Solved

DNS Query Trace

Posted on 2010-08-24
8
1,519 Views
Last Modified: 2013-11-16
Hi,
I am having DNS query timeouts in my network and although I have figured a pleasant workaround I wondered if anyone can advise me on a tool that will allow me to trace DNS Queries.
I suspect my firewall (although all outbound open) when it receives my forwarders from the Server 2008 DNS.

Just to clarify its the DNS Query I want to trace and not the destination I'm trying to resovle.

Thanks in advance.

0
Comment
Question by:pbrane
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 71

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 33509841

You would need to monitor traffic flow on each device in the chain (since you'd need to debug a timeout on the network level).

Depending on your firewall you may find that it's dropping packets over a certain size, a common problem when EDNS was first implemented in MS DNS. Some firewalls dropped UDP packets larger than 512b.

You won't find a specific tool to do this short of a packet sniffer. For instance, Wireshark on the Windows boxes, TCPDump on Unix / Linux and whatever your Firewalls / Routers expose.

Note that you can use Dig to perform iterative queries, however, that doesn't show you information about why something was dropped, especially not if a forwarder is in use.

Chris
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33509925
Hm, first I would try to use tracert command and analyze output.

type in command-line

tracert www.google.pl
0
 
LVL 9

Expert Comment

by:Chev_PCN
ID: 33509981
There is a utility called tracetcp, which is similar to tracert, but you can specify the port.
This is useful in that it tells you the hop path.
You may have to try this multiple times, from each server in the path.
e.g. client PC to local server, local server to root domain server, root domain server to external ISP. This last is probably what will give you the info you need.
Also ask your ISP what their default TTL is. A very low TTL will mean that more queries get a negative response.
If you manage your firewall, or if you can engage your firewall team, it might be worthwhile to open ICMP for a few minutes so you can do some pings & tracerts to your ISP's DNS servers & others.

tracetcp-0.99.1beta.zip
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 4

Author Comment

by:pbrane
ID: 33510020
Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

I am going to accept Chris-Dent's answer shortly as I think he fully understands the problem I am having. His description is the exact reason why I wanted to trace the queries but I have one more question as an extension of this issue.

Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

Thanks
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510027

Tracert shows ICMP responses between the current system and the IP of the record for www.google.pl. Nothing to do with the DNS query really.

The trouble with this problem is that a DNS query timeout is a network problem, and in that instance you need to be checking traffic flow on UDP Port 53, not ICMP with ping / tracert.

Bear in mind that when a Forwarder is in use all DNS traffic flows between the local server and the forwarder. If you're getting occasional timeouts (not timeouts for everything) it suggests some UDP packets are being dropped between those two devices.

Chris
0
 
LVL 71

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 33510069

> Would it make sense if I suggested opening Inbound UDP 53 for my internal DNS server?

No.

The query will originates from a high-numbered port on your DNS server, and is set to UDP 53 on the forwarder. On MS DNS the ports are reserved and make up the 2500 you see when running netstat -an. The response from the remote server will come back to the high-numbered port. The firewall is expected to manage a psuedo-connection state for the UDP conversation, allowing the reply to come back into your network.

> Now I suppose I need to find out whether I can restrict DNS query packet sizes to 512bytes from the server or allow greater packet sizes on the firewall.

You might start by disabling EDNS:

dnscmd /config /enableednsprobes 0

The ideal is to check out if the packet is being dropped and raising the limit (if any is applied). Of course, that needs you to have access to all network devices in the chain which may not be feasible. Best case would have to accepting UDP packets up to 4096b, that'll cover you for everything from a simple query to EDNS to DNSSEC.

Chris
0
 
LVL 4

Author Closing Comment

by:pbrane
ID: 33510170
I understand I havent provided the remark on whether the suggested solutions work  to this issue but my question was one of diagnosing the issue.
Chris-Dent your a star. Thanks for everyones input.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 33510183

You're welcome, I hope you get to the bottom of it.

Chris
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question