DNS Check :- Superfluous name server listed at parent


Experienced some networking issues; specifically Active Directory is not authenticating.

Traced the problem back to expired domain name.

Renewed for another two years.

DNS Server


While at it checked DNS Servers to make sure that it is configured OK.




One of the freely available tools is pingdom.com; http://dnscheck.pingdom.com.


Test Result



Superfluous name server listed at parent: ns2

A name server listed at the parent, but not at the child, was found. This is most likely an administrative error. You should update the parent to match the name servers at the child as soon as possible.

Problem Identification

Our Domain Registrant has ns2 listed as one of our DNS Server.

But, it is not registered as a Name Server on our primary DNS Server.



Running MS Windows DNS Server and so everything is GUI.


Launched MMC – DNS, connect to DNS Server.


  1. Launched MMC
  2. Added DNS
  3. Connect to DNS Server
  4. Navigate to Forward Lookup Zones \ [Computer]
  5. Right click on the Domain Name
  6. From the drop-down menu, please select the Properties option
  7. Access the “Name Servers ” Tab
  8. Match the listed name servers to what you registered with your Domain Registrant








Returned to http://dnscheck.pingdom.com/ and confirmed that problem is resolved.


Tab – Basic View


Tab – Advanced View


Microsoft – DNS Server – Disabling Recursion


I will like to start a series of articles on how to harden a Microsoft DNS Server.

Before we dig in too deep let us first start talking about the weeds out there.


What prompts us

Reviewing the MS Windows Event Viewer discovered entries that looks like this:


The DNS server encountered an invalid domain name in a packet from The packet will be rejected. The event data contains the DNS packet.





Since we are referred to the “event data”, let us try to make sense of it:




What does the error mean?

It means that the host listed as the packet from w.x.y.z is sending us a request for a domain suffix that is different from the ones we have not explicitly declared we are handling.

The reasons are myriad and can include:

  • An application on that host is specifically sending DNS requests to us
  • The original request was directed at a DNS Server that has been configured to forward DNS requests


Network Monitoring

Let us use a Network Monitoring tool to read Network requests.

As we already have the Microsoft Network Monitoring Tool installed, we will use it.


Configure Microsoft Network Monitoring Tool


I will suggest that you tighten your filtering and only bring in DNS Traffic.

You can do so by using the Application’s menu.

In our version, Filter \ Load Filter \ Standard Filters \ DNS \ Protocol Filter – DNS

Here is what the Application generates based on this request:


Please click the “Apply” button to effect the filtering.


We will be interested in correlating Network Traffic flows with entries in the MS Event Viewer and so will add “Time Date Local Adjusted” to the list of columns to display.

That way we will be better able to match specific Event Viewer entries with items we capture from our Network Monitoring tool.

To do so, please click on the Columns \ Choose Columns:



Here is what things look like once we moved “Time Date Local Adjusted” from the “Select the desired columns” area to the “Enabled Columns” area.



Our Domain, but invalid hostname

  DNS Query Request



  1. Our instigator is sending UDP requests to our port 53 ( DNS )
  2. The QueryId is 0x4F2 and Query Identifier is 1266
  3. The full query is xmq.[full-doman-name]


DNS Query Response




  1. We replied via UDP from port 53 ( DNS )
  2. The QueryId is 0x4F2 and Query Identifier is 1266
  3. Our Reply Code is “Rcode = Name Error


Invalid Domain

DNS Query Request


Quick Explanation:

  1. We are receiving numerous simultaneous DNS requests bearing QueryID 26025 (0x65A9)
  2. The query is requesting 067.cz and it is requesting “all” records
  3. We can also confirm from the request dump that Recursion is desired (Recursion Desired = 1)


DNS Query Response



Quick Explanation:

  1. On behalf of the requester, our DNS Server connected to and requested data
  2. The query is requesting 067.cz and it is requesting “all” records
  3. We can also confirm from the request dump that Recursion is desired (Recursion Desired = 1)
  4. We received the following set of data
    • All Name Server ( ns1, ns2, ns3 )
    • SOA ( Start of Authority )
    • MX ( Mail )
    • spf1 ( Send Framework Record )



Server – Properties – Advanced Tab

Disable recursion – GUI


Disable recursion – Command Line

dnscmd . /config /norecursion 1


Disable recursion – Query


     dnscmd . /info




  1. In the “Configuration flags” section, fNoRecursion is set to 1

What is the implication?

Service Internal Clients

Can we still properly service DNS queries for our internal clients?

Queries for Authoritative Domains



    nslookup -querytype=MX FQDN. nameserver


    nslookup -querytype=MX labdomain.com.


  1. Request is pretty straight forward
  2. Please issue prefixed by a period to indicate it is fully formed; that is the DNS Suffix should not be auto-appended when passed to the DNS Server
  3. We are asking our DNS Server ( ) for Mail ( MX )  records







  1. We received back our MX record

Request Trace – Incoming



  1. We are requesting MX records for a specific domain


Request Trace – Response




  1. Response
    • We are authoritative
    • We replied with MX record(s)


Queries for Non-Authoritative Domains



    nslookup -querytype=MX FQDN. nameserver


    nslookup -querytype=MX talend.com.


  1. We are asking our DNS Server ( ) for Mail ( MX )  records for the Talend (talend.com) domain
  2. Again, notice that we need the . after the domain name







  1. We replied with “can’t find talend.com.: Server failed

Request Trace – Incoming



  1. We are requesting MX records for a specific domain


Request Trace – Response




  1. Response
    • We replied with “Server failure
    • Question Count is 1 (0x1)
    • Answer Count is 0 (0x0)


Once we disabled recursion, we stopped seeing the errors about “invalid domain name“.

We have other areas to cover and will do so in subsequent posts.







Microsoft – DNS – Query Tool – NSLookup – Error Message – *** Can’t find server name for address w.x.y.z: Non-existent domain


This is an easy one. As I researched for another post, I was trying to use nslookup from the command line, but getting this error.

Error Message - *** Can't find server name for address w.x.y.z: Non-existent domain

Error Description

So my query looks like this:

nslookup [host] [dns-server] 


nslookup dbhr ns1



*** Can't find server name for address 10.0.y.z: Non-existent domain

Problem Resolution

Traced the problem back to a missing reverse IP Address for the referenced DNS Server.

To correct:

Add missing pointer record

  • Launch DNS Management (dsnmgmt.msc)
  • Connect to domain’s primary server
  • Navigate to the “Reverse Lookup Zones”
  • Select the subnet or create a new subnet
  • Review the existing “Pointer” entries in the right pane
  • If you find a matching IP Address, update it
  • Or create a new one by right-clicking on the subnet branch and choosing the “New Pointer (PTR)” menu item


Clear DNS Cache


ipconfig /flushdns

Once your DNS Cache is cleared, please retry.

Microsoft – DNS Server – Promoting Secondary DNS Server


My Active Directory Server has being down for a couple of weeks or so.  My friend, who helps me repair computers, says that it is the same capacitor problem that besieges this particular Dell Model.

It looks like it will take a while to get it back up.

Problem Diagnosis

I was hoping that the secondary domain controller will be able to service DNS Requests, but that does not seem to be occurring.

Connected to my Domain Name Registrant and confirmed that my ns1 and ns2 entries are pointing to my current Dynamic IP Addresses.

Wishing DNS resolution has a good way to trace and debug things.

Problem Diagnosis – Secondary DNS Server

Let us determine what tools are available for reviewing DNS Server issues:

Review Secondary DNS Server – Event Viewer

As always MS Windows Event Viewer is a good place to check.

Thankfully, saw a few errors:

EventID Description
3000 The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.
6527 Zone myLAB.com expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.
408 The DNS server could not open socket for address
Verify that this is a valid IP address for the server computer. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine and the DNS server may not have started as a result of this error. In that case remove the DNS\Parmeters\ ListenAddress value in the services section of the registry and restart.)If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port.For more information, see “DNS server log reference” in the online Help.For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
407 The DNS server could not bind a User Datagram Protocol (UDP) socket to The event data is the error code. Restart the DNS server or reboot your computer.

Verify – DNS Server – DNSLint


Microsoft has a tool for diagnosing DNS Issues.


Download DNSlint from http://support.microsoft.com/kb/321045.


Run Self-extracting install.

DNSLint - Extract


Use – Test Domain Name


   dnslint /d [domain-name]


    dnslint /d myLab.org


Output : DNS Server : ns1

DNSLint -- Result

DNS Server : ns2

DNSLint -- Result [Secondary host]


  • So we ran DNSLint from the secondary server itself — Doing so means we are less likely to experience network \ firewall issues
  • And, still the secondary server is coming back with not responding to UDP Port 53 requests
  • None of the tests came back with data that is useful.  The following tests came back as Unknown : Answering authoritatively for domain, Authoritative name server


  • Though our secondary server is up, it is really not very useful in terms of servicing DNS requests

Verify – DNS Server – Listening Port


On the secondary DNS Server, let us go check our listening ports

Review Listening Ports


        netstat -anb | find "LISTENING"


        netstat -anb | find "LISTENING"


Networking - Netstat - Listening Ports


  • We can see that the server has TCP port 53 opened and listening on all interfaces on this box


Verify – DNS Server – DLint


One can use dlint to query DNS.



wget [URL] -O [output-file]


  wget http://pkgs.repoforge.org/dlint/dlint-1.4.0-0.2.el4.rf.noarch.rpm \
    -O /tmp/dlint-1.4.0-0.2.el4.rf.noarch.rpm


dlint -- wget



sudo rpm -Uvh [rpm]


sudo rpm -Uvh dlint-1.4.0-0.2.el4.rf.noarch.rpm


dlint -- install




dlint -n [domain-name]


dlint -n labDomain.org


dlint -n domain-name


  •  Error: no name servers found for domain

Upgrade Secondary Server to Primary Server


  • Launch DNS Management (dnsmgmt.msc)
  • Select the Domain Name
  • Right click on the Domain Name and from the drop-down menu select the “Properties” option
  • In the “Properties” window, select the “General” Tab
  • In the “General” Tab, you will see the following values – For Status, Expired and for Type: Secondary
  • As Type is listed as Secondary, click on the “Change” button
  • The “Change Zone Type” window appears
  • Click on the “Primary zone” button and click on the “OK” button
  • The change is almost complete – The Status is still Expired, but the Type is Primary
  • Click on the Apply button
  • Return to the main window
  • In the “Properties” window, select the “Start of Authority (SOA)” Tab
  • Change the “Primary Server” to the recently upgraded Server
  • Click on the Apply button
  • Click on the Domain Zone
  • Right-click on the Zone and from the drop-down, select the “Reload” button
  • Restart DNS Server


Couple of quick things:

  • Please repeat similar steps for each pertinent reverse DNS Zones


DNSMGMT – DNS – Forward Lookup Zones

DNSMgmt - Properties

DNSMGMT – DNS – Change Zone Type


DNSMgmt - Change Zone Type

Changes Started:

DNSMgmt - Change Zone Type (Revised)

Changes Ongoing:

DNSMgmt - Properties - Zone Type Changed to Primary


DNS – Verify – DNSList


Run DNSList again …

DNSList -- Good Result

DNS Zones in Active Directory

Though I have yet to fully vet the path of storing DNS Zones in “Active Directory”.

But, as we all know Active Directory’s great leap over MS Windows NT 4.0 is doing away with the limitation of Domain And Backup Domain Server and having multiple domain controllers.

Thus following the thought that each server will have its own copy of Active Directory,we can see that when we store DNS in AD, DNS is replicated and  available on all Domain Servers, as well.