Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

DNS Query Trace

Posted on 2010-08-24
8
Medium Priority
?
1,522 Views
Last Modified: 2013-11-16
Hi,
I am having DNS query timeouts in my network and although I have figured a pleasant workaround I wondered if anyone can advise me on a tool that will allow me to trace DNS Queries.
I suspect my firewall (although all outbound open) when it receives my forwarders from the Server 2008 DNS.

Just to clarify its the DNS Query I want to trace and not the destination I'm trying to resovle.

Thanks in advance.

0
Comment
Question by:pbrane
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 33509841

You would need to monitor traffic flow on each device in the chain (since you'd need to debug a timeout on the network level).

Depending on your firewall you may find that it's dropping packets over a certain size, a common problem when EDNS was first implemented in MS DNS. Some firewalls dropped UDP packets larger than 512b.

You won't find a specific tool to do this short of a packet sniffer. For instance, Wireshark on the Windows boxes, TCPDump on Unix / Linux and whatever your Firewalls / Routers expose.

Note that you can use Dig to perform iterative queries, however, that doesn't show you information about why something was dropped, especially not if a forwarder is in use.

Chris
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509925
Hm, first I would try to use tracert command and analyze output.

type in command-line

tracert www.google.pl
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 33509981
There is a utility called tracetcp, which is similar to tracert, but you can specify the port.
This is useful in that it tells you the hop path.
You may have to try this multiple times, from each server in the path.
e.g. client PC to local server, local server to root domain server, root domain server to external ISP. This last is probably what will give you the info you need.
Also ask your ISP what their default TTL is. A very low TTL will mean that more queries get a negative response.
If you manage your firewall, or if you can engage your firewall team, it might be worthwhile to open ICMP for a few minutes so you can do some pings & tracerts to your ISP's DNS servers & others.

tracetcp-0.99.1beta.zip
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 4

Author Comment

by:pbrane
ID: 33510020
Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

I am going to accept Chris-Dent's answer shortly as I think he fully understands the problem I am having. His description is the exact reason why I wanted to trace the queries but I have one more question as an extension of this issue.

Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510027

Tracert shows ICMP responses between the current system and the IP of the record for www.google.pl. Nothing to do with the DNS query really.

The trouble with this problem is that a DNS query timeout is a network problem, and in that instance you need to be checking traffic flow on UDP Port 53, not ICMP with ping / tracert.

Bear in mind that when a Forwarder is in use all DNS traffic flows between the local server and the forwarder. If you're getting occasional timeouts (not timeouts for everything) it suggests some UDP packets are being dropped between those two devices.

Chris
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 2000 total points
ID: 33510069

> Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

No.

The query will originates from a high-numbered port on your DNS server, and is set to UDP 53 on the forwarder. On MS DNS the ports are reserved and make up the 2500 you see when running netstat -an. The response from the remote server will come back to the high-numbered port. The firewall is expected to manage a psuedo-connection state for the UDP conversation, allowing the reply to come back into your network.

> Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

You might start by disabling EDNS:

dnscmd /config /enableednsprobes 0

The ideal is to check out if the packet is being dropped and raising the limit (if any is applied). Of course, that needs you to have access to all network devices in the chain which may not be feasible. Best case would have to accepting UDP packets up to 4096b, that'll cover you for everything from a simple query to EDNS to DNSSEC.

Chris
0
 
LVL 4

Author Closing Comment

by:pbrane
ID: 33510170
I understand I havent provided the remark on whether the suggested solutions work  to this issue but my question was one of diagnosing the issue.
Chris-Dent your a star. Thanks for everyones input.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510183

You're welcome, I hope you get to the bottom of it.

Chris
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question