Solved

DNS Query Trace

Posted on 2010-08-24
8
1,515 Views
Last Modified: 2013-11-16
Hi,
I am having DNS query timeouts in my network and although I have figured a pleasant workaround I wondered if anyone can advise me on a tool that will allow me to trace DNS Queries.
I suspect my firewall (although all outbound open) when it receives my forwarders from the Server 2008 DNS.

Just to clarify its the DNS Query I want to trace and not the destination I'm trying to resovle.

Thanks in advance.

0
Comment
Question by:pbrane
8 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33509841

You would need to monitor traffic flow on each device in the chain (since you'd need to debug a timeout on the network level).

Depending on your firewall you may find that it's dropping packets over a certain size, a common problem when EDNS was first implemented in MS DNS. Some firewalls dropped UDP packets larger than 512b.

You won't find a specific tool to do this short of a packet sniffer. For instance, Wireshark on the Windows boxes, TCPDump on Unix / Linux and whatever your Firewalls / Routers expose.

Note that you can use Dig to perform iterative queries, however, that doesn't show you information about why something was dropped, especially not if a forwarder is in use.

Chris
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509925
Hm, first I would try to use tracert command and analyze output.

type in command-line

tracert www.google.pl
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 33509981
There is a utility called tracetcp, which is similar to tracert, but you can specify the port.
This is useful in that it tells you the hop path.
You may have to try this multiple times, from each server in the path.
e.g. client PC to local server, local server to root domain server, root domain server to external ISP. This last is probably what will give you the info you need.
Also ask your ISP what their default TTL is. A very low TTL will mean that more queries get a negative response.
If you manage your firewall, or if you can engage your firewall team, it might be worthwhile to open ICMP for a few minutes so you can do some pings & tracerts to your ISP's DNS servers & others.

tracetcp-0.99.1beta.zip
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 4

Author Comment

by:pbrane
ID: 33510020
Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

I am going to accept Chris-Dent's answer shortly as I think he fully understands the problem I am having. His description is the exact reason why I wanted to trace the queries but I have one more question as an extension of this issue.

Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510027

Tracert shows ICMP responses between the current system and the IP of the record for www.google.pl. Nothing to do with the DNS query really.

The trouble with this problem is that a DNS query timeout is a network problem, and in that instance you need to be checking traffic flow on UDP Port 53, not ICMP with ping / tracert.

Bear in mind that when a Forwarder is in use all DNS traffic flows between the local server and the forwarder. If you're getting occasional timeouts (not timeouts for everything) it suggests some UDP packets are being dropped between those two devices.

Chris
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 33510069

> Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

No.

The query will originates from a high-numbered port on your DNS server, and is set to UDP 53 on the forwarder. On MS DNS the ports are reserved and make up the 2500 you see when running netstat -an. The response from the remote server will come back to the high-numbered port. The firewall is expected to manage a psuedo-connection state for the UDP conversation, allowing the reply to come back into your network.

> Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

You might start by disabling EDNS:

dnscmd /config /enableednsprobes 0

The ideal is to check out if the packet is being dropped and raising the limit (if any is applied). Of course, that needs you to have access to all network devices in the chain which may not be feasible. Best case would have to accepting UDP packets up to 4096b, that'll cover you for everything from a simple query to EDNS to DNSSEC.

Chris
0
 
LVL 4

Author Closing Comment

by:pbrane
ID: 33510170
I understand I havent provided the remark on whether the suggested solutions work  to this issue but my question was one of diagnosing the issue.
Chris-Dent your a star. Thanks for everyones input.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510183

You're welcome, I hope you get to the bottom of it.

Chris
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This article explains how to install and use the NTBackup utility that comes with Windows Server.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question