Best Practice Ezine #42 DNS
Try this thinking exercise
I would like you to think of all the Windows 2003 services, for example WINS, Netlogon or Alerter. Now which service would you say is the most important? Next, focus on Windows services again, but this time ask yourself which service is the most complicated to configure. I predict that DNS would be high on your list for both importance and difficulty.
There is so much to know about DNS that I can only feature a few examples in a newsletter. What I want to do is give tips for people at three levels: expert, intermediate and beginner.
Calculating IP address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways: for Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. For Mr Lazy, IPAT discovers and then displays the IP addresses of existing computers.
Download the Free IP Address Tracker
Let us begin with my stock question: where do you get this Debug Logging tool? This is easy, Debug Logging is built-in. Next question: where do I find it? Add or Remove Programs, Windows Components - No. DNS Snap-in, Server - YES. (The actual Server icon, not the Forward Lookup zone.)

Our next decision is what DNS information we should collect, and how we should filter the packets. The answer depends on the situation. Is the problem a client query that is not being resolved, or two DNS servers that do not update one another's host records? To troubleshoot the client problem we would collect packets showing DNS queries, whereas with the server to server problem we would filter for zone transfers. Last question: do we want requests or responses? Guy says both, usually.
Once you have decided what to log, just enter the path and filename in the DNS Debug Logging window. While you run various DNS queries or transfers, the log collects the data. Now comes the task of interpreting the data collected in the log file. The key detective skill to develop is parsing the line, breaking the data down into recognisable patterns. To digress: have you ever been in a wood and a friend says, do you see such and such a fruit, and once you have seen one you suddenly see loads? Well, examining debug logs is similar. Once you see patterns like the remote IP address and the direction of the packet, a blur of letters and numbers turns into meaningful chunks of information.
With attention to detail you will soon get your eye in. In no time you will spot the keywords. For example, [NotAuth] means the server did not understand the zone being queried because it was not authoritative; the DNS packet is saying 'I have no information for that domain'. On the other hand, [Refused] means 'I may know, but I am not telling you for security reasons'.
A common error is [NXDomain], meaning this name does not exist on the network. For example, attempting to contact nowhere.org resulted in this line with the NXDOMAIN error:
PACKET UDP Snd [8385 A DR NXDOMAIN] (7)nowhere(3)org(2)cp(3)com(0)
Note that the log writes the name as length-prefixed labels, so (7)nowhere(3)org(2)cp(3)com(0) reads as nowhere.org.cp.com, with the (0) marking the root; a suffix (cp.com) has been appended to the name that was actually typed.
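To show the parsing the ezine describes in working code, here is an added example (not from the ezine or from Microsoft): a small parser for Windows DNS debug log lines that picks out the direction, the remote IP where present, the flag letters, the response code and the label-encoded name, then tallies the failing queries. The log lines below are constructed; the first is the ezine's own NXDOMAIN line, the rest assume the same abbreviated layout with an optional remote IP and query type column.

```python
import re
from collections import Counter

# Constructed sample log. Line 1 is the ezine's example; the remaining lines
# are made up to exercise the optional remote IP and query type columns.
SAMPLE_LOG = """\
PACKET UDP Snd [8385 A DR NXDOMAIN] (7)nowhere(3)org(2)cp(3)com(0)
PACKET UDP Rcv 10.1.1.25 [0001 D NOERROR] A (3)www(7)example(3)com(0)
PACKET UDP Snd 10.1.1.25 [8180 DR NOERROR] A (3)www(7)example(3)com(0)
PACKET TCP Rcv 10.1.1.200 [0000 REFUSED] AXFR (7)example(3)com(0)
"""

# Anchor on the fields that are stable: protocol, direction, the [...] block
# and the length-prefixed name. Everything else is skipped lazily.
LINE_RE = re.compile(
    r"PACKET\s+(?P<proto>UDP|TCP)\s+(?P<direction>Snd|Rcv)"
    r"(?:\s+(?P<remote>\d{1,3}(?:\.\d{1,3}){3}))?"
    r"[^\[]*\[(?P<bracket>[^\]]*)\]"
    r".*?(?P<qname>(?:\(\d+\)[^()\s]*)+)"
)


def decode_labels(encoded):
    """(7)nowhere(3)org(0) -> 'nowhere.org.'; a length that does not match
    its label means a corrupt or truncated line, so it is reported, not guessed."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^()\s]*)", encoded):
        if int(length) != len(label):
            raise ValueError(f"label length {length} does not match {label!r}")
        if label:
            labels.append(label)
    return ".".join(labels) + "."


def parse_debug_line(line):
    """Return a dict for one PACKET line, or None for lines of another kind."""
    m = LINE_RE.search(line)
    if not m:
        return None
    tokens = m.group("bracket").split()
    if len(tokens) < 2:
        return None
    # Bracket layout: a leading id/flags field (kept opaque here), zero or more
    # flag letters (A authoritative, D recursion desired, R recursion
    # available, T truncated), then the response code as the last token.
    return {
        "proto": m.group("proto"), "direction": m.group("direction"),
        "remote": m.group("remote"), "header": tokens[0],
        "flags": set("".join(tokens[1:-1])), "rcode": tokens[-1],
        "qname": decode_labels(m.group("qname")),
    }


def failures_by_name(log_text):
    """Count every non-NOERROR response per decoded name: the pattern to scan for."""
    counts = Counter()
    for rec in map(parse_debug_line, log_text.splitlines()):
        if rec and rec["rcode"] != "NOERROR":
            counts[(rec["qname"], rec["rcode"])] += 1
    return counts
```

Run failures_by_name(SAMPLE_LOG) and the ezine's line surfaces as nowhere.org.cp.com. with NXDOMAIN, which is how the appended suffix becomes visible at a glance.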
Last week I did not have time to write the ezine as I was on site. Instead, I had the pleasure of working alongside a top clustering consultant ($1000 a day man). Even though he was a genius, he used the help files. On reflection I wondered if it was the other way around: I thought he was a genius because he had mastered the art of when and how to use the help files. Could being a computer expert be that easy, just consult the built-in help?
Two final reminders.
1) Did you turn off the DNS logging when you had finished? Remember logging is very server intensive.
2) DNS Debug logging and DNSLint are new for Windows Server 2003.
If you are looking for handy network utilities, try some of the free downloads at Tools4Ever.
The purpose of DNSLint is to display DNS information as a web page. In many ways DNSLint reminds me of NSLookup, except that the DNSLint output is HTML rather than text in a DOS command window. Talking of NSLookup, DNSLint gave only incomplete information on one of my tests; the reason turned out to be that no reverse lookup had been configured for the zone we were troubleshooting. The first question that I ask about any utility is where do you find it? In the case of DNSLint the answer is the Support Cabinet on the Windows Server 2003 CD. One useful feature of DNSLint is that it displays port numbers, e.g. TCP 53, which is most helpful when troubleshooting firewall problems. As with many of Windows 2003's command line utilities there is a whole bank of switches. To get started try DNSLint /d yourdom.com. However, there is a trap with /d if you are NOT connected to the internet: you must add another switch, /s server IP. Example: DNSLint /d yourdom.com /s 10.1.1.100. Another feature of DNSLint is that it displays MX records, which will assist in tracking down email delivery problems. For further email testing, for example SMTP or POP3, try the /c switch.
Now I am thinking of basic troubleshooting here. So if the problem is that clients cannot 'see' the server, check these settings on both machines:
a) Master IPCONFIG /all and also the /flushdns, /registerdns and /displaydns switches.
b) Network Card, TCP/IP properties.
c) System Icon, Computer Tab.
d) On the DNS server, navigate to the DNS Snap-in and check the Forward Lookup Zone records.
e) Again on the server, at the DNS snap-in check the server icon properties, especially the Monitor Tab.