Sunday, August 1, 2010

Troubleshooting DNS servers

There are three kinds of problem we may face when dealing with a DNS server:
  • The DNS server is not responding to clients.
  • The DNS server does not resolve names correctly.
  • The DNS server appears to be affected by a problem for reasons not described above.
Let us deal with these one by one.
1. The DNS server is not responding to clients

Cause 1: Network failure

Solution: Check that the hardware is working, i.e. that the network adapters are properly seated and the cables plugged in. Then check network connectivity by pinging other computers or routers (such as its default gateway) that are in use and available on the same network as the affected DNS server.


Cause 2: The network is OK but the server does not respond to client queries

Solution: If the DNS client can ping the DNS server, verify that the DNS service is started and is able to listen for client requests. Try using the nslookup command to test whether the server can respond to DNS clients. You need to install a package called dnsutils, which provides clients such as nslookup, host and other tools. The Berkeley Internet Name Domain (BIND) implements an Internet domain name server; this package delivers various client programs related to DNS that are derived from the BIND source tree.


Cause: The DNS server has been restricted to respond only on certain IP addresses.
Solution: If this is the case, it is possible that the IP address clients use to contact the server is not in the list of interface addresses on which it is permitted to serve clients.
Try testing the server for a response again, but specify a different IP address that is known to be in the server's restricted interfaces list. If the DNS server responds on that address, add the missing server IP address to the list.

Cause: The DNS server has been configured to disable the use of its automatically created default reverse lookup zones.
Solution: Verify that automatically created reverse lookup zones have been created for the server or that advanced configuration changes have not been previously made to the server.

By default, DNS servers automatically create three standard reverse lookup zones, based on Request for Comments (RFC) recommendations, for addresses that are not useful in a reverse lookup search (0.0.0.0, 127.0.0.1, and 255.255.255.255). By being authoritative for the zones corresponding to these addresses, the DNS service avoids unnecessary recursion to the root servers when performing reverse lookups on these types of IP address.

It is possible, although unlikely, that these automatic zones were not created, because disabling their creation requires advanced manual configuration of the server registry by a user.

To verify that these zones have been created, do the following:

1. Open the DNS console.

2. From the View menu, click Advanced.

3. In the console tree, click Reverse Lookup Zones.

Location: DNS/applicable DNS server/Reverse Lookup Zones

4. In the details pane, verify that the following reverse lookup zones are present:

* 0.in-addr.arpa

* 127.in-addr.arpa

* 255.in-addr.arpa

See also: Open the DNS console; DNS RFCs.

Cause: The DNS server is configured to use a non-default service port, such as in an advanced security or firewall configuration.
Solution: Verify that the DNS server is not using a non-standard configuration.

This is a rare but possible cause. By default, the nslookup command sends queries to targeted DNS servers using User Datagram Protocol (UDP) port 53. If the DNS server is located on another network only reachable through an intermediate host (such as a packet-filtering router or proxy server), the DNS server might use a non-standard port to listen for and receive client requests.

If this situation applies, determine whether any intermediate firewall or proxy server configuration is intentionally blocking traffic on the well-known service ports used for DNS. If the blocking is not intentional, add a packet filter to those configurations that permits traffic to the standard DNS ports.

Also, check the DNS server event log for Event ID 414 or other critical service-related events, which might indicate why the DNS server is not responding.

See also: DNS server log reference; View the DNS server system event log; Microsoft Windows Deployment and Resource Kits.
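As an added example (not part of the original post, and not code from Microsoft or BIND), the following Python script does by hand what the nslookup test above does, so that each outcome can be tied to one of the causes in this section: it builds a raw DNS query, sends it to the server over UDP (port 53 by default, or whatever non-standard port the server has been moved to), waits for a reply with a timeout, and decodes the response header. A timeout points at the "not responding" causes (service not started, wrong port, traffic filtered); an RCODE of REFUSED means the server was reached but declines to answer that client address (an access-control or restricted-address policy), whereas a server that is not listening on that interface at all simply times out; and a SOA query for 0.in-addr.arpa, 127.in-addr.arpa and 255.in-addr.arpa that comes back with the AA flag set confirms the automatic reverse lookup zones exist. The server address 192.0.2.53 in the usage section is a placeholder.

```python
"""Minimal raw DNS probe: build a query, send it over UDP, classify the reply (added example)."""
import random
import socket
import struct

# Response codes from the DNS header (RFC 1035 section 4.1.1).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12}


def build_query(qname, qtype="A", txid=None, recursion_desired=True):
    """Return (txid, wire bytes) for a standard query for qname/qtype, class IN."""
    if txid is None:
        txid = random.randrange(0, 65536)
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # one question, no other sections
    question = b""
    for label in qname.rstrip(".").split("."):
        encoded = label.encode("ascii")
        if not 0 < len(encoded) < 64:
            raise ValueError("bad label: %r" % label)
        question += bytes([len(encoded)]) + encoded
    question += b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # root label, QTYPE, QCLASS=IN
    return txid, header + question


def parse_header(data, expected_txid):
    """Decode the 12-byte header; raise if the message is not a reply to our query."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {
        "rcode": RCODES.get(rcode, "RCODE%d" % rcode),
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated: client would retry over TCP
        "ra": bool(flags & 0x0080),   # recursion available
        "answers": an,
        "authority": ns,
    }


def probe(server, qname, qtype="A", port=53, timeout=3.0):
    """Send one query; return the parsed header, or None when the server never replies."""
    txid, wire = build_query(qname, qtype)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(wire, (server, port))
        data, _peer = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_header(data, txid)


def diagnose(result):
    """Map a probe result onto the causes discussed in the post."""
    if result is None:
        return "no reply: service not running, wrong port, or traffic filtered"
    if result["rcode"] == "REFUSED":
        return "REFUSED: server reached but will not serve this client address"
    if result["rcode"] == "SERVFAIL":
        return "SERVFAIL: server reached but could not resolve (recursion or forwarder problem?)"
    return "%s, authoritative=%s, recursion available=%s" % (
        result["rcode"], result["aa"], result["ra"])


if __name__ == "__main__":
    SERVER = "192.0.2.53"  # placeholder address, replace with the DNS server under test
    print("A example.com:", diagnose(probe(SERVER, "example.com", "A")))
    # The three automatic reverse lookup zones should answer SOA with authoritative=True.
    for zone in ("0.in-addr.arpa", "127.in-addr.arpa", "255.in-addr.arpa"):
        print("SOA %s:" % zone, diagnose(probe(SERVER, zone, "SOA")))
```

The probe only exercises UDP, exactly as nslookup does by default; if a reply comes back with the TC flag set, a real client retries over TCP, so any packet filter you adjust for the non-default port case must pass TCP port 53 as well as UDP.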
2. The DNS server does not resolve names correctly

Cause: The DNS server provides incorrect data for queries it successfully answers.

Solution: Determine the cause of the incorrect data for the DNS server.

Some of the most likely causes include the following:

* Resource records (RRs) were not dynamically updated in a zone.

* An error was made when manually adding or modifying static resource records in the zone.

* Stale resource records in the DNS server database, left over from cached lookups or from zone records that were not updated with current information or removed when they were no longer needed.

To help prevent the most common types of problems, be sure to first review best practices for tips and suggestions on deploying and managing your DNS servers. Also, follow and use the checklists appropriate for installing and configuring DNS servers and clients based on your deployment needs.

If you are deploying DNS for Active Directory, note the new directory integration features: when the DNS database is directory-integrated, some DNS server defaults differ from those used with traditional file-based storage.

Many DNS server problems start with failed queries at a client, so it is often good to start there and troubleshoot the DNS client first.

See also: DNS best practices; DNS Checklists; Troubleshooting DNS clients; Modify an existing resource record in a zone; Clear the server names cache; Modifying server defaults.

Cause: The DNS server does not resolve names for computers or services outside of your immediate network, such as those located on external networks or the Internet.

Solution: The server has a problem with its ability to perform recursion correctly. Recursion is used in most DNS configurations to resolve names that are not located within the DNS domain name configured for the DNS servers and clients.

If a DNS server fails to resolve a name for which it is not authoritative, the cause is usually a failed recursive query. Recursive queries are used frequently by DNS servers to resolve remote names delegated to other DNS zones and servers.

For recursion to work successfully, all DNS servers used in the path of a recursive query must be able to respond to and forward correct data. If not, a recursive query can fail for any of the following reasons:

* The recursive query times out before it can be completed.

* A remote DNS server fails to respond.

* A remote DNS server provides incorrect data.

If a server fails a recursive query for a remote name, review the following possible causes to troubleshoot the problem. If you do not understand recursion or the DNS query process, review conceptual topics in Help to better understand the issues involved.

See also: How DNS query works.

Cause: The DNS server is not configured to use other DNS servers to assist it in resolving queries.

Solution: Check whether the DNS server can use both forwarders and recursion.

By default, all DNS servers are enabled to use recursion, although the option to disable its use is configurable using the DNS console to modify advanced server options. The other possibility where recursion might be disabled is if the server is configured to use forwarders and recursion has been specifically disabled for that configuration.

Note

* If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.

See also: Disable recursion on the DNS server; Configure a DNS server to use forwarders.

Cause: Current root hints for the DNS server are not valid.
Solution: Check whether server root hints are valid.

If configured and used correctly, root hints should always point to DNS servers authoritative for the zone containing the domain root and the top-level domains.

By default, DNS servers are configured to use root hints appropriate to your deployment, based on the following available choices when using the DNS console to configure a server:

1. If the DNS server is installed as the first DNS server for your network, it is configured as a root server.

For this configuration, root hints are disabled at the server because the server is authoritative for the root zone.

2. If the installed server is an additional DNS server for your network, you can direct the Configure DNS Server Wizard to update its root hints from an existing DNS server on the network.

3. If you do not have other DNS servers on your network but still need to resolve Internet DNS names, you can use the default root hints file which includes a list of Internet root servers authoritative for the Internet DNS namespace.

See also: Update root hints on the DNS server; Updating root hints.
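An added example, not from the original post: a small Python checker for a root hints file in the zone-file layout that BIND's named.root uses (and which is assumed here to match the Windows DNS Cache.dns file as well). It parses the NS records for the root zone and the glue A/AAAA records, and reports NS entries that have no glue address or a malformed address, which are the usual ways a hand-edited or stale hints file stops being valid. The embedded hints text is constructed for the example, using documentation address ranges and made-up server names rather than the real root servers.

```python
"""Validate a root hints file (named.root-style zone file layout); added example."""
import ipaddress

# Constructed sample in the same layout as a root hints file. Names and addresses
# are placeholders (documentation ranges), deliberately including two bad entries.
SAMPLE_HINTS = """\
; constructed sample, not the real named.root
.                        3600000      NS    A.EXAMPLE-ROOT.TEST.
A.EXAMPLE-ROOT.TEST.     3600000      A     192.0.2.4
A.EXAMPLE-ROOT.TEST.     3600000      AAAA  2001:db8::4
.                        3600000      NS    B.EXAMPLE-ROOT.TEST.
B.EXAMPLE-ROOT.TEST.     3600000      A     198.51.100.201
.                        3600000      NS    C.EXAMPLE-ROOT.TEST.
C.EXAMPLE-ROOT.TEST.     3600000      A     999.1.1.1
.                        3600000      NS    D.EXAMPLE-ROOT.TEST.
"""


def parse_hints(text):
    """Return (ns_names, glue): root NS targets in file order, and name -> address list."""
    ns_names, glue = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:  # owner TTL type rdata (class IN is implied in these files)
            raise ValueError("unexpected line: %r" % raw)
        owner, _ttl, rtype, rdata = fields
        owner, rtype = owner.lower(), rtype.upper()
        if rtype == "NS":
            if owner != ".":
                raise ValueError("NS record that is not for the root zone: %r" % raw)
            ns_names.append(rdata.lower())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner, []).append(rdata)
    return ns_names, glue


def check_hints(text):
    """Return a list of problem descriptions; an empty list means the hints look usable."""
    ns_names, glue = parse_hints(text)
    problems = []
    if not ns_names:
        problems.append("no NS records for the root zone")
    for name in ns_names:
        addrs = glue.get(name, [])
        if not addrs:
            problems.append("%s has no glue address" % name)
        for addr in addrs:
            try:
                ipaddress.ip_address(addr)  # rejects anything that is not a valid v4/v6 literal
            except ValueError:
                problems.append("%s has malformed address %s" % (name, addr))
    return problems


if __name__ == "__main__":
    for problem in check_hints(SAMPLE_HINTS) or ["root hints look usable"]:
        print(problem)
```

To check a server's real file, read it into a string and pass it to check_hints in place of SAMPLE_HINTS; a clean result only says the file is well formed and complete, so the connectivity test in the next cause still has to be run against the listed addresses.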

Cause: The DNS server does not have network connectivity to the root servers.
Solution: Test for connectivity to the root servers.

If root hints appear to be configured correctly, verify that the DNS server used in a failed query can ping its root servers by IP address.

If a ping attempt to one root server fails, it might indicate that an IP address for that root server has changed. Reconfiguration of root servers, however, is uncommon.

A more likely cause is a full loss of network connectivity or in some cases, poor network performance on the intermediate network links between the DNS server and its configured root servers. Follow basic TCP/IP network troubleshooting steps to diagnose connections and determine whether this is the problem.

By default, the DNS service uses a recursive time-out of 15 seconds before failing a recursive query. Under normal network conditions, this time-out does not need to be changed. If performance warrants it, however, you can increase this value.

To review additional performance related information on DNS queries, you can enable and use the DNS server debug log file, Dns.log, which can provide extensive information about some types of service-related events.

See also: Test a TCP/IP configuration by using the ping command; Using server debug logging options; View a DNS server debug log file; Tuning advanced server parameters.

Cause: Other problems exist with updating DNS server data, such as an issue related to zones or dynamic updates.
Solution: Determine whether the problem is related to zones. As needed, troubleshoot any issues in this area, such as a possible failure of zone transfer.
