DNS server question

I need to have a machine be able to look up and query a DNS server. I have software that tells me I need to be able to do the 3 things below:

-ping the domain. Ex: ping domain.net (which I can do)
>server domain.net (returns valid data)
>ls -t SRV domain.net (after this it tells me "Cant list domain domain.net:query refused")

I do not even know what the "ls -t SRV domain.net" command does. Can anyone tell me? Also, why can it not get any information? I have even run it on the DC\DNS server itself and it doesn't return any info. Thanks
Thomas N (Systems Analyst - Windows System Administrator) asked:

In the example, domain.net should be replaced with your own domain info, else you will get the results for literally "domain.net".

Typing nslookup will start the nslookup command environment and display your default name server and its address.

ls -t srv yourdomain.net  -  should list the SRV records if they were properly created. The first character is an "L" by the way.

A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.

Thomas N (Systems Analyst - Windows System Administrator), author, commented:
Okay, thanks. Why would it not be able to list my SRV records? I can't even do it on the DNS server itself. All the SRV records I have seem to have nothing wrong with them. It tells me "query refused", and I am a full domain and enterprise admin on my network.

Off the top of my head, I think that is considered a zone transfer type of request... since it is an open request and not specific. That is not normally allowed to any machine. Zone xfers are normally allowed only to other DNS servers on your network for your domain(s).

You can see in the properties of your DNS server what the zone transfer settings are. (under the domain properties, not server)

Ah, here is the story from MS:

FDiskWizard hit the nail on the head. The ls sub-command of nslookup does a zone transfer request. Your DNS server is most likely (best security practice) set up to restrict what IP addresses can do zone transfers.

Normally only DNS servers that are defined as secondary for the zone can do transfers.  Since the primary server does not do zone transfers to itself, it is not allowed to do a zone transfer to itself.

You have three options:

1) Go to a server that is secondary for that zone and issue the ls command.
2) Have your computer setup to be authorized to do a zone transfer.
3) Instead of doing an ls -t srv, do:

     set type=srv
Jon Brelie (System Architect) commented:
Are you doing a split DNS model where your internal Active Directory domain is the same as your public URL domain name?  If so, you will need to make sure that you create SRV records on the DNS server as well as your public DNS.  

Your local DNS server thinks that it is authoritative for the domain and only looks to itself to check that domain.

Please run the following and post the results:

"nslookup -q=SRV domain.net"
Thomas N (Systems Analyst - Windows System Administrator), author, commented:
Here are the results of "nslookup -q=SRV domain.net". Also I am not doing a split DNS. This DNS server is only internal.

Z:\>nslookup -q=SRV domain.net
Server:  iepszw001.domain.net
        primary name server = iepszw001.domain.net
        responsible mail addr = hostmaster
        serial  = 654268
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

All my DCs are primary for that zone. I have a single domain network. I have it set to "Zone transfer to any server". I have about 8 DCs, but if I go to any of them I get the same results when I try to run that command: "query refused".
Thomas N (Systems Analyst - Windows System Administrator), author, commented:
That command I am meaning the "ls -t SRV domain.net". It tells me query refused.
If you don't have any SRV records and the name you enter is a domain name, you will get back the SOA record for that domain.

Is this supposed to be your AD integrated domain?  Or just a "normal" IP name space?

When you set the zone transfer to any server, did you do it for that specific domain or for all domains?
Even to do that command from your DNS server... you will get that error. Read the MORE INFORMATION under the link I provided.

Basically you can add its own IP to the list. Or there is a hotfix for this specific issue.
Or maybe add your workstation IP... But you may have to switch to "ONLY TO THE FOLLOWING SERVERS" instead of "ONLY TO SERVERS LISTED on the NAME SERVERS tab."

Note that this could be a taxing task on your server.

Also: Look up DNSLINT.exe
Thomas N (Systems Analyst - Windows System Administrator), author, commented:
It's my AD integrated domain.

I do not see where I can specify a domain, it just says all servers. I have attached a screen shot.
DrDave242 (Senior Support Engineer) commented:
What software is this that requires the ability to perform a zone transfer of the SRV records?  That's not normal.  (Of course, it's possible that the documentation is not exactly correct, and it only needs to be able to query SRV records - that's perfectly normal.)

When you just enter "nslookup" and it returns to the > prompt, does it list the correct IP address and host name for your AD DNS server?

I do agree with DrDave242, there is no reason I can think of that you need to do a zone transfer of SRV records. Just being able to look them up should be enough.

If possible can you let us know what product this is?
Jon Brelie (System Architect) commented:
The posts above make a very valid point.
Yeah, I meant to ask earlier... exactly what you're trying to accomplish.
Can you use a different method for SRV records? The proper way without the zone xfer is like this:

using LDAP as an example:

> set querytype=SRV

That should come back with all servers doing LDAP (your DCs)

Same for Kerberos:

In DNS, if you expand your domain, you will see _tcp, _sites, etc., and this will make some sense.
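
To make the two points in this thread concrete at the protocol level (what nslookup's ls actually sends, and what the "proper way" with set querytype=SRV sends instead), here is an added Python example; it is not code from the thread or from any product mentioned in it. It builds DNS queries on the wire, shows that ls asks for an AXFR (query type 252, a whole-zone transfer) while an SRV lookup asks for type 33 against the RFC 2782 name _ldap._tcp.<domain>, and parses responses so that "query refused" can be seen as what it is: response code 5 (REFUSED) with no answer records. The names dc1.domain.net and dc2.domain.net, the transaction IDs and the record values are constructed sample data; domain.net is the placeholder the thread uses.

```python
# Added example (not from the thread): minimal DNS wire-format helpers.
# Shows the AXFR request behind nslookup's "ls" versus a plain SRV query,
# and what REFUSED (RCODE 5) looks like. All sample data is constructed.
import struct

QTYPE_SRV = 33     # SRV record type (RFC 2782)
QTYPE_AXFR = 252   # full zone transfer, what nslookup's "ls" asks for
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def srv_name(service, proto, domain):
    """RFC 2782 owner name, e.g. _ldap._tcp.domain.net."""
    return "_%s._%s.%s" % (service, proto, domain)


def encode_name(name):
    """Dotted name -> length-prefixed DNS labels, NUL-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off, max_jumps=16):
    """Decode the name at msg[off]; returns (name, offset after the name).

    Compression pointers are followed, but a pointer loop in an untrusted
    response raises instead of hanging the parser.
    """
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2                # the pointer ends the inline name
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(qname, qtype, txn_id=0x1234):
    """One-question query with RD set; qtype 33 = SRV, 252 = AXFR."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_error_response(txn_id, qname, qtype, rcode):
    """Response echoing the question with no answers and the given RCODE."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180 | rcode, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_srv_response(txn_id, qname, records, ttl=600):
    """NOERROR response with SRV records given as (priority, weight, port, target).

    The owner name is a pointer (0xC00C) back to the question name at offset 12,
    as real servers emit, so decode_name's pointer path is exercised.
    """
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", QTYPE_SRV, 1)
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        body += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SRV, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    """Parse the header, question section and any SRV answers of a message."""
    txn_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = decode_name(msg, off + 6)   # target may itself be compressed
            answers.append({"name": name, "priority": prio, "weight": weight,
                            "port": port, "target": target, "ttl": ttl})
        off += rdlen
    rcode = flags & 0x0F
    return {"id": txn_id, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    # "ls -t SRV domain.net" sends an AXFR; a server that only transfers to its
    # secondaries answers REFUSED, which nslookup reports as "query refused".
    print("AXFR:", parse_response(build_error_response(7, "domain.net", QTYPE_AXFR, 5))["rcode"])
    # "set querytype=SRV" then "_ldap._tcp.domain.net" is an ordinary query.
    reply = build_srv_response(9, srv_name("ldap", "tcp", "domain.net"),
                               [(0, 100, 389, "dc1.domain.net"), (10, 50, 389, "dc2.domain.net")])
    print("SRV:", [(a["target"], a["port"]) for a in parse_response(reply)["answers"]])
```

Run as a script, the first line prints REFUSED for the AXFR case and the second prints the two constructed DC targets on port 389; the SRV lookup needs no zone-transfer permission at all, which is why the other commenters say being able to query SRV records should be enough for the software.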

Thomas N (Systems Analyst - Windows System Administrator), author, commented:
I checked the DNS servers and found that some of them were only allowed to zone transfer to specific machines and others were set to all machines. Once I changed it to all machines on all the DNS servers the issue was fixed. Thanks guys, and sorry I didn't think about checking every single DNS server.
Thomas N (Systems Analyst - Windows System Administrator), author, commented:
Once I get all the machine information I will most likely change it from all machines to the specific ones I need including the ones that gave me the original problem on this thread.