DNS Check :- Superfluous name server listed at parent

Background

Experienced some networking issues; specifically, Active Directory was not authenticating.

Traced the problem back to an expired domain name.

Renewed it for another two years.

DNS Server

Introduction

While at it, I checked the DNS servers to make sure they were configured correctly.

Tools

dnscheck.pingdom.com

One of the freely available tools is Pingdom's DNS check: http://dnscheck.pingdom.com.

Test Result


Textual

Superfluous name server listed at parent: ns2

A name server listed at the parent, but not at the child, was found. This is most likely an administrative error. You should update the parent to match the name servers at the child as soon as possible.

Problem Identification

Our domain registrar (the parent side of the delegation) lists ns2 as one of our name servers.

But ns2 is not listed in the NS records of the zone on our primary DNS server (the child side), so the two views of the delegation disagree.

Which side to fix depends on whether ns2 actually hosts the zone. If it does, add it to the zone's NS set (the route taken below). If it does not, remove it at the registrar instead: a delegated name server that does not answer authoritatively for the zone is a lame delegation, and resolvers that happen to pick it will fail or time out for a share of lookups.
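The check Pingdom ran here, written out in code so it can be repeated against any zone: ask the parent (a TLD server) and the child (one of the zone's own servers) for the NS set and diff the two. This is an added example, not code from the original post or from Pingdom; it speaks raw DNS wire format (RFC 1035), the lab zone name is assumed, and the two responses at the bottom are constructed so the example runs offline. query_ns does the same over UDP against a live server.

```python
"""Parent-vs-child NS comparison over raw DNS wire format.
Added example, not from the original post; sample responses are constructed."""
import socket
import struct

NS_TYPE = 2


def encode_name(name):
    """labdomain.com -> b'\\x09labdomain\\x03com\\x00'"""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=NS_TYPE, qid=0x1234, rd=0):
    """Header + one question. RD=0 on purpose: we want what the server we ask
    knows itself, not what it would fetch recursively."""
    header = struct.pack(">HHHHHH", qid, (rd & 1) << 8, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2                     # resume after the pointer
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_ns(msg):
    """Return (rcode, aa, {ns names}). NS RRs come from the answer section in
    an authoritative reply and from the authority section in a referral."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    off = 12
    for _ in range(qd):                           # skip the question
        _, off = read_name(msg, off)
        off += 4
    names = set()
    for _ in range(an + ns):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == NS_TYPE:
            names.add(read_name(msg, off)[0])
        off += rdlen
    return rcode, aa, names


def compare_delegation(parent_ns, child_ns):
    """The two findings dnscheck reports about a delegation."""
    return {"superfluous_at_parent": sorted(parent_ns - child_ns),
            "missing_at_parent": sorted(child_ns - parent_ns)}


def query_ns(server, zone, timeout=3.0):
    """Live lookup over UDP (not exercised offline): ask a TLD server for the
    parent view and one of your own servers for the child view."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(zone), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_ns(data)


# --- constructed sample responses, not captured traffic ----------------------
def build_response(zone, ns_hosts, authoritative, qid=0x1234):
    """NS RRs in the answer section when authoritative, else in the authority
    section (referral); owner names point back to the question at offset 12."""
    rr = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", NS_TYPE, 1, 3600, len(encode_name(h)))
                  + encode_name(h) for h in ns_hosts)
    flags = 0x8000 | (0x0400 if authoritative else 0)
    an, au = (len(ns_hosts), 0) if authoritative else (0, len(ns_hosts))
    return (struct.pack(">HHHHHH", qid, flags, 1, an, au, 0)
            + encode_name(zone) + struct.pack(">HH", NS_TYPE, 1) + rr)


ZONE = "labdomain.com"   # assumed lab zone, as used elsewhere in this post
PARENT_REPLY = build_response(ZONE, ["ns1.labdomain.com", "ns2.labdomain.com"], authoritative=False)
CHILD_REPLY = build_response(ZONE, ["ns1.labdomain.com"], authoritative=True)


def check_lab():
    _, _, parent = parse_ns(PARENT_REPLY)
    _, aa, child = parse_ns(CHILD_REPLY)
    if not aa:
        raise RuntimeError("child view must come from a server authoritative for the zone")
    return compare_delegation(parent, child)


if __name__ == "__main__":
    print(check_lab())   # {'superfluous_at_parent': ['ns2.labdomain.com'], 'missing_at_parent': []}
```

Note the aa check: if the server you treat as the child is not authoritative (for example because it forwards or recurses), its NS set is not the zone's own and the comparison is meaningless.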

 

Remediation

We run the Microsoft Windows DNS Server, so the fix is done through the GUI.

MMC DNS

Launch MMC, add the DNS snap-in, and connect to the DNS server.

Steps

  1. Launch MMC
  2. Add the DNS snap-in
  3. Connect to the DNS server
  4. Navigate to Forward Lookup Zones \ [Computer]
  5. Right-click the domain name
  6. From the context menu, select Properties
  7. Open the "Name Servers" tab
  8. Make the listed name servers match what is registered with your domain registrar (only add a server that actually hosts the zone)

Images

Before

After

Validate

Returned to http://dnscheck.pingdom.com/ and confirmed that the problem is resolved.

Images

Tab – Basic View

Tab – Advanced View

Microsoft – DNS – Corrective Measures ( MS Windows 2003 )

Background

I have had my share of issues with my Microsoft DNS servers lately.

I wish I could say the punishment has meant learning, but no, I am more confused than I should be.

Notes

So let us keep notes on what I am changing and why.

Backup

It goes without saying: back up your files.

DNS

  1. Back up your DNS configuration files: %SystemRoot%\System32\dns (for example C:\Windows\System32\dns), which holds the zone files and the server's own backup copies. Active Directory-integrated zones live in the directory, not in these files; dnscmd /ZoneExport writes a text copy of such a zone into the same directory.

Disable Dynamic Updates

Unless your DNS zones are Active Directory-integrated (where you can restrict updates to secure, Kerberos-authenticated ones), I suggest you disable dynamic updates. With non-secure dynamic updates enabled, any host that can reach the server on port 53 can add or overwrite records in the zone, and if the server is reachable from the Internet that includes anyone out there. The /AllowUpdate values are 0 (no dynamic updates), 1 (non-secure and secure) and 2 (secure only; AD-integrated zones only). Keep in mind that domain controllers register their own SRV and A records by dynamic update, which is why the netdiag and dcdiag steps below temporarily re-enable it.

Here is how to disable Dynamic Updates

Code


@rem /AllowUpdate: 0 = no dynamic updates, 1 = non-secure and secure, 2 = secure only (AD-integrated zones)
set "serverName=LABDC"
set "ZoneName=labdomain.com"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {0|1|2}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

GUI
DynamicUpdates

Use NetDiag /Fix

The /fix switch makes NetDiag repair the minor problems it finds; with the DNS test it re-registers the domain controller's DNS records, which only works while dynamic updates are allowed.

Temporarily allow dynamic updates, run netdiag /fix, then disable dynamic updates again.

Here are the steps:

  1. Using DNSCMD, issue the configuration command to allow updates
  2. Issue netdiag
    • /fix — fix simple errors
    • /v — verbose (debug) output
    • /d — domain name
    • /test — run a specific test
      • DefGw — default gateway
      • Dclist — domain controller list
      • DNS — DNS registration
      • Kerberos
      • Ldap
      • NbtNm — NetBIOS over TCP/IP (NetBT) name test
  3. Using DNSCMD, disable updates again

set "serverName=ADServer"
set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1


@rem netdiag /fix (the DNS test is what /fix acts on; the other tests are for the report)
netdiag /fix /v /d:%namingContext% /test:DefGw /test:Dclist /test:DNS /test:DsGetDC /test:Kerberos /test:Ldap /test:NbtNm


@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

Use DCDiag /Fix

Temporarily allow dynamic updates, run dcdiag /fix, then disable dynamic updates again.


set "serverName=ADServer"
set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1

@rem invoke dcdiag /fix
dcdiag /fix  /test:dns /s:%serverName% /n:%namingContext%


@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0

Keep in mind

If you pass an IP address instead of the host name as the server name, dcdiag still runs but the directory binding fails with error 87 (see the error message below), which limits the tests it can perform; use the domain controller's host name for /s:.


rem set "serverName=ADServer"
rem using IP Address
set "serverName=10.0.4.1"

set "ZoneName=labdomain.com"
set "namingContext=LABDOMAIN"

@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 1

dcdiag /fix  /test:dns /s:%serverName% /n:%namingContext%


@rem dnscmd serverName /Config {ZoneName|..AllZones} /AllowUpdate {1|0}
dnscmd %serverName% /Config %ZoneName% /AllowUpdate 0


Error Message

Performing initial setup:
*** Warning: could not confirm the identity of this server in
the directory versus the names returned by DNS servers.
If there are problems accessing this directory server then
you may need to check that this server is correctly registered
with DNS
[10.0.4.1] Directory Binding Error 87:
The parameter is incorrect.
This may limit some of the tests that can be performed.
Done gathering initial info.

Configure your DNS servers to look locally

Each DNS server (in our case each domain controller) should list its own IP address or the loopback address among the DNS servers on its network adapter, so that it resolves its own domain through local zone data. Here is what ours look like.

DNSServerShouldHaveOwnIPAddressOrLoopbackAddress

Register Forwarders

On the AD servers, configure forwarders to point to your ISP's DNS. Forwarders are only consulted when recursion is enabled, so on a server that is also reachable from the Internet this turns it into an open resolver for everyone; see the section on disabling recursion further down.


set "serverName=ns1"
@rem specific DNS Server IP Address for your ISP
@rem in our case Comcast
set "masterIPaddressISPDNS1=75.75.75.75"
set "masterIPaddressISPDNS2=75.75.76.76"

@rem dnscmd <ServerName> /ResetForwarders <MasterIPaddress ...>
dnscmd %serverName% /ResetForwarders %masterIPaddressISPDNS1% %masterIPaddressISPDNS2%

GUI

Server-Forwarders

Missing Forwarders

If the forwarder records are missing, dcdiag /test:dns reports errors like the ones below.

Missing Root hints

Textual

TEST: Forwarders/Root hints (Forw)

Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)

Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)

Screen Image

Server-Forwarders-Missing

Missing Root hints ptr records

Textual

Summary of test results for DNS servers used by the above domain controllers:

 DNS server: 192.203.230.10 (e.root-servers.net.)
 1 test failure on this DNS server
 This is not a valid DNS server. PTR record query for the 1.0.0.17.in-addr.arpa. failed on the DNS server 192.203.230.10

Screen Image

Server-Forwarders-Missing-Ptr

Comment

So take the advice in ChicagoTech's "Fixed Root hints list has invalid root hint server error" (easy to find via Google) and get the correct resolver addresses from your ISP, or refresh the root hints from a current root hints file.

Use 3rd Party DNS Validation Tools

3rd party validation tools help in several ways:

  1. They usually run on Unix/Linux with BIND, so they give you an independent, third-party view
    • Quite a few servers out there run Unix/Linux, so you get an instant second opinion from a different implementation
    • They give you detailed checks and error messages that you can google

Here are some that I have used:

  1. Pingdom
    http://dnscheck.pingdom.com/
  2. ripe.net
    http://dnscheck.ripe.net/

Pingdom.com

Here are the results of running our LAB domain against pingdom.com

PAGE 1

dnscheck_01

PAGE 2

dnscheck_02

Tools

Microsoft Tools

  1. DCDiag
    https://technet.microsoft.com/en-us/library/Cc731968.aspx
  2. NetDiag
    https://technet.microsoft.com/en-us/library/Cc731434.aspx

Summary

As noted above, pingdom.com reports about a baker's dozen errors and warnings.

Most of them are due to the fact that we are using the same machine for intranet and Internet traffic: an Active Directory DNS server that is also the public authoritative server for the domain.

Bad practices really do come to light on the Net!

References

Microsoft – Tools

dnscmd

  1. Dnscmd Syntax
    https://technet.microsoft.com/en-us/library/cc756116(v=ws.10).aspx

Netdiag

  1. How to use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
    https://support.microsoft.com/en-us/kb/321708

dcdiag

  1. dcdiag (Microsoft Support KB 265706)
    https://support.microsoft.com/en-us/kb/265706

Microsoft – DNS Server – Settings

Forwarders

  1. Configure forwarders for a DNS server
    https://technet.microsoft.com/en-us/library/cc755608(v=ws.10).aspx

mcpmag.com

  1. 10 DNS Errors That Will Kill Your Network
    https://mcpmag.com/articles/2004/05/01/10-dns-errors-that-will-kill-your-network.aspx

University of Oxford

  1. Configuring DNS to support Active Directory using a Private Internal Name
    https://help.it.ox.ac.uk/windows/active/dns/internaldomain/index

ServerLab

  1. Using Linux BIND DNS Servers for Active Directory Domains
    http://www.serverlab.ca/tutorials/linux/network-services/using-linux-bind-dns-servers-for-active-directory-domains/

Tver State University, Russia

  1. Managing the DNS Server Configuration
    http://edc.tversu.ru/elib/inf/0034/0596005628_dnswinsvr-chp-13-sect-3.html

Tech Republic

Conditional Forwarding

  1. Step-By-Step: Standard and conditional forwarding in Windows 2003 DNS
    http://www.techrepublic.com/article/step-by-step-standard-and-conditional-forwarding-in-windows-2003-dns/

WindowsNetworking.com

Conditional Forwarding

  1. Configuring Forwarders using DNSCMD
    http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Network/ConfiguringForwardersusingDNSCMD.html
  2. DNS Conditional Forwarding in Windows Server 2003
    http://www.windowsnetworking.com/articles-tutorials/windows-2003/DNS_Conditional_Forwarding_in_Windows_Server_2003.html

Domain Manager Cleanup

  1. How to remove orphaned Domain Controller’s DNS records?
    http://serverfault.com/questions/595419/how-to-remove-orphaned-domain-controllers-dns-records
  2. Clean Up Server Metadata
    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx
  3. Remove Active Directory Domain Controller Metadata
    https://gallery.technet.microsoft.com/scriptcenter/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Microsoft – DNS Server – Disabling Recursion

Background

I would like to start a series of articles on how to harden a Microsoft DNS server.

Before we dig in too deep, let us first talk about the weeds out there.

What prompts us

Reviewing the MS Windows Event Viewer, we discovered entries (Event ID 5504) that look like this:

Textual:


The DNS server encountered an invalid domain name in a packet from 90.23.83.107. The packet will be rejected. The event data contains the DNS packet.

Image:

EventID-5504-InvalidDomainName

Data

Since we are referred to the "event data", let us try to make sense of it:

EventID-5504-InvalidDomainName-Data

.cz

What does the error mean?

It means that the host at w.x.y.z sent us a DNS packet containing a name that our server rejected as invalid. In the captures below, the traffic behind these events turned out to be queries for names outside the zones we host (a .cz domain), which only make sense if the sender expects us to recurse on its behalf.

The reasons are myriad and can include:

  • An application on that host is sending DNS queries directly to us
  • The query came from another DNS server (or resolver) that has been configured to forward requests to us
  • The source address is spoofed and the "host" is really the target of a reflection attack that uses our server as the amplifier (see the burst of identical ANY queries captured below)

Network Monitoring

Let us use a network monitoring tool to read the network requests.

As we already have the Microsoft Network Monitor installed, we will use it.

Configure Microsoft Network Monitoring Tool

Filter

I suggest that you tighten the filter and only bring in DNS traffic.

You can do so from the application's menu.

In our version: Filter \ Load Filter \ Standard Filters \ DNS \ Protocol Filter – DNS

Here is what the Application generates based on this request:

applyDNSFilter

Click the "Apply" button to apply the filter.

Output

We want to correlate network traffic with entries in the MS Event Viewer, so we add "Time Date Local Adjusted" to the columns on display.

That way we can match specific Event Viewer entries with what the network monitor captured.

To do so, please click on the Columns \ Choose Columns:

ChooseFrameSummaryColumns

Here is what things look like once "Time Date Local Adjusted" has been moved from the "Select the desired columns" area to the "Enabled Columns" area.

ChooseFrameSummaryColumns-After

Our domain, but a nonexistent host name

  DNS Query Request

xmqgzjczmg-request

Explanation:

  1. The remote host sends UDP requests to our port 53 (DNS)
  2. The Query ID is 0x4F2 (1266 decimal)
  3. The full query is xmq.[full-domain-name]

DNS Query Response

xmqgzjczmg-response-nameerror

Explanation:

  1. We replied via UDP from port 53 (DNS)
  2. The Query ID is 0x4F2 (1266 decimal), matching the request
  3. Our reply code is "Rcode = Name Error" (NXDOMAIN): the name does not exist in the zone we host

Invalid Domain

DNS Query Request

request@014658

Quick Explanation:

  1. We are receiving numerous simultaneous DNS requests bearing the same Query ID, 26025 (0x65A9)
  2. The query is for 067.cz and requests "all" records (QTYPE ANY)
  3. We can also confirm from the request dump that recursion is desired (Recursion Desired = 1)

DNS Query Response

response@014658

Quick Explanation:

  1. On behalf of the requester, our DNS server queried 77.78.104.139 and fetched the data
  2. The query is for 067.cz and requests "all" records (QTYPE ANY)
  3. The response echoes Recursion Desired = 1 from the request
  4. We received the following set of data
    • All name servers (ns1, ns2, ns3)
    • SOA (Start of Authority)
    • MX (Mail)
    • spf1 (Sender Policy Framework TXT record)

A burst of identical ANY queries (same Query ID, RD=1) for a name we do not host, answered with a large record set, is the signature of a DNS amplification attack: our server is being used as an open resolver, and the source address is very likely spoofed to point at the victim. Blocking that address punishes the victim; the fix is to stop recursing for names we do not host.
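The same judgement, applied mechanically to a capture so it can run over a whole day of traffic instead of one frame. This is an added example and not code from the original post: the capture lines are constructed to mirror the two traces above (repeated ANY queries for 067.cz, a random label under our own zone) plus two extra sources, using documentation address ranges; the hosted zone and the internal address prefix are assumptions.

```python
"""Flag open-resolver abuse in a DNS query capture summary.
Added example, not from the original post; capture lines are constructed."""
from collections import defaultdict

HOSTED_ZONES = {"labdomain.com"}       # assumption: zones this server is authoritative for
INTERNAL_PREFIXES = ("10.",)           # assumption: our internal address range

# Constructed capture summary: time src dst query-id qname qtype rd
CAPTURE = """\
09:35:01.100 203.0.113.7  10.0.7.49 0x65A9 067.cz ANY 1
09:35:01.101 203.0.113.7  10.0.7.49 0x65A9 067.cz ANY 1
09:35:01.102 203.0.113.7  10.0.7.49 0x65A9 067.cz ANY 1
09:35:01.103 203.0.113.7  10.0.7.49 0x65A9 067.cz ANY 1
09:35:01.104 203.0.113.7  10.0.7.49 0x65A9 067.cz ANY 1
09:35:02.000 198.51.100.9 10.0.7.49 0x04F2 xmqgzjczmg.labdomain.com A 1
09:35:03.000 10.0.7.20    10.0.7.49 0x1A2B labdomain.com MX 1
09:35:04.000 10.0.7.21    10.0.7.49 0x3C4D www.example.org A 1
09:35:05.000 192.0.2.44   10.0.7.49 0x7E1F mail.example.net MX 1
"""


def parse_line(line):
    time, src, dst, qid, qname, qtype, rd = line.split()
    return {"time": time, "src": src, "dst": dst, "qid": int(qid, 16),
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper(), "rd": rd == "1"}


def in_hosted_zone(qname, zones=HOSTED_ZONES):
    return any(qname == z or qname.endswith("." + z) for z in zones)


def analyze(capture, threshold=3):
    """Group queries by source. An external source sending repeated ANY queries
    with RD=1, one reused transaction id, for a name we do not host matches the
    reflection/amplification pattern in the trace above. Any other external
    source asking us to recurse is simply using us as an open resolver."""
    per_src = defaultdict(lambda: {"total": 0, "recursive_external": 0,
                                   "any": 0, "qids": set(), "names": set()})
    for line in capture.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        s = per_src[q["src"]]
        s["total"] += 1
        s["qids"].add(q["qid"])
        s["names"].add(q["qname"])
        if q["qtype"] == "ANY":
            s["any"] += 1
        if q["rd"] and not in_hosted_zone(q["qname"]):
            s["recursive_external"] += 1

    findings = []
    for src, s in sorted(per_src.items()):
        if src.startswith(INTERNAL_PREFIXES):
            continue                      # internal clients are allowed to recurse
        if s["recursive_external"] == 0:
            continue                      # only asked about zones we host: legitimate
        if s["any"] >= threshold and len(s["qids"]) == 1:
            verdict = ("amplification: repeated ANY, RD=1, single query id; "
                       "the source is probably the spoofed victim")
        else:
            verdict = "external client using this server as a recursive resolver"
        findings.append({"src": src, "queries": s["total"],
                         "names": sorted(s["names"]), "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in analyze(CAPTURE):
        print(f["src"], f["queries"], f["verdict"])
```

Either finding means the server is recursing for the Internet; the remedy is the configuration change in the next section, not a firewall rule per source.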

 

Resolution

Server – Properties – Advanced Tab

Disable recursion – GUI

ServerConfiguration

Disable recursion – Command Line


dnscmd . /config /norecursion 1

The same option in the GUI is labelled "Disable recursion (also disables forwarders)": with recursion off, the server answers only for the zones it hosts and no longer uses the forwarders configured earlier.

Disable recursion – Query

Syntax


     dnscmd . /info

Output

dnscmdInfo

Explanation

  1. In the “Configuration flags” section, fNoRecursion is set to 1

What is the implication?

Service Internal Clients

Can we still properly service DNS queries for our internal clients?

Queries for Authoritative Domains

Query

Syntax:


    nslookup -querytype=MX FQDN. nameserver

 Sample:


    nslookup -querytype=MX labdomain.com. 10.0.7.49

Explanation:

  1. The request is pretty straightforward
  2. The trailing period marks the name as fully qualified, so nslookup sends it as-is instead of appending the DNS suffix search list
  3. We are asking our DNS server (10.0.7.49) for mail (MX) records

Output:

Image:

internalMXCommandLine.0935AM

Explanation:

  1. We received back our MX record

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for our own domain

Request Trace – Response

internalMXResponseCropped

Explanation:

  1. Response
    • We are authoritative (AA flag set)
    • We replied with MX record(s)

Queries for Non-Authoritative Domains

Query

Syntax:


    nslookup -querytype=MX FQDN. nameserver

 Sample:


    nslookup -querytype=MX talend.com. 10.0.7.49

Explanation:

  1. We are asking our DNS server (10.0.7.49) for mail (MX) records for the Talend (talend.com) domain, which we do not host
  2. Again, notice the trailing period after the domain name

Output:

Image:

externalTalendMXConsole

Explanation:

  1. We replied with “can’t find talend.com.: Server failed

Request Trace – Incoming

internalMXRequestCropped

Explanation:

  1. We are requesting MX records for a domain we do not host

Request Trace – Response

externalTalendMXResponse.1042AM

Explanation:

  1. Response
    • We replied with “Server failure
    • Question Count is 1 (0x1)
    • Answer Count is 0 (0x0)

Summary

Once we disabled recursion, we stopped seeing the errors about "invalid domain name".

The trade-off is visible in the talend.com test above: this server no longer resolves anything outside the zones it hosts, for internal clients too, since disabling recursion also disables the forwarders. Internal clients therefore need a separate resolver, and the underlying problem remains that an Active Directory DNS server is reachable from the Internet at all.

We have other areas to cover and will do so in subsequent posts.
