Tech Line

DNS Request Mess

Not sure if a DNS client's requests are reaching the DNS server?

  • By Chris Wolf
  • 10/18/2005
Chris: I've been working on some intermittent DNS issues for about a week. One of our workstations intermittently fails to map drives when a user logs on and her logon script is processed. I believe the failure is occurring due to DNS queries timing out, but I want to be sure. Other workstations on the same subnet don't seem to have any problem.

Since I have seen some problems with other services, I'm now thinking that my intermittent network problems may be the result of a faulty NIC. Is there any way that I can validate whether or not the client's DNS queries are actually reaching the DNS server?
— David

Tech Help—Just An
E-Mail Away

Got a Windows, Exchange or virtualization question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to the MCPmag.com editors at mailto:[email protected]; the best questions get answered in this column and garner the questioner with a nifty MCPmag.com baseball-style cap.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message, but submit the requested information for verification purposes.)

After checking with David, I found out that swapping out NIC cards on the workstation fixed the problem. That being said, that concludes my column for this week.

Hopefully, you're still reading at this point. If I were to write two sentence columns, I don't think I'd be doing this for much longer. Now before I continue any more on another useless tangent, let me take this time to talk about DNS Debug logging.

With Debug Logging, you can log requests from a single DNS client, which would have allowed David to verify that the requests from his workstation were not reaching the DNS server. This feature is disabled by default. To enable debug logging, follow these steps:

  1. In the DNS MMC, right-click on the DNS server object and select Properties.
  2. Click on the Debug Logging tab.
  3. Check the "Log packets for debug logging checkbox."
  4. To just log requests and replies to a single DNS client, click the Filter packets by IP Address checkbox.
  5. Now click the Filter button.
  6. In the Filter dialog box, type in the IP address of the DNS client computer in question and then click the Add button.
  7. Click OK to close the Filter dialog box.
  8. Click OK to close the DNS server Properties dialog box.

In the procedure, note that I configured filtering. This causes the DNS server to only log traffic to and from the client in question. With filtering enabled and configured, it will be much easier for you to find DNS queries and responses to the DNS client having the problems.

With logging enabled, you can validate client traffic by first returning to the client and manually performing a query using the nslookup command. For example, in my test lab I ran the command nslookup server1.mcpmag.com on the workstation. I then returned to the DNS server and opened the %windir%\system32\dns\dns.log file to view the logged query. Here are the logged results:

20051016 09:39:59 8A8 PACKET UDP Rcv 192.168.0.120 0004 Q [0001 D NOERROR] (7)server1(6)mcpmag(3)com(0)

20051016 09:39:59 8A8 PACKET UDP Snd 192.168.0.120 0004 R Q [8085 A DR NOERROR] (7)server1(6)mcpmag(3)com(0)

Notice that server successfully received the query (first line) and then sent a response (second line). Also, note that each line also indicated a NOERROR status. If DNS was unable to satisfy the query, you'd see other error codes such as NXDOMAIN or SERVFAIL. For more information on the possible error codes and DNS debug logging in general, take a look at the article, "Debug Logging for DNS in Windows 2003" on Guy Smith's Computer Performance Web site.

Some seasoned admins out there may be thinking "Well, I can validate traffic using either Ethereal or Network Monitor." These methods also can be seen as viable alternatives to what I'm prescribing here. For example, you could run Ethereal on the DNS server and filter the capture, so that only port 53 traffic is captured from the client in question. This would allow you to see the DNS traffic from the client. However, if you're not too familiar with Ethereal or Network Monitor, you'll probably find using Debug Logging on the DNS server to give you a definitive answer more quickly. Also, if the query is being logged, you are validating that the DNS query is being passed all the way up to the Application layer of the OSI model. This can allow you to not only validate that the DNS server received the request, but also that the request was passed up to the DNS service as well.

[Chris Wolf has just released Virtualization: From the Desktop to the Enterprise (Apress) and also welcomes your virtualization questions for this column. —Editors]

About the Author

Chris Wolf is a Microsoft MVP for Windows --Virtual Machine and is a MCSE, MCT, and CCNA. He's a Senior Analyst for Burton Group who specializes in the areas of virtualization solutions, high availability, storage and enterprise management. Chris is the author of Virtualization: From the Desktop to the Enterprise (Apress), Troubleshooting Microsoft Technologies (Addison Wesley), and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).learningstore-20/">Troubleshooting Microsoft Technologies (Addison Wesley) and a contributor to the Windows Server 2003 Deployment Kit (Microsoft Press).

comments powered by Disqus
Most   Popular