DNS

25K Solutions, 25K Contributors

The Domain Name System (DNS) is a hierarchical, globally distributed system that maps the name of a computer, service or other resource to an IP address for connecting to the Internet or a private network. Most prominently, it translates domain names into the numerical IP addresses that computer services and devices worldwide need.


Resolve DNS query failed errors for Exchange
BIND is the most widely used name server software. A name server is what translates a site's name into its IP address.

There is a new bug in BIND affecting all versions of BIND 9 from 9.1.0 (inclusive) through 9.9.7-P1, and 9.10.0 through 9.10.2-P2 (the first fixed releases are 9.9.7-P2 and 9.10.2-P3).

Basically, anyone who can send a query to your server can crash the BIND service (named), effectively shutting down your name resolution.

So if you administer name servers using BIND, you need to update NOW.
Unfortunately, that means you cannot wait for binaries for your distribution to become available: you need to install from source.

Problems:
  1. You need to install a development environment on your DNS servers.
  2. Configuring and compiling can take a long time and consumes resources on a production box.
  3. You need to uninstall the current packages without losing your zone files, named configuration and startup scripts.

My solution: configure a test server; configure, compile and install the new version of BIND from source there; then copy all the files to the production servers. This way the service is disrupted for 20 seconds at most.

Caveat: all servers must run the same distribution and the same packages.

My servers all run Debian 7.8 with a minimal set of packages installed, to reduce the attack surface.

Technique:
1. Create a test server (either from scratch, or by cloning one of your production DNS servers).
2. Prepare the build environment:
test-server# apt-get install build-essential libssl-dev

3. Download and extract the package:
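Before touching a production box it helps to know whether the named you are running is inside the range listed above. The following is an added example and not part of the original article: it pulls the version out of a named -v banner and tests it against the two inclusive ranges. The sample banners in the tests and the fallback banner in the script are constructed.

```python
import re
import subprocess
import sys

# Inclusive ranges taken from the article: (major, minor, patch, P-level).
# A release with no "-Pn" suffix has P-level 0, so 9.9.7 sorts before 9.9.7-P1.
AFFECTED_RANGES = [
    ((9, 1, 0, 0), (9, 9, 7, 1)),    # BIND 9.1.0 .. 9.9.7-P1
    ((9, 10, 0, 0), (9, 10, 2, 2)),  # BIND 9.10.0 .. 9.10.2-P2
]

# Matches "9.9.7-P1", "9.10.2", and the version inside a distro-suffixed
# string such as "9.9.5-9+deb8u6-Debian" (the "-9+deb8u6" is not a P-level).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:-P(\d+))?")


def parse_bind_version(text):
    """Return (major, minor, patch, plevel) from a version string or a whole
    'named -v' banner, or None if no version number is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_affected(version):
    """True if the parsed version tuple falls inside one of the affected ranges."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def check_named_banner(banner):
    """Classify a 'named -v' banner: (version_tuple, affected) or (None, False)."""
    version = parse_bind_version(banner)
    if version is None:
        return (None, False)
    return (version, is_affected(version))


if __name__ == "__main__":
    # Run against the locally installed named; fall back to a constructed banner.
    try:
        banner = subprocess.run(["named", "-v"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        banner = "BIND 9.9.5-9+deb8u6-Debian (Extended Support Version)"  # constructed
        print("named not found, using a constructed banner", file=sys.stderr)
    version, affected = check_named_banner(banner)
    print(banner.strip())
    print("parsed: %s  in affected range: %s" % (version, affected))
```

One caveat: distributions usually backport security fixes without bumping the upstream version string, so a packaged named that this check flags as affected must be confirmed against the distribution's advisory or package changelog (apt-get changelog bind9 on Debian) before you conclude it is vulnerable. A build from source reports its version exactly, which is one more reason the article's approach makes the state of each server easy to verify.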

Author Comment by: Dan Craciun
I've written instructions for one router type, but the principle may be useful for others of the same brand and even other brands of router.

Problem:
I had an issue, especially with mobile devices, that refused to use the DNS information supplied via DHCP; in general they seem to use the service provider's DNS servers (the ones used for 3G/4G data) and override the Wi-Fi settings with them.
My aim was to get all DNS traffic to go to OpenDNS for filtering.

My firewall is a ZyWALL USG 50. I'm not sure how it compares with yours for features, but I had to experiment to find a way to not just
#a. block DNS requests to unapproved addresses
but also
#b. take those requests and redirect them, so that the end user has a seamless experience and no device needs reconfiguring.

In my mind I wanted a router option that simply allowed me to direct all traffic on port 53 (DNS uses both TCP and UDP on this port) to a specified address, but, as is often the case, the manual didn't make it obvious that this was even possible, let alone how to go about it.

In the end the answer came through NAT (network address translation) rather than the DNS forwarding options. Note that a port-53 redirect only catches plain DNS; a client that talks to a resolver on another port or over an encrypted transport is not caught by it.

With the USG 50, DNS forwarding only really helps when a client directly requests DNS from the router itself. (Check your router manual before you follow these tips, as you may have more options than I do.)
In my organization I've set up an internal domain controller for DNS that forwards …
Occasionally you run into a website or two that will not resolve properly using your own DNS servers. Some people simply set up global forwarders on their DNS server. I don't recommend doing this because it can cause problems resolving addresses on your local network, especially if you have multiple subnets or even multiple routed networks.

The better solution is to use conditional forwarders. Conditional forwarders allow you to specify which DNS server to use for a particular domain. In my case we had problems resolving paypal.com from one of our networks. By setting up a conditional forwarder we were able to address the PayPal problem without causing DNS resolution problems for other domains or for our own networks. Bear in mind that the servers you forward to will see every query for that domain, so pick resolvers you trust.

Here is how it's done on a Windows Server 2008 DNS server (other Windows Server versions are similar):

1. Open DNS Manager from Administrative Tools in the Control Panel.
2. Navigate to and right-click Conditional Forwarders under your DNS server, then select "New Conditional Forwarder".
3. Enter the domain of the site you want to resolve using forwarders.
4. Enter the DNS server(s) to use for resolving this domain. I used one of Level3's and one of Google's in this case. OpenDNS servers are also a good choice.
5. If you use Active Directory, make sure you tick the box to store the forwarder in Active Directory. That way it will replicate to your other DNS servers. The defaults are fine for the rest of the settings.

Author Comment by: Frank McCourry
Thanks!
There have been a lot of times when we have seen the need to enter a large number of DNS entries in a forward lookup zone.

The standard procedure would be to launch the DNS Manager console, create the zone and start adding new hosts using the New Host action. The higher the number of new hosts to be added, the greater the chance of making a mistake. This article has been created to make the administrator's life easier.

What the GUI procedure above does can equally be done with the dnscmd command followed by a few switches and parameters, so it is reasonable to write a batch file that does it in sequence at the press of a single button.

The dnscmd command syntax is explained below:

dnscmd [ServerName] /recordadd ZoneName NodeName RRType RRData

The parameters are the following:
ServerName: Specifies the DNS server the administrator is planning to manage, given as the local computer syntax, an IP address, an FQDN or a host name. If omitted, the local server is used.
ZoneName: Specifies the zone in which the record resides.
NodeName: Specifies a specific node (the host name) in the zone.
RRType: Specifies the type of record to be added (for example A, CNAME or PTR).
RRData: Specifies the record data, in the form the chosen record type expects (for an A record, the IPv4 address).

Based on the above if our ServerName is dt00001.mydomain.com, our ZoneName is …
Expert Comment by: TechDept
If the naming and IP scheme is as straightforward as in the example, just do it with a script loop. DOS, VBScript or PowerShell will do. Here's an example in DOS.

Just assign the variables appropriate values. Then, when you are satisfied that everything is right, remove the "echo" from the start of the dnscmd line.

-----Cut Here-----
@echo off
  cls

:SET_ENV
  REM Delayed expansion is required so that !Padded_Val! is read inside the loop body
  SETLOCAL ENABLEDELAYEDEXPANSION

:SET_VAR
  REM Creates dt00002 .. dt00015 pointing at 172.29.2.2 .. 172.29.2.15
  set Count_Val=15
  set Start_Val=2
  set DNS_Server=dt00001.mydomain.com
  set Zone_Name=myzone.mydomain.com
  set Host_Prefix=dt
  set Host_Val=00000
  set IP_Network=172.29.2

:DO
  REM Prepend zeros to the counter, then keep the last five characters as the padded host number
  for /L %%n in (%Start_Val%,1,%Count_Val%) do (
    set Padded_Val=%Host_Val%%%n
    echo dnscmd %DNS_Server% /recordadd %Zone_Name% %Host_Prefix%!Padded_Val:~-5! A %IP_Network%.%%n
  )

:END
  pause
  cls
  exit 0
-----Cut Here-----
I wrote this article to explain some important DNS concepts that should be understood in order to avoid some typical configuration errors I often see in forums.

I assume that what is described here is the typical behavior of the Microsoft DNS client. I don't know the DNS client implementations on other platforms well enough to say whether this applies everywhere, so other experts, please feel free to comment.

By "Microsoft DNS client" I mean the DNS Client service on any Microsoft platform. This holds for workstations, for servers and for domain controllers.


Concept #1: The DNS "Preferred" server

When you configure DNS servers in the IP settings of a NIC on a Windows machine, you configure what the dialog calls the "Preferred" and "Alternate" DNS servers, commonly referred to as the "primary" and "secondary" DNS servers.

In my opinion these terms ("primary" and "secondary") are a very bad choice by Microsoft, because in fact the DNS server list can contain more than two DNS servers, as you may already have seen if you looked in the "DNS" tab of the "Advanced" IP settings.
Basically the DNS server list is an ordered list of as many DNS servers as you want.

Also, the term "primary" makes you think that this DNS server has a specific role or function compared with the "secondary" servers, or that it has some priority over the other servers in the list, which is not the case, as I'll try to explain now.

OK, so what happens when a Windows machine has to resolve a DNS name for the first time after startup?

Very simple: …
Expert Comment by: LostMyWatch
The epitome of "easy to understand". Well done!

Expert Comment by: Raheman M. Abdul
Great article and a very good and clear explanation. Many thanks for your time and effort in making such a great article.
One of the most often confused topics in the area of DNS is the idea of GLUE records: specifically, what they are, when they are needed, when they are provided, and how they are created.

First, WHAT IS GLUE?
To understand GLUE, you must first understand that DNS is a top-down, distributed database that is resolved by following referrals. Thus, to resolve (on your own) the name host.example.com., you first contact one of the root DNS servers (there are 13 root server addresses, each served from many anycast sites) and ask about .com. The reply will tell you where to find .com's nameservers, so you'll choose one of those and ask about example.com. The result will tell you where example.com's nameservers are, so you'll choose one of those to ask about host.example.com, whereupon you finally get your reply: 10.0.0.10.

That's all well and good, until you look deeper and see that nameserver entries are NAMES, not IP addresses. So if the nameserver for example.com is dns.example.com, you're going to be stuck: you can't query the nameserver dns.example.com for the name dns.example.com because it is self-referencing. (The DNS term is "circular".)

That is where GLUE comes in. GLUE is simply the IP address of a nameserver, provided as "additional data" in the DNS reply from a parent server. So, when I query the .com server for example.com's nameservers, it will reply not just with dns.example.com, but also with the IP address of dns.example.com (10.0.0.100) in the "additional data" section of the response.…
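As an added example (not part of the original article), here is a toy resolver that walks the delegation chain exactly as described above. The delegation data is constructed: the root and .com server addresses (192.0.2.1, 192.0.2.2) and the .com nameserver name ns.gtld.example. are placeholders, while host.example.com (10.0.0.10) and dns.example.com (10.0.0.100) are the article's own values. Run once with glue in the .com referral and once without, the second walk trips over the circular dependency the article describes.

```python
# Toy iterative resolver: walks referrals from the root and shows why a
# delegation to a nameserver inside the delegated zone needs glue.
# All server data below is constructed for this example.

ROOT_IP = "192.0.2.1"   # stand-in for a root server address


class CircularDependency(Exception):
    """Raised when resolving a name requires first resolving that same name."""


def build_servers(with_glue):
    """Return {server_ip: what that server knows}. Each server holds records it
    is authoritative for plus delegations, each being (nameserver names, glue)."""
    gtld_ip = "192.0.2.2"         # stand-in for a .com server
    example_ns_ip = "10.0.0.100"  # dns.example.com, as in the article
    example_glue = {"dns.example.com.": example_ns_ip} if with_glue else {}
    return {
        ROOT_IP: {
            "records": {},
            "delegations": {"com.": (["ns.gtld.example."], {"ns.gtld.example.": gtld_ip})},
        },
        gtld_ip: {
            "records": {},
            "delegations": {"example.com.": (["dns.example.com."], example_glue)},
        },
        example_ns_ip: {
            "records": {"host.example.com.": "10.0.0.10",
                        "dns.example.com.": example_ns_ip},
            "delegations": {},
        },
    }


def query(servers, server_ip, qname):
    """One round trip: ('answer', ip), ('referral', ns_names, glue) or ('nxdomain',)."""
    server = servers[server_ip]
    if qname in server["records"]:
        return ("answer", server["records"][qname])
    for zone, (ns_names, glue) in server["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            return ("referral", ns_names, glue)
    return ("nxdomain",)


def resolve(servers, qname, trace=None, _in_progress=frozenset()):
    """Resolve qname from the root. trace, if given, collects (server, qname, outcome)."""
    if trace is None:
        trace = []
    if qname in _in_progress:
        raise CircularDependency(
            "to resolve %s we must first resolve %s: no glue in the referral" % (qname, qname))
    server_ip = ROOT_IP
    while True:
        resp = query(servers, server_ip, qname)
        trace.append((server_ip, qname, resp[0]))
        if resp[0] == "answer":
            return resp[1]
        if resp[0] == "nxdomain":
            raise KeyError(qname)
        _, ns_names, glue = resp
        ns = ns_names[0]
        if ns in glue:
            server_ip = glue[ns]   # additional data: go straight to the child server
        else:
            # No glue: the nameserver's own name has to be resolved from the top first.
            server_ip = resolve(servers, ns, trace, _in_progress | {qname})


def demo(with_glue):
    """Return (result, trace); result is the IP, or the exception if resolution failed."""
    servers = build_servers(with_glue)
    trace = []
    try:
        return resolve(servers, "host.example.com.", trace), trace
    except CircularDependency as exc:
        return exc, trace


if __name__ == "__main__":
    for with_glue in (True, False):
        result, trace = demo(with_glue)
        print("with glue" if with_glue else "without glue", "->", result)
        for step in trace:
            print("   ", step)
```

The trace without glue shows the resolver asking the root and the .com server about dns.example.com a second time, which is exactly the loop a real resolver has to break by failing the lookup; a registrar's "host record" form is where that glue gets entered for names like dns.example.com.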
Expert Comment by: DrDamnit
Well written. Excellent. Useful.
I will assume you are running a non-server version of some sort of Windows throughout this article. There are many flavors of Windows: Windows Server 2000 to 2008, XP Home & Pro, Vista Home & Pro, and Windows 7 Starter, Home, Pro, Ultimate, etc. Not all of these versions of Windows have the Microsoft web server known as Internet Information Services (IIS), formerly called Internet Information Server. I don't believe any version of Windows installs IIS by default, so you will need to go to Add/Remove Programs in the Control Panel, choose "Turn Windows features on or off", and turn it on. The Starter and Home versions of Windows may not have IIS available at all. For this reason, I recommend using Apache 2.2+ for Windows; it's always free.

You can install Apache on any type of operating system, and there is a wealth of knowledge available online for various issues, configurations and add-ons. Apache is also open source, which means it is totally free to use. If you are seeking to get more involved with developing content for the Internet in a corporate business environment, you will probably want to get involved with using IIS for Windows, but getting started with IIS is somewhat more difficult (in the author's opinion) because you need a more detailed understanding of things like DNS, security, opening ports and other Internet-specific details. The Apache Web Server packages can be found at http://httpd.apache.org/download.cgi and I recommend downloading the…
Expert Comment by: jayballentine
Open source does not mean free! If you use Apache for profit you are supposed to pay. Read the fine detail. Open source is the way code is written. Take a look and see. Unless they have changed it in the last little bit, but I doubt it. If you find out otherwise I would be surprised, and I would apologize to you personally.

Expert Comment by: Michael Machie
This article is pretty much useless except to state that setting up your own servers takes a lot of work and to also sell DynDNS.org subscriptions.

Not a single link or explanation of how to set anything up. And he received points for this?

Disappointing to say the least...
If you have a multi-homed DNS server on Windows, you can have connectivity issues with the server that hosts the DNS service (or even with member servers of your domain, if that DNS server is also a DC). This is because Windows registers all of its IP addresses (both IPv4 AND IPv6) in the domain's DNS records used to locate the DNS server (the NS records and the matching host records), so clients may end up resolving the server to an address on an unwanted or unreachable subnet (especially with IPv6 enabled, since clients will often try IPv6 first). This happens where you don't route between the networks for the clients, or where this server is not the clients' gateway, and the result is that users cannot resolve domain hosts and records.

Microsoft describes the same behaviour:

"When DNS queries for the domain name or the domain controller's fully qualified domain name (FQDN) are sent to a Windows 2000 domain controller that is running Routing and Remote Access, the domain name or FQDN for the domain controller is resolved to an Internet protocol (IP) address that is used by Routing and Remote Access. DNS Manager displays HOST (A) records for the Routing and Remote Access server IP addresses and Routing and Remote Access client IP addresses with the name of the domain controller and the name of the domain that is used for Active Directory."

Microsoft article http://support.microsoft.com/kb/289735 states:

Start Registry Editor (Regedt32.exe).
Locate and click the following key in the registry:
This article explains how a domain name may be inadvertently appended to all DNS queries. The symptom looks like this:

C:\> ping www.internetdomain.com
Pinging www.internetdomain.com.internal.domain.com [23.24.25.26] ...

And / Or:
C:\> NsLookup www.internetdomain.com
...
Name:    www.internetdomain.com.internal.domain.com
Address: 23.24.25.26


Cause

This issue can occur in either of these two scenarios.

EITHER

1. The Primary DNS Suffix is a sub-domain of a public domain name.
Windows IP Configuration

        Host Name . . . . . . . . . . . . : SomeHost
        Primary Dns Suffix  . . . . . . . : internal.domain.com

2. A wildcard record exists for *.domain.com on the public DNS server for domain.com and "Append parent suffixes of the primary DNS suffix" is ticked (TCP/IP settings, Advanced, DNS). Or a wildcard exists for *.internal.domain.com.

OR

1. domain.com exists in the DNS Suffix Search List.

2. A wildcard record exists for *.domain.com on the public DNS server for domain.com.

In either case each suffix is tried before the multi-label name is submitted as-is (on clients that append suffixes to multi-label names), so a wildcard that covers the suffixed form answers first and the real name is never looked up.

Examples

In the following examples the detailed responses from NsLookup are available by enabling the debugging option:
C:\> NsLookup
> set debug
> www.internetdomain.com

Or
> set d2
> www.internetdomain.com

1. With no wildcard record
C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.internal.domain.com

ACTION:  Appending Parent Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.domain.com

ACTION:  Without Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com
ANSWERS:  IP Address(es) of www.internetdomain.com and any related records

2. With a wildcard for domain.com and Append Parent Suffixes selected

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.domain.com. The wildcard record matches, with "www.internetdomain.com.internal" standing in for the "*"

3. With a wildcard for internal.domain.com

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.internal.domain.com. The wildcard record matches, with "www.internetdomain.com" standing in for the "*"

4. With a wildcard for domain.com and a DNS Suffix Search List including domain.com
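The following is an added example, not part of the original article: a small Python model of the candidate order described above (primary suffix, then its parent suffixes if devolution is on, or the search list when one is set, and finally the bare name) run against a constructed record table that stands in for both the internal and the public zones. Wildcard matching follows RFC 4592, so a wildcard only applies below the closest existing name. The names are the article's placeholders and the addresses are documentation addresses.

```python
# Model of DNS suffix processing for an unqualified multi-label query, as an
# illustration of the four cases in the article. The record table is constructed
# and collapses the internal and the public zones into one flat lookup table.

SAMPLE_RECORDS = {
    "www.internetdomain.com": "203.0.113.10",   # the site the user really wants
}


def candidate_names(name, primary_suffix="", search_list=(), append_parent_suffixes=True):
    """Order in which the resolver tries fully qualified forms of an unqualified name.
    A trailing dot marks the name as already fully qualified: no suffix processing."""
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = []
    if search_list:
        # A configured search list replaces the primary suffix and devolution entirely.
        candidates += ["%s.%s" % (name, s) for s in search_list]
    elif primary_suffix:
        candidates.append("%s.%s" % (name, primary_suffix))
        if append_parent_suffixes:
            labels = primary_suffix.split(".")
            # Devolve one label at a time, stopping at a two-label parent.
            for i in range(1, len(labels) - 1):
                candidates.append("%s.%s" % (name, ".".join(labels[i:])))
    candidates.append(name)   # finally the name exactly as typed
    return candidates


def _exists(records, name):
    """A name exists if it has a record or if any record lies beneath it."""
    return name in records or any(r.endswith("." + name) for r in records)


def lookup(records, fqdn):
    """Authoritative-style lookup: exact match, else the wildcard at the closest
    encloser (the longest existing ancestor), else no answer (NXDOMAIN -> None)."""
    if fqdn in records:
        return records[fqdn]
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if _exists(records, ancestor):
            return records.get("*." + ancestor)   # None if no wildcard there
    return None


def resolve(records, name, **client_config):
    """Walk the candidates in order; return (name_that_answered, ip) for the first
    NOERROR, or None if every form got NXDOMAIN."""
    for candidate in candidate_names(name, **client_config):
        ip = lookup(records, candidate)
        if ip is not None:
            return (candidate, ip)
    return None


def run_article_cases(query="www.internetdomain.com"):
    """Reproduce the article's cases 1-4; returns {case: (answered_name, ip)}."""
    wildcard_public = {**SAMPLE_RECORDS, "*.domain.com": "198.51.100.1"}
    wildcard_internal = {**SAMPLE_RECORDS, "*.internal.domain.com": "10.0.0.99"}
    primary = "internal.domain.com"
    return {
        1: resolve(SAMPLE_RECORDS, query, primary_suffix=primary),
        2: resolve(wildcard_public, query, primary_suffix=primary),
        3: resolve(wildcard_internal, query, primary_suffix=primary),
        4: resolve(wildcard_public, query, search_list=("domain.com",)),
    }


if __name__ == "__main__":
    for case, (answered, ip) in sorted(run_article_cases().items()):
        print("case %d: %s -> %s" % (case, answered, ip))
```

Case 1 is the only one in which the real name is ever queried; in the other three the wildcard answers the first suffixed form and the user lands on whatever the wildcard points at. Because the table is flat, the closest-encloser rule applies across what would really be separate zones: an explicit name such as www.domain.com in the same table shields everything beneath it from *.domain.com, which is what RFC 4592 specifies and what the tests check.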


This article is intended as an extension of a blog post on Aging and Scavenging by the Microsoft Enterprise Networking Team.
In brief, scavenging works as follows:

Each record in a zone that has been dynamically registered with a Microsoft DNS server has a time stamp. The time stamp is used together with the aging intervals (No-Refresh and Refresh) to determine when a record is stale. When a record is refreshed the time stamp is updated. The scavenging process removes any stale records it encounters within a zone (aging must be enabled on the zone and scavenging on the server for this to happen).

If a system changes IP address an Update is sent to DNS. An Update ignores the No-Refresh interval and changes the record data as well as the time stamp.

Manually created records are not removed by the scavenging process; they have no time stamp value and therefore can never be considered stale.

SOA and NS records tend not to be involved in the scavenging process, as they are created by a different mechanism: they are not dynamically registered by default but are created automatically.

There are several different systems or services involved in the dynamic registration of DNS records.

DHCP Server

By default the Microsoft DHCP server updates DNS on behalf of each client. When DHCP is performing the updates the clients do not register records directly with the DNS server (while using a lease from that DHCP server). If DHCP does not update on behalf of a client then the client registers directly (if capable: Windows 2000 or later).

The DHCP server will …
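As an added example (not from the article or from Microsoft), here is the age test described above written out in Python, with a constructed zone and the default 7-day No-Refresh and Refresh intervals. It shows which state a record is in at a given instant, how a Refresh and an Update move the time stamp differently, and which records a scavenging pass would delete. The host names and the fixed instant EXAMPLE_NOW are made up for the example.

```python
from datetime import datetime, timedelta

# Default Microsoft DNS aging intervals (both 7 days); set per zone in practice.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)

# Any fixed instant will do; the sample zone's time stamps are relative to it.
EXAMPLE_NOW = datetime(2015, 8, 1, 12, 0)


def record_state(timestamp, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Classify a record by its time stamp.
    None -> "static": manually created, no time stamp, never stale
    "no-refresh": a plain refresh is ignored and the time stamp stays put
    "refresh":    a refresh updates the time stamp
    "stale":      the refresh window has passed; scavenging may delete it
    """
    if timestamp is None:
        return "static"
    if now < timestamp + no_refresh:
        return "no-refresh"
    if now < timestamp + no_refresh + refresh:
        return "refresh"
    return "stale"


def register(timestamp, now, data_changed=False, no_refresh=NO_REFRESH):
    """Return the time stamp after a client re-registers the record.
    An Update (data_changed=True) always moves the time stamp; a Refresh only
    does so once the No-Refresh interval has elapsed. Static records are untouched."""
    if timestamp is None:
        return None
    if data_changed or now >= timestamp + no_refresh:
        return now
    return timestamp


def scavenge(records, now, no_refresh=NO_REFRESH, refresh=REFRESH):
    """Return the names a scavenging pass would delete from {name: timestamp}."""
    return sorted(name for name, ts in records.items()
                  if record_state(ts, now, no_refresh, refresh) == "stale")


def sample_zone(now):
    """Constructed zone: dynamically registered hosts plus one static record."""
    return {
        "fresh-laptop": now - timedelta(days=2),    # inside No-Refresh
        "busy-server": now - timedelta(days=9),     # inside the Refresh window
        "gone-printer": now - timedelta(days=20),   # stale
        "router": None,                             # manually created, static
    }


if __name__ == "__main__":
    zone = sample_zone(EXAMPLE_NOW)
    for name, ts in zone.items():
        print("%-13s %s" % (name, record_state(ts, EXAMPLE_NOW)))
    print("scavenge would delete:", scavenge(zone, EXAMPLE_NOW))
```

The functions model the age test only. A real server additionally requires aging to be enabled on the zone and scavenging on the server, only runs the pass once per scavenging period, and stores time stamps with one-hour granularity, so the boundaries fall on the hour rather than at the exact instant used here.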
Most DNS problems are very easily troubleshot and identified if you can follow the steps a DNS query takes. I would like to share, step by step, the path a DNS query takes from origin to destination.
_____________________________________________________________________
THE CLIENT'S RESPONSIBILITY:
1)  The client tries to contact a remote site by name and sends out a DNS query. Before asking anyone else, it first looks at its own records.
 --- a) The first place it looks is its own DNS resolver cache.
((NOTE: The problem with the DNS resolver cache is that, once in a while, you may get a bad record, which points your client to the wrong IP. You can resolve this by flushing the DNS cache. It doesn't hurt your computer to flush the DNS cache, and it can easily be done by going to the command prompt and typing ipconfig /flushdns.))
--- b) Then the client looks in the C:\Windows\system32\drivers\etc\hosts file. This file has to be configured manually.
((NOTE: The problem with a hand-configured hosts file is that an entry there is used in preference to DNS, so a stale or wrong entry sends the client to the wrong address and the query never reaches your DNS server. If you have a DNS server, these records should normally not be configured; the default 127.0.0.1 loopback entry for localhost is fine. The file is editable with a text editor such as Notepad. Because it is consulted before DNS, unexpected entries in it are also a classic sign of malware redirecting security-vendor or banking sites.))
Expert Comment by: Premkumar Yogeswaran
Hi ChiefIT,
It is a good article!

I have a question on this:
@ Client's Responsibility:
a) DNS cache, b) hosts file: both are fine.

Could you let us know where the DNS suffix list participates in a DNS query?

Thanks,
Prem
Expert Comment by: Chris Dent
DNS suffixes are appended, in order, to any single-label query (or to multi-label queries too, if set in group policy).

As such, the DNS suffixes and the appending of them are the responsibility of the client; this would be a "1 c". The client then repeats the query (steps 2 to 4) for each suffix until it either gets a non-NXDOMAIN response or runs out of suffixes to append.

Chris
