Windows 2000 DNS |
Most failed name resolution attempts fail in one of two general ways:
Important
Whenever you are trying to troubleshoot problems with name resolution, always submit an FQDN. In that way, you can make sure that your problem is not caused by an incorrect domain suffix appended to the queried name.
The following flowcharts and associated text in Figures 6.36–6.41 explain how to diagnose each of these problems. For another good source of information for diagnosing common problems, see RFC 1912, "Common DNS Operational and Configuration Errors."
Note
The flowcharts in Figures 6.36–6.41 direct you to other flowcharts in other figures. To locate the correct flow chart, see the figure captions.
Figure 6.36 No Answer or Name Not Found
Figure 6.37 Answer Is Incorrect
Figure 6.38 Authoritative Data Is Incorrect
Figure 6.39 Recursion Problem
Figure 6.40 Zone Transfer Fails
Figure 6.41 Check Server for Problems
If a query fails because you get the response Non-existent domain from Nslookup or the response Unknown host from Ping, the DNS server did not find the name or IP address that you are looking up. Use the following process, shown in Figure 6.36, to help troubleshoot the problem:
To check IP configuration, type ipconfig /all at the command prompt. In the command-line output, verify the IP address, subnet mask, and default gateway.
If the DNS server is authoritative for the name that is being looked up, you probably have a problem with authoritative data. For more information about checking for problems with authoritative data, see "Checking for Problems with Authoritative Data" later in this chapter.
– Or –
If the DNS server is not authoritative for the name that is being looked up, proceed to the next step.
Nslookup <query address> <IP address of server>
where IP address of server is the IP address of the server that you queried originally, and query address is the name or IP address you are attempting to resolve. If you get the message "Server failed" or "Request to server timed out," you probably have a problem involving a broken delegation. For more information about problems with broken delegations, see "Checking for Recursion Problems" later in this chapter.
– Or –
If you get an incorrect answer or the message "Non-existent domain," proceed to the next step.
Nslookup <query address> <IP address of server>
where IP address of server is the IP address of the server that you queried originally, and query address is the name or IP address you are attempting to resolve. If the answer is correct, the problem was a stale cache entry, and your problem is solved.
– Or –
If the answer is still not correct, you probably have a problem with authoritative data. For more information about problems with authoritative data, see "Checking for Problems with Authoritative Data" later in this chapter.
If you query a DNS server and it responds with incorrect information, use the following process, shown in Figure 6.37, to solve the problem.
Nslookup <query address> <IP address of server>
where IP address of server is the IP address of the server that you queried originally, and query address is the name or IP address you are attempting to resolve. If the answer is correct, the problem was a stale cache entry, and your problem is solved.
– Or –
If the answer is still not correct, you probably have a problem with authoritative data. For more information about how to diagnose problems with authoritative data, see "Checking for Problems with Authoritative Data" later in this chapter.
Use the following process, shown in Figure 6.41, to check the DNS server for problems.
If the DNS server does not respond to a direct ping of its IP address, you probably have a network connectivity problem between the client and the DNS server.
nslookup 127.0.0.1 <IP address of server>
If the resolver returns the name of the local host, the server does not have any problems.
– Or –
If the resolver returns the response "Server failure," proceed to step 4.
– Or –
If the resolver returns the response "Request to server timed out" or "No response from server," proceed to step 5.
net start DNS
– Or –
If it is running, the server might not be listening on the IP address that you used in your Nslookup query. From the Interfaces tab of the server properties page in the DNS console, administrators can restrict a DNS server to listen only on selected addresses. If the DNS server has been configured to limit service to a specific list of its configured IP addresses, it is possible that the IP address used to contact the DNS server is not in the list. You can try a different IP address in the list or add the IP address to the list. For more information about restricting a DNS server to listen only on selected addresses, see Windows 2000 Help.
– Or –
In rare cases, the DNS server might be configured to disable the use of its automatically created default zones. By default, the DNS service automatically creates the following standard reverse lookup zones based on RFC recommendations:
The automatic creation of these zones can only be disabled through the registry, so it is unlikely that this has happened. However, if you think automatic creation has been disabled, you can use the DNS console to make sure that the zones exist.
– Or –
In rare cases, the DNS server might have an advanced security or firewall configuration. If the server is located on another network that is reachable only through an intermediate host (such as a packet filtering router or proxy server), the DNS server might use a non-standard port to listen for and receive client requests. By default, Nslookup sends queries to DNS servers on UDP port 53, so if the DNS server uses any other port, Nslookup queries fail. If you think this might be the problem, check whether an intermediate filter is intentionally used to block traffic on well-known DNS ports. If not, try to modify the packet filters or port rules on the firewall to allow traffic on UDP/TCP port 53.
If you have determined that the server contains incorrect authoritative (non-cached) data, use the following process to help troubleshoot the problem:
If the server is a primary server for the zone — either the standard primary server for the zone or a server that uses Active Directory integration to load the zone — the data is incorrect on the primary zone. Go to step 5.
– Or –
If the server is hosting a secondary copy of the zone, proceed to the next step.
If the name is not correct on the master server, go to step 1. When prompted to examine a server, examine the server from which this server pulls zone transfers.
– Or –
If the name was correct on the master server, proceed to the next step.
– Or –
If the serial number on the master server is lower than or equal to the serial number on the secondary server, modify either the master server or the secondary server so that the serial number on the master server is higher than the serial number on the secondary server. Then, proceed to the next step.
– Or –
If the zone was transferred correctly, check whether the data is now correct. If not, the data is incorrect on the primary zone. Proceed to the next step.
If you are responsible for maintaining the zone, you can solve the problem. Otherwise, ask the person who is responsible for maintaining the zone to solve the problem.
For recursion to work successfully, all DNS servers that are used in the path of a recursive query must be able to respond and forward correct data. If they cannot, a recursive query can fail for any of the following reasons:
If you have determined that you have a problem with recursion, use the following process, shown in Figure 6.39, to help troubleshoot the problem. Start with the server used in your original query:
If this server does forward queries to another server, check for problems with the server to which this server forwards queries. To check for problems, follow the troubleshooting steps in "Checking the DNS Server for Problems." When that section instructs you to perform a task on the client, perform it on the server instead.
If the server is healthy and can forward queries, repeat this step, examining the server to which this server forwards queries.
– Or –
If this server does not forward queries to another server, proceed to the next step.
nslookup
server <IP address of the server you are examining>
set querytype=NS
.
If the resolver returns the IP address of a root server, you probably have a broken delegation between the root server and the name or IP address that you are attempting to resolve. Follow the procedure "To test for a broken delegation" to determine where you have a broken delegation.
–Or –
If the resolver returns the response "Request to server timed out," check whether the root hints points to functioning root servers by following the procedure "To view the current root hints." If the root hints does point to functioning root servers, you might have a network problem, or the server might use an advanced firewall configuration that prevents the resolver from querying the server, as described in "Checking the Server for Problems," earlier in this chapter. It is also possible that the recursive time-out default (15 seconds) is too short. For information about how to change this time-out, see the Windows 2000 Server Help. Search for "tuning advanced parameters."
Note
Begin the tests in the following procedure by querying a valid root server. The test takes you through a process of querying all the DNS servers from the root down to the server that you are testing for a broken delegation.
To test for a broken delegation
nslookup
server <server IP address>
set norecursion
set querytype=<resource record type>
<FQDN >
where resource record type is the type of resource record that you were querying for in your original query, and FQDN is the FQDN for which you were querying (terminated by a period).
– Or –
If the response does not contain an NS resource record, you have a broken delegation.
–Or –
If the response contains NS resource records, but no A resource records, type set recursion and query individually for A resource records of servers listed in the NS records. If for each NS resource record in a zone, you do not find at least one valid IP address of an A resource record for each NS resource record, you have a broken delegation.
If you determine that you have a broken delegation, fix it by adding or updating an A resource record in the parent zone with a valid IP address for a correct DNS server for the delegated zone.
To view the current root hints
If the root servers do not respond to pinging by IP address, the IP addresses for the root servers might have changed. However, reconfiguration of root servers, is uncommon.
If you have determined that a secondary server cannot pull a zone transfer from a master server, use the following process, shown in Figure 6.40, to diagnose and solve your zone transfer problems.
If so, it is possible that the zone on the master server includes incompatible resource records that Windows 2000 does not recognize. For a complete list of all RFC-compliant resource record types that are supported by DNS servers that are running under Windows 2000 Server, see Windows 2000 Server Help.