Windows Server 2012 : Troubleshooting DNS (part 1) – Using the DNS Event Viewer to Diagnose Problems, Using the Nslookup Command-Line Utility

Using the DNS Event Viewer to Diagnose Problems

As any good administrator knows, Event Viewer is the first place to look when troubleshooting. Windows Server 2012 makes this even more straightforward because the DNS Server event log (Applications and Services Logs, DNS Server in Event Viewer) is also exposed directly in the DNS Manager console under Global Logs, DNS Events. Reading this log is the quickest way to spot zone-loading and replication failures, query problems, and other issues.

For more detail than the event log gives, you can turn on Debug Logging on a per-server basis; this writes every packet the DNS server sends and receives to a text file. Turn it on only while troubleshooting, because it costs server performance and the log file grows fast. To enable Debug Logging, follow these steps:

1. Launch Server Manager on a Windows Server 2012 server with the full GUI.

2. Select the DNS section. The list of servers in the server pool with the DNS role installed will be shown.

3. Right-click the DNS server to configure and select DNS Manager.

4. Select the DNS server name to configure.

5. Right-click the server name and choose Properties.

6. Select the Debug Logging tab.

7. Check the Log Packets for Debugging check box.

8. Configure any additional settings as required, and click OK.

By default, the log file is named dns.log and is saved in the C:\Windows\System32\dns\ directory (%SystemRoot%\System32\dns\dns.log). Listing 1 shows the debug log of the DNS server dc1.companyabc.com while two clients look up www.cco.com. In the first exchange (6:48:32), the query from 10.1.1.1 is sent straight to 12.222.165.144, which answers authoritatively (the A character next to the flags), and the answer is returned to 10.1.1.1. In the second exchange (6:48:58), the client at 10.1.2.13 first asks for www.cco.com.companyabc.com (A, then AAAA) because its resolver appends the local DNS suffix; the server answers NXDOMAIN itself, authoritatively, since it hosts the companyabc.com zone. The client then asks for the plain name www.cco.com, and this time the server walks the delegation chain: it queries 128.8.10.90 and then 192.55.83.30 (at the time a root server and a .com name server), whose responses carry flags 0080 with no A or R character, that is, referrals, before reaching 12.222.165.144 for the authoritative answer that is sent back to 10.1.2.13. The AAAA lookup that follows goes directly to 12.222.165.144, because the server now knows which server is authoritative for cco.com.

Listing 1. DNS Log File


5/28/2012 6:48:32 PM 067C PACKET  000000BDAFD158A0 UDP Rcv 10.1.1.1        3b60
Q [0001   D   NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:32 PM 067C PACKET  000000BDB0216410 UDP Snd 12.222.165.144  ebfc
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:32 PM 067C PACKET  000000BDB0D8FF80 UDP Rcv 12.222.165.144  ebfc
R Q [8084 A  R  NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:32 PM 067C PACKET  000000BDAFD158A0 UDP Snd 10.1.1.1        3b60
R Q [8081   DR  NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0A2B5B0 UDP Rcv 10.1.2.13       0006
Q [0001   D   NOERROR] A      (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0A2B5B0 UDP Snd 10.1.2.13       0006
R Q [8385 A DR NXDOMAIN] A      (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB01CFCE0 UDP Rcv 10.1.2.13       0007
Q [0001   D   NOERROR] AAAA   (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB01CFCE0 UDP Snd 10.1.2.13       0007
R Q [8385 A DR NXDOMAIN] AAAA   (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0D8FF80 UDP Rcv 10.1.2.13       0008
Q [0001   D   NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDAFD158A0 UDP Snd 128.8.10.90     d511
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAFD27B40 UDP Rcv 128.8.10.90     d511
R Q [0080       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAFD158A0 UDP Snd 192.55.83.30    9b01
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB09D48F0 UDP Rcv 192.55.83.30    9b01
R Q [0080       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAFD158A0 UDP Snd 12.222.165.144  c2da
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAF446E30 UDP Rcv 12.222.165.144  c2da
R Q [8084 A  R  NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0D8FF80 UDP Snd 10.1.2.13       0008
R Q [8081   DR  NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0A2B5B0 UDP Rcv 10.1.2.13       0009
Q [0001   D   NOERROR] AAAA   (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0D8FF80 UDP Snd 12.222.165.144  7b4a
Q [0000       NOERROR] AAAA   (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0F3BB90 UDP Rcv 12.222.165.144  7b4a
R Q [8084 A  R  NOERROR] AAAA   (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0A2B5B0 UDP Snd 10.1.2.13       0009
R Q [8081   DR  NOERROR] AAAA   (3)www(3)cco(3)com(0)


The DNS log can be very detailed and tedious to read, but it records exactly what the DNS server is doing. Each packet record (wrapped onto two lines in Listing 1; one line in the file itself) shows the timestamp, the thread ID, an internal packet identifier, the protocol, the direction (Snd or Rcv, from the server's point of view), the remote address, the DNS transaction ID, an R for responses, the DNS header flags in hex followed by character codes (A authoritative answer, T truncated, D recursion desired, R recursion available), the response code, the query type, and the queried name written as length-prefixed labels, so (3)www(3)cco(3)com(0) is www.cco.com. Selecting the Details check box on the Debug Logging tab adds the contents of each packet, including the data that was returned. Logging adds significantly to the load of the DNS server, so enable it only while troubleshooting and disable it immediately afterwards.
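To make a dns.log usable at scale rather than read by eye, here is an added parser (example code written for this page, not part of the original article or of Windows) that reads records in exactly the format of Listing 1, decodes the hex flag field, checks it against the printed character codes and response code, pairs each client query with the answer the server sent back, and lists the upstream servers the server contacted. The sample input is an excerpt of Listing 1; to run it on a real file, pass the contents of dns.log to parse_dns_log(). The layout of the hex flag field (DNS wire byte 1 as the low byte, wire byte 2 as the high byte) is inferred from the values in Listing 1, all of which decode consistently under it.

```python
"""Parse Windows DNS Server debug-log (dns.log) packet records and summarise them."""
import re
from collections import Counter, namedtuple

# Excerpt of Listing 1 (the 10.1.2.13 lookups, without the 192.55.83.30 referral), in the
# wrapped two-line layout the listing uses; a real dns.log keeps each packet on one line.
SAMPLE_LOG = """\
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0A2B5B0 UDP Rcv 10.1.2.13       0006
Q [0001   D   NOERROR] A      (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0A2B5B0 UDP Snd 10.1.2.13       0006
R Q [8385 A DR NXDOMAIN] A      (3)www(3)cco(3)com(10)companyabc(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDB0D8FF80 UDP Rcv 10.1.2.13       0008
Q [0001   D   NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:58 PM 067C PACKET  000000BDAFD158A0 UDP Snd 128.8.10.90     d511
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAFD27B40 UDP Rcv 128.8.10.90     d511
R Q [0080       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAFD158A0 UDP Snd 12.222.165.144  c2da
Q [0000       NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDAF446E30 UDP Rcv 12.222.165.144  c2da
R Q [8084 A  R  NOERROR] A      (3)www(3)cco(3)com(0)
5/28/2012 6:48:59 PM 067C PACKET  000000BDB0D8FF80 UDP Snd 10.1.2.13       0008
R Q [8081   DR  NOERROR] A      (3)www(3)cco(3)com(0)
"""

HEADER = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s[AP]M)\s+(?P<thread>[0-9A-Fa-f]{4})"
    r"\s+PACKET\s+(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)"
    r"\s+(?P<xid>[0-9A-Fa-f]{4})(?:\s+(?P<body>\S.*))?$")
BODY = re.compile(r"^(?P<resp>R)?\s*Q \[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<codes>[^\]]*)\]"
                  r"\s+(?P<qtype>\S+)\s+(?P<name>\S+)$")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
CODE_BITS = (("A", "AA"), ("T", "TC"), ("D", "RD"), ("R", "RA"))   # printed codes, in log order
# direction is Snd/Rcv from the server's side; consistent = printed codes agree with the hex flags
Packet = namedtuple("Packet", "time direction remote xid is_response flags rcode qtype name consistent")


def decode_flags(hex_flags):
    """Hex field = the two wire flag bytes, byte 1 (QR/opcode/AA/TC/RD) low and byte 2
    (RA/Z/RCODE) high; an inference from Listing 1, where every line decodes consistently."""
    value = int(hex_flags, 16)
    lo, hi = value & 0xFF, value >> 8
    return {"QR": bool(lo & 0x80), "AA": bool(lo & 0x04), "TC": bool(lo & 0x02),
            "RD": bool(lo & 0x01), "RA": bool(hi & 0x80), "rcode": hi & 0x0F}


def decode_name(labels):
    """'(3)www(3)cco(3)com(0)' -> 'www.cco.com', checking each label's stated length."""
    parts = []
    for length, text in re.findall(r"\((\d+)\)([^()]*)", labels):
        if int(length) != len(text):
            raise ValueError("label length mismatch in " + labels)
        parts.append(text)
    return ".".join(p for p in parts if p) or "."


def _packet(head, body):
    m = BODY.match(body.strip())
    tokens = m.group("codes").split() if m else []
    if not tokens:
        raise ValueError("unrecognised packet body: " + body)
    flags = decode_flags(m.group("flags"))
    printed, rcode = "".join(tokens[:-1]), tokens[-1]
    expected = "".join(c for c, bit in CODE_BITS if flags[bit])
    return Packet(head.group("time"), head.group("dir"), head.group("remote"),
                  head.group("xid").lower(), m.group("resp") == "R", flags, rcode,
                  m.group("qtype"), decode_name(m.group("name")),
                  printed == expected and RCODES.get(flags["rcode"]) == rcode)


def parse_dns_log(text):
    """Return Packets; a header line with no body takes the next line as its body."""
    packets, pending = [], None
    for line in (ln.rstrip() for ln in text.splitlines() if ln.strip()):
        head = HEADER.match(line)
        if head and head.group("body"):
            packets.append(_packet(head, head.group("body")))
        elif head:
            pending = head
        elif pending is not None:
            packets.append(_packet(pending, line))
            pending = None
        else:
            raise ValueError("unrecognised line: " + line)
    return packets


def resolutions(packets):
    """Pair each query received with the response sent back to the same address under the
    same transaction ID, type and name; queries with no response are marked UNANSWERED."""
    answers = {(p.remote, p.xid, p.qtype, p.name): p.rcode
               for p in packets if p.direction == "Snd" and p.is_response}
    return [(p.remote, p.qtype, p.name, answers.get((p.remote, p.xid, p.qtype, p.name), "UNANSWERED"))
            for p in packets if p.direction == "Rcv" and not p.is_response]


def upstream_servers(packets):
    """Addresses the server itself queried (root, TLD, authoritative or forwarder)."""
    return Counter(p.remote for p in packets if p.direction == "Snd" and not p.is_response)


def nxdomain_by_client(packets):
    """NXDOMAIN answers per client: a spike usually means a wrong search suffix, a stale
    HOSTS or cache entry, or a host asking for names that do not exist."""
    return Counter(c for c, _, _, rc in resolutions(packets) if rc == "NXDOMAIN")


if __name__ == "__main__":
    for client, qtype, name, rcode in resolutions(parse_dns_log(SAMPLE_LOG)):
        print(client, qtype, name, rcode)
```

The consistent field is a cheap sanity check on the parser itself: if a line's printed codes ever disagree with the decoded hex, either the log format has changed or the flag layout assumed here is wrong, and the packet should be examined by hand rather than trusted.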

Using Performance Monitor to Monitor DNS

Performance Monitor is a built-in, often-overlooked utility that gives a great deal of insight into what a server is doing. The DNS performance object exposes counters for queries (for example Total Query Received/sec, Recursive Queries/sec and Recursive Query Failure/sec), zone transfers (Zone Transfer Success and Zone Transfer Failure), memory (Caching Memory and Database Node Memory) and other important factors. A baseline captured during normal operation is what makes a later deviation, such as a sudden rise in recursive query failures, stand out.

Client-Side Cache and HOST Resolution Problems

Windows 2000 and later clients have a built-in resolver cache that holds every answer obtained from name servers, negative answers included. When a lookup is requested, the client resolver checks this cache first, before contacting the name server. Entries remain in the cache until their TTL expires, the machine is rebooted, or the cache is flushed. When erroneous information has made its way into the client cache, you can inspect it with ipconfig /displaydns and flush it by typing ipconfig /flushdns at the command prompt.

By default, every client has a file named HOSTS that provides simple line-by-line resolution of names to IP addresses. This file is located in %SystemRoot%\System32\drivers\etc. HOSTS entries are consulted before DNS, so a manual or stale entry silently overrides whatever DNS returns; and because the file is a common target for malware that wants to redirect or block names, it is wise to check it both for conflicts with the DNS database and for entries that should not be there when troubleshooting.
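As a concrete version of that check, here is an added script (example code written for this page, not from the original article) that parses a HOSTS file the way Windows reads it (one address followed by one or more names per line, # comments, case-insensitive names), flags names listed twice with different addresses of the same family, and compares each name with what DNS returns. Both the HOSTS content and the DNS answers are constructed for the example (the addresses and the leftover entries are invented); in production, replace the DNS_ANSWERS lookup with a function that queries the DNS server directly, for instance by parsing nslookup output.

```python
"""Check a Windows HOSTS file against what DNS actually returns for the same names."""
import ipaddress
from collections import defaultdict

# Constructed sample HOSTS file; the addresses and the leftover entries are invented.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
10.1.1.50       www.companyabc.com  www   # left over from a server migration
10.1.1.50       intranet.companyabc.com
10.1.1.70       mail.companyabc.com
10.1.1.71       MAIL.companyabc.com       # second line for the same name
"""
# Constructed stand-in for the DNS server's answers (all A/AAAA data for each name).
# In production replace this with a function that asks the server directly: the stdlib
# socket.gethostbyname() consults HOSTS first and would hide the very conflict sought.
DNS_ANSWERS = {"www.companyabc.com": {"10.1.1.20"},
               "intranet.companyabc.com": {"10.1.1.50"},
               "mail.companyabc.com": {"10.1.1.70"}}


def parse_hosts(text):
    """Return {name: [addresses]} in file order; names are lower-cased because HOSTS
    matching is case-insensitive. Raises ValueError on a line whose first field is not
    an IP address, so a corrupted file is reported instead of silently skipped."""
    entries = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()        # drop full-line and trailing comments
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            raise ValueError("HOSTS line does not start with an address: " + raw.strip())
        for name in fields[1:]:
            entries[name.lower()].append(fields[0])
    return dict(entries)


def hosts_conflicts(hosts, resolve):
    """Compare every HOSTS name with DNS. resolve(name) returns the set of addresses DNS
    gives for the name (empty when it does not exist). Returns
    {name: (hosts_addresses, dns_addresses, verdict)}."""
    report = {}
    for name, addrs in hosts.items():
        per_family = defaultdict(set)                 # IPv4 and IPv6 lines may coexist
        for a in addrs:
            per_family[ipaddress.ip_address(a).version].add(a)
        if any(len(s) > 1 for s in per_family.values()):
            report[name] = (sorted(set(addrs)), None, "duplicate HOSTS lines with different addresses")
            continue
        dns = set(resolve(name))
        if not dns:
            verdict = "HOSTS-only name (DNS has no record)"
        elif set(addrs) == dns:
            verdict = "matches DNS"
        else:
            verdict = "HOSTS overrides DNS"
        report[name] = (sorted(set(addrs)), sorted(dns), verdict)
    return report


def problems(report):
    """Only the findings that need a human decision."""
    return {n: v for n, v in report.items() if v[2] != "matches DNS"}


if __name__ == "__main__":
    findings = hosts_conflicts(parse_hosts(SAMPLE_HOSTS), lambda n: DNS_ANSWERS.get(n, set()))
    for name, (in_hosts, in_dns, verdict) in problems(findings).items():
        print(f"{name:<28} HOSTS={in_hosts} DNS={in_dns}: {verdict}")
```

Duplicates are judged per address family on purpose: a 127.0.0.1 line and a ::1 line for the same name are normal, whereas two IPv4 lines for one name mean somebody edited the file twice and only one of them can be in effect.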

Using the Nslookup Command-Line Utility

The Nslookup command-line utility is perhaps the most useful tool for DNS client troubleshooting. Its functionality is basic, but the information it returns goes a long way toward understanding DNS problems. In its simplest use, Nslookup sends a query for the name you enter to the client's default DNS server; for example, to test a lookup of www.companyabc.com, type nslookup www.companyabc.com at the command prompt. Note that Nslookup queries the server directly and ignores both the resolver cache and the HOSTS file, so when ping and Nslookup disagree about a name, the cache or the HOSTS file is the place to look. Different query types can also be requested. For example, you can view the MX and SOA records for a domain by following these steps, which are illustrated in Figure 1:

1. Open a command prompt (on Windows Server 2012, press Windows+X and choose Command Prompt).

2. Type nslookup and press Enter.

3. Type set query=mx and press Enter.

4. Type the domain name (for example, companyabc.com) and press Enter.

5. Type set query=soa and press Enter.

6. Type the domain name again and press Enter.

Figure 1. Nslookup of an MX and an SOA record.

Nslookup’s functionality is not limited to these simple lookups. Running nslookup /? lists its many options, and the same queries can be run non-interactively, for example nslookup -type=mx companyabc.com or nslookup -type=soa companyabc.com, which is convenient in scripts. Nslookup is the tool of choice for many name-resolution problems and belongs in any troubleshooter’s arsenal.
