Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

DNS Query Trace

Posted on 2010-08-24
8
1,513 Views
Last Modified: 2013-11-16
Hi,
I am having DNS query timeouts in my network and although I have figured a pleasant workaround I wondered if anyone can advise me on a tool that will allow me to trace DNS Queries.
I suspect my firewall (although all outbound open) when it receives my forwarders from the Server 2008 DNS.

Just to clarify its the DNS Query I want to trace and not the destination I'm trying to resovle.

Thanks in advance.

0
Comment
Question by:pbrane
8 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33509841

You would need to monitor traffic flow on each device in the chain (since you'd need to debug a timeout on the network level).

Depending on your firewall you may find that it's dropping packets over a certain size, a common problem when EDNS was first implemented in MS DNS. Some firewalls dropped UDP packets larger than 512b.

You won't find a specific tool to do this short of a packet sniffer. For instance, Wireshark on the Windows boxes, TCPDump on Unix / Linux and whatever your Firewalls / Routers expose.

Note that you can use Dig to perform iterative queries, however, that doesn't show you information about why something was dropped, especially not if a forwarder is in use.

Chris
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509925
Hm, first I would try to use tracert command and analyze output.

type in command-line

tracert www.google.pl
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 33509981
There is a utility called tracetcp, which is similar to tracert, but you can specify the port.
This is useful in that it tells you the hop path.
You may have to try this multiple times, from each server in the path.
e.g. client PC to local server, local server to root domain server, root domain server to external ISP. This last is probably what will give you the info you need.
Also ask your ISP what their default TTL is. A very low TTL will mean that more queries get a negative response.
If you manage your firewall, or if you can engage your firewall team, it might be worthwhile to open ICMP for a few minutes so you can do some pings & tracerts to your ISP's DNS servers & others.

tracetcp-0.99.1beta.zip
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 4

Author Comment

by:pbrane
ID: 33510020
Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

I am going to accept Chris-Dent's answer shortly as I think he fully understands the problem I am having. His description is the exact reason why I wanted to trace the queries but I have one more question as an extension of this issue.

Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

Thanks
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33510027

Tracert shows ICMP responses between the current system and the IP of the record for www.google.pl. Nothing to do with the DNS query really.

The trouble with this problem is that a DNS query timeout is a network problem, and in that instance you need to be checking traffic flow on UDP Port 53, not ICMP with ping / tracert.

Bear in mind that when a Forwarder is in use all DNS traffic flows between the local server and the forwarder. If you're getting occasional timeouts (not timeouts for everything) it suggests some UDP packets are being dropped between those two devices.

Chris
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 33510069

> Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

No.

The query will originates from a high-numbered port on your DNS server, and is set to UDP 53 on the forwarder. On MS DNS the ports are reserved and make up the 2500 you see when running netstat -an. The response from the remote server will come back to the high-numbered port. The firewall is expected to manage a psuedo-connection state for the UDP conversation, allowing the reply to come back into your network.

> Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

You might start by disabling EDNS:

dnscmd /config /enableednsprobes 0

The ideal is to check out if the packet is being dropped and raising the limit (if any is applied). Of course, that needs you to have access to all network devices in the chain which may not be feasible. Best case would have to accepting UDP packets up to 4096b, that'll cover you for everything from a simple query to EDNS to DNSSEC.

Chris
0
 
LVL 4

Author Closing Comment

by:pbrane
ID: 33510170
I understand I havent provided the remark on whether the suggested solutions work  to this issue but my question was one of diagnosing the issue.
Chris-Dent your a star. Thanks for everyones input.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 33510183

You're welcome, I hope you get to the bottom of it.

Chris
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question