode = QUERY, id = 13, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com, type = A, class = IN
ANSWERS:
-> www.interfacett.com
type = A, class = IN, dlen = 4
internet address = 8.19.33.146
ttl = 300 (5 mins)
————
Non-authoritative answer:
————
SendRequest(), len 37
HEADER:
opcode = QUERY, id = 14, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.interfacett.com, type = AAAA, class = IN
————
————
Got answer (121 bytes):
HEADER:
opcode = QUERY, id = 14, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.interfacett.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> interfacett.com
type = SOA, class = IN, dlen = 72
ttl = 719 (11 mins 59 secs)
primary name server = ns-1995.awsdns-57.co.uk
responsible mail addr = awsdns-hostmaster.amazon.com
serial = 1
refresh = 7200 (2 hours)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 14400 (4 hours)
————
Name: www.interfacett.com
Address: 8.19.33.146
Remember that the queries were the same in both examples. The final result was the same in both examples. The difference is that with d2 set, I can see the entire process of name resolution.
How does this help? It tells me which servers are being queried and what records or referrals are returned from each. If I have a complex DNS architecture or if I believe an errant DNS server is handing out incorrect results, seeing the entire query process helps me find the spot along the resolution path where the failure occurs.
Mike Danseglio -CISSP / CEH
Interface Technical Training – Technical Director and Instructor
Agile Methodology in Project Management
In this video, you will gain an understanding of Agile and Scrum Master Certification terminologies and concepts to help you make better decisions in your Project Management capabilities. Whether you’re a developer looking to obtain an Agile or Scrum Master Certification, or you’re a Project Manager/Product Owner who is attempting to get your product or … Continue reading Agile Methodology in Project Management
Windows 10 Basic Desktop and Navigation
This post is from our recent three-part Windows 10 webinar series. You can watch the video replay of the entire Windows 10 webinars at the following links. Windows 10 Features and Navigation Windows instructor Steve Fullmer introduces the navigation and some of the new features associated with Windows 10 including Sysinternals Tools for Windows Client … Continue reading Windows 10 Basic Desktop and Navigation
JavaScript for C# Developers – September 24, 2014
Is JavaScript worth taking the time to learn if I’m a server-side .NET developer? How much of C# carries over to JavaScript? In this recorded video from Dan Wahlin’s webinar on September 24,2014, Dan answers these questions and more while also discussing similarities between the languages, key differences, and the future of JavaScript (ES6). If … Continue reading JavaScript for C# Developers – September 24, 2014
Write a Comment
See what people are saying...