DNS Check: Superfluous name server listed at parent

Background

Experienced some networking issues; specifically, Active Directory was not authenticating.

Traced the problem back to an expired domain name.

Renewed it for another two years.

DNS Server

Introduction

While at it, checked the DNS servers to make sure they are configured correctly.

 

Tools

dnscheck.pingdom.com

One of the freely available tools is Pingdom’s DNS Check at http://dnscheck.pingdom.com.

 

Test Result

Image

Textual

Superfluous name server listed at parent: ns2

A name server listed at the parent, but not at the child, was found. This is most likely an administrative error. You should update the parent to match the name servers at the child as soon as possible.

Problem Identification

Our domain registrar has ns2 listed as one of our DNS servers (the delegation at the parent).

But ns2 is not listed as a name server in the zone on our primary DNS server (the child).

The tool’s advice is to fix the parent, but either side may be the one that is wrong: what matters is that both lists name exactly the servers that actually host the zone. A server listed at the parent that does not serve the zone is a lame delegation; resolvers waste time on it, and if that host name or address is ever given up, whoever takes it over can answer for the zone.
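As an added example, not part of the original post, here is the comparison the check performs, written in Python. The zone name, server names and the “serving” set are constructed; the serving set stands in for what you verify by hand (which hosts really have a copy of the zone), and the recommended action follows the reasoning above rather than the tool’s blanket “update the parent”.

```python
# Added example (not from the original post): compare the NS set the parent
# (registrar / TLD) publishes for a zone with the NS RRset inside the zone itself,
# and say which side to fix. All names below are constructed for illustration.


def normalize(name, zone):
    """Lower-case, qualify a bare host name (as the GUI shows it) against the
    zone, and drop the trailing dot so "NS2", "ns2.labdomain.com." and
    "ns2.labdomain.com" compare equal."""
    n = name.strip().lower().rstrip(".")
    z = zone.strip().lower().rstrip(".")
    if "." not in n:                      # "ns2" in the Name Servers tab means ns2.<zone>
        n = f"{n}.{z}"
    return n


def check_delegation(zone, parent_ns, child_ns, serving):
    """Return the disagreements between parent and child NS sets plus an action
    per disagreeing name.

    parent_ns : names listed at the registrar (the delegation)
    child_ns  : names in the zone's own NS RRset (the Name Servers tab)
    serving   : names verified to actually host a copy of the zone
    """
    p = {normalize(n, zone) for n in parent_ns}
    c = {normalize(n, zone) for n in child_ns}
    s = {normalize(n, zone) for n in serving}

    actions = {}
    for name in sorted(p - c):            # "superfluous name server listed at parent"
        # A real server that was simply never added to the zone: fix the child.
        # A name that serves nothing is a lame delegation: fix the parent.
        actions[name] = "add_to_child" if name in s else "remove_from_parent"
    for name in sorted(c - p):            # listed at child, not at parent
        actions[name] = "add_to_parent" if name in s else "remove_from_child"

    return {
        "superfluous_at_parent": sorted(p - c),
        "missing_at_parent": sorted(c - p),
        "consistent": p == c,
        "actions": actions,
    }


if __name__ == "__main__":
    # Constructed version of the situation in the post: the registrar lists ns1
    # and ns2, the zone only lists ns1, and ns2 really does host the zone.
    result = check_delegation(
        "labdomain.com",
        parent_ns=["ns1.labdomain.com.", "NS2.labdomain.com"],
        child_ns=["ns1"],
        serving=["ns1", "ns2"],
    )
    for name, action in result["actions"].items():
        print(f"{name}: {action}")
```

Run it against what the registrar’s control panel, the Name Servers tab and your own verification of each host show; anything other than an empty actions map is a delegation that resolvers will see as inconsistent.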

 

Remediation

Running MS Windows DNS Server, so everything is done through the GUI.

MMC DNS

Launched MMC with the DNS snap-in and connected to the DNS server.

Steps

  1. Launch MMC
  2. Add the DNS snap-in
  3. Connect to the DNS server
  4. Navigate to Forward Lookup Zones under the server node
  5. Right-click on the domain name (the zone)
  6. From the drop-down menu, select the Properties option
  7. Open the “Name Servers” tab
  8. Make the listed name servers match what is registered with your domain registrar, adding only servers that actually host a copy of the zone; this tab edits the zone’s NS RRset, which is what the check calls the “child”

 

Image

Before

 

After

 

Validate

Returned to http://dnscheck.pingdom.com/ and confirmed that the problem is resolved.

Images

Tab – Basic View

 

Tab – Advanced View

 

Microsoft – DNS Server – Disabling Recursion

Background

I would like to start a series of articles on how to harden a Microsoft DNS server.

Before we dig in too deep, let us first talk about the weeds out there.

 

What prompts us

Reviewing the MS Windows Event Viewer, I discovered entries that look like this:

Textual:


The DNS server encountered an invalid domain name in a packet from 90.23.83.107. The packet will be rejected. The event data contains the DNS packet.

Image:

EventID-5504-InvalidDomainName

 

Data

Since we are referred to the “event data”, let us try to make sense of it:

 

EventID-5504-InvalidDomainName-Data

.cz

What does the error mean?

It means that the host at w.x.y.z sent us a query for a domain suffix outside the zones we have explicitly declared we are handling.

The reasons are myriad and can include:

  • An application on that host is deliberately sending DNS requests to us
  • The original request was directed at a DNS server that has been configured to forward requests to us
  • Someone is using us as an open resolver, a server that will recurse on behalf of anyone on the Internet, which is what the captures below show

 

Network Monitoring

Let us use a Network Monitoring tool to read Network requests.

As we already have the Microsoft Network Monitoring Tool installed, we will use it.

 

Configure Microsoft Network Monitoring Tool

Filter

I suggest tightening the filter so that only DNS traffic is captured.

You can do so from the application’s menu.

In our version, Filter \ Load Filter \ Standard Filters \ DNS \ Protocol Filter – DNS

Here is what the Application generates based on this request:

applyDNSFilter

Please click the “Apply” button to effect the filtering.

Output

We will be interested in correlating Network Traffic flows with entries in the MS Event Viewer and so will add “Time Date Local Adjusted” to the list of columns to display.

That way we will be better able to match specific Event Viewer entries with items we capture from our Network Monitoring tool.

To do so, please click on the Columns \ Choose Columns:

ChooseFrameSummaryColumns

 

Here is what things look like once we moved “Time Date Local Adjusted” from the “Select the desired columns” area to the “Enabled Columns” area.

ChooseFrameSummaryColumns-After

 

Our Domain, but invalid hostname

  DNS Query Request

xmqgzjczmg-request

Explanation:

  1. The instigator is sending UDP requests to our port 53 ( DNS )
  2. The Query ID is 0x4F2 ( 1266 in decimal )
  3. The full query is xmq.[full-domain-name]; the leftmost label looks random and does not exist in our zone

 

DNS Query Response

xmqgzjczmg-response-nameerror

 

Explanation:

  1. We replied via UDP from port 53 ( DNS )
  2. The Query ID is 0x4F2 ( 1266 in decimal ), matching the request
  3. Our reply code is “Rcode = Name Error”, that is NXDOMAIN ( rcode 3 ): we are authoritative for the zone and the name does not exist

 

Invalid Domain

DNS Query Request

request@014658

Quick Explanation:

  1. We are receiving numerous simultaneous DNS requests bearing Query ID 26025 ( 0x65A9 ); a real resolver picks a fresh, random ID per query, so the same ID across a burst points to a script rather than a client’s stub resolver
  2. The query is for 067.cz, a zone we do not host, and it is requesting “all” ( ANY ) records
  3. We can also confirm from the request dump that recursion is desired ( Recursion Desired = 1 )

 

DNS Query Response

response@014658

 

Quick Explanation:

  1. On behalf of the requester, our DNS server connected to 77.78.104.139 and requested the data; in other words we recursed for an outside, unauthenticated client, which is what makes us an open resolver
  2. The query is for 067.cz and it is requesting “all” ( ANY ) records
  3. We can also confirm from the request dump that recursion is desired ( Recursion Desired = 1 )
  4. We received the following set of data
    • All name servers ( ns1, ns2, ns3 )
    • SOA ( Start of Authority )
    • MX ( Mail )
    • TXT carrying an SPF ( Sender Policy Framework ) v=spf1 record

Note the shape of this traffic: many requests with the same Query ID, for the ANY records of a zone we do not host, with recursion desired, and a response several times larger than the request. That is the signature of a DNS amplification attack: the source address is spoofed to the victim’s, and our server does the work of fetching the oversized answer and sending it to the victim.
 

Resolution

Server – Properties – Advanced Tab

Disable recursion – GUI ( the Advanced tab option is labeled “Disable recursion (also disables forwarders)”: once checked, the server neither recurses itself nor hands queries to a forwarder )

ServerConfiguration

Disable recursion – Command Line


dnscmd . /config /norecursion 1

 

Disable recursion – Query

Syntax


     dnscmd . /info

Output

dnscmdInfo

Explanation

  1. In the “Configuration flags” section, fNoRecursion is set to 1

What is the implication?

Service Internal Clients

Can we still properly service DNS queries for our internal clients?

Queries for Authoritative Domains

Query

Syntax:


    nslookup -querytype=MX FQDN. nameserver

 Sample:


    nslookup -querytype=MX labdomain.com. 10.0.7.49

Explanation:

  1. The request is pretty straightforward
  2. The trailing period marks the name as fully qualified, so the client’s DNS suffix is not auto-appended before the query is sent to the DNS server
  3. We are asking our DNS server ( 10.0.7.49 ) for Mail ( MX ) records

 

Output:

Image:

internalMXCommandLine.0935AM

 

Explanation:

  1. We received back our MX record

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for a specific domain

 

Request Trace – Response

internalMXResponseCropped

 

Explanation:

  1. Response
    • We are authoritative
    • We replied with MX record(s)

 

Queries for Non-Authoritative Domains

Query

Syntax:


    nslookup -querytype=MX FQDN. nameserver

 Sample:


    nslookup -querytype=MX talend.com. 10.0.7.49

Explanation:

  1. We are asking our DNS server ( 10.0.7.49 ) for Mail ( MX ) records for the Talend (talend.com) domain, a zone we are not authoritative for
  2. Again, notice the trailing period after the domain name

 

Output:

Image:

externalTalendMXConsole

 

Explanation:

  1. We replied with “can’t find talend.com.: Server failed”; with recursion disabled the server returns Server failure ( SERVFAIL ) rather than fetching the answer for us

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for a specific domain

 

Request Trace – Response

externalTalendMXResponse.1042AM

 

Explanation:

  1. Response
    • We replied with “Server failure” ( SERVFAIL, rcode 2 )
    • Question Count is 1 (0x1)
    • Answer Count is 0 (0x0)
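The fields read off the Network Monitor captures above (Query ID, Recursion Desired, question name and type, Rcode, question and answer counts) and the Name Error and Server failure replies seen in the nslookup traces are all in the first bytes of the DNS message. As an added example, not part of the original post, the following Python parses those bytes, rejects the kind of malformed name that the event 5504 text says the server drops, and classifies a query the way an authoritative-only server should. The zone list, query IDs and packets are constructed from the values quoted in the captures; nothing here is Microsoft DNS Server code.

```python
# Added example (not from the original post): a minimal DNS message parser for the
# header and question section, a malformed-name check, and the "is this for a zone
# we host?" decision. Packets, IDs and the zone list are constructed test input.
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 255: "ANY"}
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 4: "NotImp", 5: "Refused"}
RCODE_SERVFAIL, RCODE_NXDOMAIN = 2, 3          # "Server failure" and "Name Error" in RFC 1035
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def read_name(pkt, offset):
    """Decode a (possibly compressed) name at offset; return (name, next_offset).
    Raises ValueError on anything a server should reject as an invalid name."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 1 >= len(pkt):
                raise ValueError("truncated compression pointer")
            if end is None:
                end = offset + 2                         # caller resumes after the pointer
            offset = struct.unpack_from("!H", pkt, offset)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            break
        label = pkt[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        if not all(33 <= b <= 126 for b in label):      # no control bytes, spaces or 8-bit
            raise ValueError("non-printable byte in label")
        labels.append(label.decode("ascii").lower())
        offset += length
    name = ".".join(labels) + "."
    if len(name) > 255:
        raise ValueError("name longer than 255 octets")
    return name, (end if end is not None else offset)


def parse_message(pkt):
    """Parse the header and question section; other sections are only counted."""
    if len(pkt) < 12:
        raise ValueError("short header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    msg = {"id": ident, "is_response": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
           "rd": bool(flags & FLAG_RD), "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar, "questions": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack_from("!HH", pkt, off)
        off += 4
        msg["questions"].append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return msg


def would_reject(pkt):
    """True when the packet carries an invalid name (the event 5504 case)."""
    try:
        parse_message(pkt)
        return False
    except ValueError:
        return True


def classify_query(msg, zones):
    """What an authoritative-only server should do with the first question."""
    name, _ = msg["questions"][0]
    hosted = [z.lower().rstrip(".") + "." for z in zones]
    if any(name == z or name.endswith("." + z) for z in hosted):
        return "answer: hosted zone"
    return "refuse: foreign zone, recursion desired" if msg["rd"] else "refuse: foreign zone"


def build_query(ident, name, qtype, rd=True):
    """Encode a single-question query (constructed test input)."""
    hdr = struct.pack("!HHHHHH", ident, FLAG_RD if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)


def build_empty_reply(query, rcode, aa=False):
    """Reply with the query's header and question, no records, and the given Rcode:
    the shape of the Name Error and Server failure responses in the traces."""
    ident, flags, qd = struct.unpack_from("!HHH", query, 0)
    flags = FLAG_QR | (flags & FLAG_RD) | (FLAG_AA if aa else 0) | rcode
    return struct.pack("!HHHHHH", ident, flags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    # The ANY query for 067.cz with ID 0x65A9 and RD=1, rebuilt from the capture's fields
    q = build_query(0x65A9, "067.cz", 255)
    m = parse_message(q)
    print(m["id"], m["rd"], m["questions"], classify_query(m, ["labdomain.com"]))
    r = parse_message(build_empty_reply(build_query(0x4F2, "xmq.labdomain.com", 15), RCODE_NXDOMAIN, aa=True))
    print(r["id"], r["rcode"], r["aa"], r["ancount"])
```

The hex event data behind a 5504 entry can be fed to would_reject and parse_message directly, which makes it possible to see which of the checks in read_name the rejected packet tripped rather than guessing from the “.cz” fragment alone.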

Summary

Once we disabled recursion, we stopped seeing the errors about “invalid domain name“.

The trade-off is visible in the second test: with recursion off, the server answers only for the zones it hosts and returns Server failure for everything else, so internal clients that relied on it to resolve Internet names now need a separate recursive resolver that is reachable only from the inside. Keeping the Internet-facing authoritative role and the internal resolver role on different servers is the usual way to get both.

We have other areas to cover and will do so in subsequent posts.


Microsoft – DNS – Query Tool – NSLookup – Error Message – *** Can’t find server name for address w.x.y.z: Non-existent domain

Introduction

This is an easy one. While researching another post, I was trying to use nslookup from the command line but kept getting this error.

Error Message - *** Can't find server name for address w.x.y.z: Non-existent domain

Error Description

So my query looks like this:
Syntax:

nslookup [host] [dns-server] 

Sample:

nslookup dbhr ns1

 

Error:

*** Can't find server name for address 10.0.y.z: Non-existent domain

Problem Resolution

Traced the problem to a missing reverse (PTR) record for the referenced DNS server: nslookup reverse-resolves the address of the server it is about to use so it can print the server’s name, and reports this error when no PTR record exists. The message is informational; the forward query still goes to that server.

To correct:

Add missing pointer record

  • Launch DNS Management (dnsmgmt.msc)
  • Connect to domain’s primary server
  • Navigate to the “Reverse Lookup Zones”
  • Select the subnet or create a new subnet
  • Review the existing “Pointer” entries in the right pane
  • If you find a matching IP Address, update it
  • Or create a new one by right-clicking on the subnet branch and choosing the “New Pointer (PTR)” menu item

errorCannotFindServer

Clear DNS Cache

Syntax:

ipconfig /flushdns

Once your DNS Cache is cleared, please retry.

Microsoft – DNS Server – Promoting Secondary DNS Server

Introduction

My Active Directory server has been down for a couple of weeks or so. My friend, who helps me repair computers, says that it is the same capacitor problem that besieges this particular Dell model.

It looks like it will take a while to get it back up.

Problem Diagnosis

I was hoping that the secondary domain controller would be able to service DNS requests, but that does not seem to be happening.

Connected to my domain name registrar and confirmed that my ns1 and ns2 entries are pointing to my current dynamic IP addresses.

Wishing DNS resolution had a good way to trace and debug things.

Problem Diagnosis – Secondary DNS Server

Let us determine what tools are available for reviewing DNS Server issues:

Review Secondary DNS Server – Event Viewer

As always MS Windows Event Viewer is a good place to check.

Thankfully, saw a few errors:

EventID 3000 – The DNS server has encountered numerous run-time events. To determine the initial cause of these run-time events, examine the DNS server event log entries that precede this event. To prevent the DNS server from filling the event log too quickly, subsequent events with Event IDs higher than 3000 will be suppressed until events are no longer being generated at a high rate.

EventID 6527 – Zone myLAB.com expired before it could obtain a successful zone transfer or update from a master server acting as its source for the zone. The zone has been shut down.

EventID 408 – The DNS server could not open socket for address 24.6.18.17. Verify that this is a valid IP address for the server computer. If it is NOT valid use the Interfaces dialog under Server Properties in the DNS Manager to remove it from the list of IP interfaces. Then stop and restart the DNS server. (If this was the only IP interface on this machine the DNS server may not have started as a result of this error. In that case remove the DNS\Parameters\ListenAddress value in the services section of the registry and restart.) If this is a valid IP address for this machine, make sure that no other application (e.g. another DNS server) is running that would attempt to use the DNS port. For more information, see “DNS server log reference” in the online Help. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

EventID 407 – The DNS server could not bind a User Datagram Protocol (UDP) socket to 24.6.18.17. The event data is the error code. Restart the DNS server or reboot your computer.

Reading these together: 6527 is the real problem. A secondary may only serve a zone for as long as the SOA expire interval allows since its last successful transfer; with the master (the dead AD server) unreachable for weeks, that timer ran out and the server shut the zone down, so it no longer answers for it. 407 and 408 show the service trying to bind to 24.6.18.17, most likely a previous dynamic address that is no longer on this machine; until the Interfaces list is corrected the server is not listening where it should.

Verify – DNS Server – DNSLint

Introduction

Microsoft has a tool for diagnosing DNS Issues.

Download

Download DNSlint from http://support.microsoft.com/kb/321045.

Install

Run Self-extracting install.

DNSLint - Extract

Usage

Use – Test Domain Name

Syntax:

   dnslint /d [domain-name]

Sample:

    dnslint /d myLab.org

 

Output : DNS Server : ns1

DNSLint -- Result

DNS Server : ns2

DNSLint -- Result [Secondary host]

Explanation:

  • We ran DNSLint from the secondary server itself, so network or firewall issues are unlikely to be the cause
  • Still, the secondary server is reported as not responding to UDP port 53 requests
  • None of the tests came back with useful data. The following came back as Unknown: Answering authoritatively for domain, Authoritative name server

Conclusion:

  • Though our secondary server is up, it is not actually servicing DNS requests for the zone

Verify – DNS Server – Listening Port

Introduction

On the secondary DNS Server, let us go check our listening ports

Review Listening Ports

Syntax:

        netstat -anb | find "LISTENING"

Sample:

        netstat -anb | find "LISTENING"

Output:

Networking - Netstat - Listening Ports

Explanation:

  • We can see that the server has TCP port 53 open and listening on all interfaces on this box
  • Note that this only proves the TCP side. UDP sockets have no LISTENING state, so the find "LISTENING" filter hides them; run netstat -an without the filter and look for UDP entries on port 53 as well. DNSLint reported no response on UDP 53, and event 407 above shows the UDP bind to 24.6.18.17 failing, which is consistent with TCP being bound while UDP is not
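As an added example, not part of the original post, the following Python reads netstat -an style output and reports, per address, whether port 53 is bound for TCP and for UDP, including the case where a wildcard 0.0.0.0 binding covers an address. The netstat text is a constructed sample modelled on the situation described here (TCP bound on all interfaces, UDP bound only on some), not the post’s own capture; the addresses are taken from the post.

```python
# Added example (not from the original post): parse `netstat -an` output and find
# addresses on which DNS (port 53) is not bound for TCP, UDP or both.
# SAMPLE_NETSTAT is constructed to resemble the post's situation.
import re

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.7.49:139          0.0.0.0:0              LISTENING
  TCP    10.0.7.49:53           10.0.7.12:51022        ESTABLISHED
  UDP    10.0.7.49:53           *:*
  UDP    127.0.0.1:53           *:*
  UDP    0.0.0.0:123            *:*
"""

# Proto, local address:port, foreign address, optional state (UDP lines have none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def port53_bindings(text):
    """Return {"TCP": {addr, ...}, "UDP": {addr, ...}} for sockets bound to port 53."""
    bound = {"TCP": set(), "UDP": set()}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # header or blank line
        proto, addr, port, state = m.groups()
        if port != "53":
            continue
        if proto == "TCP" and state != "LISTENING":
            continue                          # an established connection is not a listener
        bound[proto].add(addr)
    return bound


def listening_on(bound, proto, addr):
    """True if addr is served for proto, either explicitly or via the 0.0.0.0 wildcard."""
    return addr in bound[proto] or "0.0.0.0" in bound[proto]


def missing_bindings(text, expected_addrs):
    """For each address the server is supposed to serve, list the protocols with no
    port 53 binding. An empty dict means every expected address is covered."""
    bound = port53_bindings(text)
    missing = {}
    for addr in expected_addrs:
        gaps = [p for p in ("TCP", "UDP") if not listening_on(bound, p, addr)]
        if gaps:
            missing[addr] = gaps
    return missing


if __name__ == "__main__":
    # 10.0.7.49 is the server's LAN address from the post; 24.6.18.17 is the address
    # events 407/408 say the service could not bind.
    print(missing_bindings(SAMPLE_NETSTAT, ["10.0.7.49", "24.6.18.17"]))
```

Feed it the real output (netstat -an > ports.txt, then read the file) together with the address list from Server Properties \ Interfaces; an address that shows up with "UDP" missing is exactly the state the 407 event describes.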

 

Verify – DNS Server – DLint

Introduction

One can use dlint to query DNS.

Download

Syntax:


wget [URL] -O [output-file]

Sample:

  wget http://pkgs.repoforge.org/dlint/dlint-1.4.0-0.2.el4.rf.noarch.rpm \
    -O /tmp/dlint-1.4.0-0.2.el4.rf.noarch.rpm

Output:

dlint -- wget

Install

Syntax:

sudo rpm -Uvh [rpm]

Sample:

sudo rpm -Uvh dlint-1.4.0-0.2.el4.rf.noarch.rpm

Output:

dlint -- install

 

Test

Syntax:

dlint -n [domain-name]

Sample:

dlint -n labDomain.org

Output:

dlint -n domain-name

Explanation:

  •  Error: no name servers found for domain

Upgrade Secondary Server to Primary Server

Steps

  • Launch DNS Management (dnsmgmt.msc)
  • Select the domain name
  • Right-click on the domain name and from the drop-down menu select the “Properties” option
  • In the “Properties” window, select the “General” tab
  • In the “General” tab, you will see the following values – Status: Expired, Type: Secondary
  • As Type is listed as Secondary, click on the “Change” button
  • The “Change Zone Type” window appears
  • Click on the “Primary zone” button and click on the “OK” button
  • The change is almost complete – the Status is still Expired, but the Type is Primary
  • Click on the Apply button
  • Return to the main window
  • In the “Properties” window, select the “Start of Authority (SOA)” tab
  • Change the “Primary Server” to the recently upgraded server
  • Click on the Apply button
  • Click on the domain zone
  • Right-click on the zone and from the drop-down select “Reload”
  • Restart the DNS Server service

 

Couple of quick things:

  • Please repeat similar steps for each pertinent reverse DNS zone
  • The promoted server holds the zone as of its last successful transfer; review the records before relying on them, and bump the SOA serial so any remaining secondaries pick up the change
  • When the original primary comes back, do not bring it up as a primary for the same zone. Two writable copies drift apart and resolvers get whichever one answers; convert the old server to a secondary of the promoted one before it rejoins

 

DNSMGMT – DNS – Forward Lookup Zones

DNSMgmt - Properties

DNSMGMT – DNS – Change Zone Type

Current:

DNSMgmt - Change Zone Type

Changes Started:

DNSMgmt - Change Zone Type (Revised)

Changes Ongoing:

DNSMgmt - Properties - Zone Type Changed to Primary

 

DNS – Verify – DNSLint

Steps

Run DNSLint again …

DNSLint -- Good Result

DNS Zones in Active Directory

Though I have yet to fully vet the approach of storing DNS zones in Active Directory, recall that Active Directory’s great leap over MS Windows NT 4.0 was doing away with the single primary domain controller / backup domain controller limitation in favour of multiple peer domain controllers.

Following that thought, since each domain controller holds its own writable copy of Active Directory, an AD-integrated zone is replicated to every domain controller running DNS and each of them can act as a primary for it. A zone stored that way would not have expired when one server went down, which is the failure described in this post.