[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1523
  • Last Modified:

DNS Query Trace

Hi,
I am having DNS query timeouts in my network and although I have figured a pleasant workaround I wondered if anyone can advise me on a tool that will allow me to trace DNS Queries.
I suspect my firewall (although all outbound open) when it receives my forwarders from the Server 2008 DNS.

Just to clarify its the DNS Query I want to trace and not the destination I'm trying to resovle.

Thanks in advance.

0
pbrane
Asked:
pbrane
2 Solutions
 
Chris DentPowerShell DeveloperCommented:

You would need to monitor traffic flow on each device in the chain (since you'd need to debug a timeout on the network level).

Depending on your firewall you may find that it's dropping packets over a certain size, a common problem when EDNS was first implemented in MS DNS. Some firewalls dropped UDP packets larger than 512b.

You won't find a specific tool to do this short of a packet sniffer. For instance, Wireshark on the Windows boxes, TCPDump on Unix / Linux and whatever your Firewalls / Routers expose.

Note that you can use Dig to perform iterative queries, however, that doesn't show you information about why something was dropped, especially not if a forwarder is in use.

Chris
0
 
Krzysztof PytkoActive Directory EngineerCommented:
Hm, first I would try to use tracert command and analyze output.

type in command-line

tracert www.google.pl
0
 
Chev_PCNCommented:
There is a utility called tracetcp, which is similar to tracert, but you can specify the port.
This is useful in that it tells you the hop path.
You may have to try this multiple times, from each server in the path.
e.g. client PC to local server, local server to root domain server, root domain server to external ISP. This last is probably what will give you the info you need.
Also ask your ISP what their default TTL is. A very low TTL will mean that more queries get a negative response.
If you manage your firewall, or if you can engage your firewall team, it might be worthwhile to open ICMP for a few minutes so you can do some pings & tracerts to your ISP's DNS servers & others.

tracetcp-0.99.1beta.zip
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
pbraneAuthor Commented:
Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

I am going to accept Chris-Dent's answer shortly as I think he fully understands the problem I am having. His description is the exact reason why I wanted to trace the queries but I have one more question as an extension of this issue.

Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

Thanks
0
 
Chris DentPowerShell DeveloperCommented:

Tracert shows ICMP responses between the current system and the IP of the record for www.google.pl. Nothing to do with the DNS query really.

The trouble with this problem is that a DNS query timeout is a network problem, and in that instance you need to be checking traffic flow on UDP Port 53, not ICMP with ping / tracert.

Bear in mind that when a Forwarder is in use all DNS traffic flows between the local server and the forwarder. If you're getting occasional timeouts (not timeouts for everything) it suggests some UDP packets are being dropped between those two devices.

Chris
0
 
Chris DentPowerShell DeveloperCommented:

> Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

No.

The query will originates from a high-numbered port on your DNS server, and is set to UDP 53 on the forwarder. On MS DNS the ports are reserved and make up the 2500 you see when running netstat -an. The response from the remote server will come back to the high-numbered port. The firewall is expected to manage a psuedo-connection state for the UDP conversation, allowing the reply to come back into your network.

> Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

You might start by disabling EDNS:

dnscmd /config /enableednsprobes 0

The ideal is to check out if the packet is being dropped and raising the limit (if any is applied). Of course, that needs you to have access to all network devices in the chain which may not be feasible. Best case would have to accepting UDP packets up to 4096b, that'll cover you for everything from a simple query to EDNS to DNSSEC.

Chris
0
 
pbraneAuthor Commented:
I understand I havent provided the remark on whether the suggested solutions work  to this issue but my question was one of diagnosing the issue.
Chris-Dent your a star. Thanks for everyones input.
0
 
Chris DentPowerShell DeveloperCommented:

You're welcome, I hope you get to the bottom of it.

Chris
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now