Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Confused about interpreting nslookup results

First of all, I guess I don't understand what situation would come up where I'd say "Hey, let's break out nslookup!!"
Second, is this run internally or externally? Because if I'm running this on someone else's site and it comes back with "DNS request timed out" or "cannot find server", stuff like that... does that indicate a problem on their end, or my firewall?
Ugh.
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

It seems there is not a day in my life where I have not needed to fire up a good old nslookup.
nslookup allows you to query a DNS server to resolve a name to an IP address.
You can use the command to query any accessible DNS server, and you can do some cool queries that list the whole zone data when you have transfers enabled too.
If you are firing up nslookup and getting a time-out, the chances are the client you are using cannot communicate with the DNS servers correctly (these are the ones you will see via ipconfig /all). You may well get UnKnown if your client cannot do a reverse lookup (IP to name) so the server you are trying to query
Perhaps "Using NSLOOKUP for DNS Server diagnosis" may help you.
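Added example (not from the thread): a small Python triage helper that reads a pasted nslookup transcript and maps the messages discussed above (time-out, UnKnown, non-authoritative answer) to where to look next. The transcripts are constructed samples and the helper makes no network calls.

```python
"""Triage a pasted nslookup transcript: which symptom is present, and
where to look next. Constructed samples only; no network calls are made."""
import re
from typing import List, Optional

# Messages a Windows nslookup session prints, mapped to a next step.
FINDINGS = [
    (re.compile(r"DNS request timed out", re.I),
     "timeout: the client could not reach its configured DNS server "
     "(compare the servers listed by ipconfig /all, and local firewall rules)"),
    (re.compile(r"Default Server:\s+UnKnown", re.I),
     "reverse lookup failed: no PTR record for the resolver's own IP; "
     "forward lookups may still work"),
    (re.compile(r"Non-existent domain", re.I),
     "NXDOMAIN: the server answered, but the name does not exist in that zone"),
    (re.compile(r"Non-authoritative answer", re.I),
     "answer came from cache/recursion, not from the zone's authoritative server"),
]


def triage(transcript: str) -> List[str]:
    """Return every finding whose message appears in the transcript."""
    found = [meaning for pattern, meaning in FINDINGS if pattern.search(transcript)]
    return found or ["no known symptom found; the query appears to have succeeded"]


def default_server(transcript: str) -> Optional[str]:
    """Name nslookup reports for the resolver in use ('UnKnown' when no PTR)."""
    m = re.search(r"Default Server:\s+(\S+)", transcript)
    return m.group(1) if m else None


# Constructed transcript: the client cannot reach its resolver at all.
TIMEOUT_SAMPLE = """\
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  192.0.2.53
"""

# Constructed transcript: resolver reachable, answer served from its cache.
CACHED_SAMPLE = """\
Server:  resolver.example.test
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.example.test
Address:  203.0.113.10
"""

if __name__ == "__main__":
    for sample in (TIMEOUT_SAMPLE, CACHED_SAMPLE):
        print(default_server(sample), triage(sample))
```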
Post by Member, Registered Member (Join Date: Sep 2007; Location: Phoenix, AZ; Posts: 2,209; Certifications: MCITP: EA, MCSE 2003: Security, MCSA 2003: Security, MCTS, MCP, Linux+, Security+, Server+, A+)

I'll have to second stupidboy on this one. nslookup is a life saver for me. I use it all the time for verifying connectivity to internal DNS servers as well as external. Another use is verifying consistency of the returned data from an internal source with an external source. The majority of Active Directory issues I run into revolve around name resolution, so you definitely want to make sure you are nice and cozy with it.
Post by Member, Registered Member (Join Date: Aug 2008; Location: Birmingham, UK; Posts: 78; Certifications: MCSE 2003:M, MCSA 2003:M, MCTS, MCITP:EA, Symantec Technical Specialist, Watchguard Certified System Professional)

nslookup rocks!
It's a command-line tool for querying DNS. It's helpful if you want to see who the authoritative name servers for a zone are, where the mail (MX) points to, or query A records to see if multiple records exist or round robin is enabled. I use it most days. You can even list all records in a zone if zone transfers are enabled.
__________________
Currently having a break after the MCITP:EA. Citrix or Cisco next, not sure!
Post by Senior Member, Registered Member (Join Date: Feb 2009; Posts: 167; Certifications: CCNA)

I've used it already today. I was troubleshooting a VPN which is pointing to a dynamic DNS address, and to check the HQ device was resolving the address to the correct IP I did a quick nslookup, found out it wasn't, and went from there.
Problems with email usually involve nslookup with the type set to MX to query the MX record for a domain. Similarly the other records for the domain can be queried.
As said, it can be used to check DNS connectivity too.
It's a helpful tool.
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Thanks for the responses guys, this DNS stuff has been driving me nuts... I will check out that site, stupidboy, and I'm sure I'll have questions.
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): Thanks for the responses guys, this DNS stuff has been driving me nuts... I will check out that site, stupidboy, and I'm sure I'll have questions.

Feel free to ask away. I left collage and worked for and ISP so DNS was essential understanding (pre Windows 2000 and AD). Obviously DNS is the cornerstone of AD and essential knowledge for all.
Post by Piers (Senior Member, Registered Member; Join Date: May 2009; Location: Calgary; Posts: 161; Certifications: A+, Net+, Server+, MCDST, MCTS Network Infr.)

Quote (Originally Posted by stupidboy): I left collage and worked for and ISP so

I don't know if you meant to, but this cracked me up..
__________________
Currently studying 70-640, awaiting 70-682 exam
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by Piers): I don't know if you meant to, but this cracked me up..

Well I went, not to say I actually learned stuff.
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Quote (Originally Posted by stupidboy): Feel free to ask away. I left collage and worked for and ISP so DNS was essential understanding (pre Windows 2000 and AD). Obviously DNS is the cornerstone of AD and essential knowledge for all.

OK stupidboy..... I have a few questions if you have some time... let me know. I took some time off to gather myself, still confused though.
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): OK stupidboy..... I have a few questions if you have some time... let me know. I took some time off to gather myself, still confused though.

Post away dude!
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Quote (Originally Posted by stupidboy): Post away dude!

OK, I hope these make sense....
Zones are within a domain, like east or west.tdean.com?
Zones need forwarders or root hints.... forwarders are your ISP's DNS servers' IPs? And root hints basically follow the hierarchy of external authoritative DNS servers before returning an answer?
Forward lookup is different from forwarders?
When/why would one use manual DNS over DDNS?
What would indicate a problem with forwarders, zones, root hints etc.? How would a problem manifest itself on the network?
How/why would you set up non-integrated AD DNS?
Using .com externally and .net or .local internally??
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): Zones are within a domain, like east or west.tdean.com?

A zone is a DNS name space.

Quote (Originally Posted by tdean): Zones need forwarders or root hints.... forwarders are your ISP's DNS servers' IPs? And root hints basically follow the hierarchy of external authoritative DNS servers before returning an answer?

Within your DNS console you will find two types of zone: Forward and Reverse. Forward lookups resolve names to IP addresses and reverse lookups resolve IPs to names.
Forwarders can be used to forward DNS requests to other DNS servers, such as your ISP's. There are also conditional forwarders that look at the domain portion of the request and forward the DNS request based on that condition. These are useful if you know the DNS server that hosts the DNS name space, effectively short-cutting the DNS lookup.
Root hints are as you describe. These are top-level servers that are able to forward requests down the DNS hierarchy until they reach the delegated server hosting the SOA.

Quote (Originally Posted by tdean): Forward lookup is different from forwarders?

Forward lookups are name to IP (just categorised in the console for simplicity).
Forwarders resolve name to IP; however, all resolution requests are forwarded to specified hosts (like your ISP).

Quote (Originally Posted by tdean): When/why would one use manual DNS over DDNS?

In an AD, DDNS is great for getting clients registered in the DNS name space. You would not use DDNS for your public-facing DNS zones as there is the possibility to register rogue names in the zone.

Quote (Originally Posted by tdean): What would indicate a problem with forwarders, zones, root hints etc.? How would a problem manifest itself on the network?

Typically if your root hints or forwarders are not working you will not get any name resolution outside of those zones hosted locally. So if this was your internal DNS server hosting your AD name space, you will resolve zones that you are authoritative for (local AD name space); however, the server will have no way to resolve other names.

Quote (Originally Posted by tdean): How/why would you set up non-integrated AD DNS?

Integrated DNS is a DNS zone that is stored in your AD. Normally with standard zones these are stored as a flat text file on each server.
Integrated zones allow numerous servers to host the same data and allow the zone updates to occur via AD replication.
Setting up a zone as ADI is simply a check box in the zone creation. Something like "store this zone in Active Directory" during the zone creation wizard.

Quote (Originally Posted by tdean): Using .com externally and .net or .local internally??

Although there is nothing to stop you using a TLD (like .com, .net, .org etc.) it is not recommended, as it causes additional management overhead and confusion for the user base.
Recommendations for internal name spaces are things like .local, .corp or .internal. As these are not recognised TLDs there is no confusion, and it breaks the name space in two.
I think this makes sense but please question if not.
Are you reading a certification book? Which one?
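Added example, not from the thread, to illustrate the forwarders/root hints answer above: a simplified Python model of the order a Windows DNS server tries local zones, conditional forwarders, forwarders and root hints, and which names still resolve when the outside path is down. The zone names, server addresses and the no-fallback rule for a downed conditional forwarder are constructed simplifications.

```python
"""Simplified model of how a Windows DNS server picks a resolution path
(local zone, conditional forwarder, forwarder, root hints) and what still
resolves when the outside path is down. Zone and server names are constructed."""
from typing import Dict, List, Optional, Set


def resolution_path(name: str, local_zones: List[str],
                    conditional: Dict[str, str], forwarders: List[str],
                    root_hints_ok: bool, reachable: Set[str]) -> Optional[str]:
    """Describe how `name` is resolved, or return None when it cannot be."""
    name = name.lower().rstrip(".")

    def in_domain(domain: str) -> bool:
        return name == domain or name.endswith("." + domain)

    # 1. Zones hosted locally answer even with no outside connectivity.
    for zone in sorted(local_zones, key=len, reverse=True):
        if in_domain(zone):
            return f"authoritative: answered from local zone {zone}"
    # 2. Conditional forwarder: the longest matching domain suffix wins.
    for domain in sorted(conditional, key=len, reverse=True):
        if in_domain(domain):
            server = conditional[domain]
            # Simplification: no fallback when the conditional forwarder is down.
            return f"conditional forwarder: {server}" if server in reachable else None
    # 3. Ordinary forwarders, tried in order; the first reachable one is used.
    for server in forwarders:
        if server in reachable:
            return f"forwarder: {server}"
    # 4. Otherwise recurse from the root hints.
    return "root hints: recursion from the root servers" if root_hints_ok else None


def outage_comparison() -> Dict[str, Optional[str]]:
    """Same server, same queries, with the outside path up and then down."""
    local = ["corp.example.internal"]                 # constructed AD name space
    cond = {"partner.example.test": "198.51.100.53"}  # constructed partner DNS
    fwd = ["192.0.2.53"]                              # constructed ISP resolver
    results: Dict[str, Optional[str]] = {}
    # root_hints_ok is False throughout: both forwarders and root hints are "not working".
    for label, up in (("up", {"192.0.2.53", "198.51.100.53"}), ("down", set())):
        for query in ("dc01.corp.example.internal",   # local AD name: always resolves
                      "mail.partner.example.test",    # needs the conditional forwarder
                      "www.example.org"):             # needs the ISP forwarder
            results[f"{query}/{label}"] = resolution_path(
                query, local, cond, fwd, False, up)
    return results


if __name__ == "__main__":
    for key, path in outage_comparison().items():
        print(f"{key}: {path}")
```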
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Wow... thanks SB. I think I'm on the right track. I'm using the MS self-paced book and Syngress, plus other sources. I think I may have confused myself.
All the info that is in the FLZ when it's expanded, how do I determine what is necessary or not?
Is it the FLZ that won't work if the "." is located at the top? I've had to delete that before.
Also, is it unwise to flush DNS on a server because then it has to re-cache everything?
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): Wow... thanks SB. I think I'm on the right track. I'm using the MS self-paced book and Syngress, plus other sources. I think I may have confused myself.

The MS Press books are usually very good; however, the Syngress ones have declined in recent times (IMO).

Quote (Originally Posted by tdean): All the info that is in the FLZ when it's expanded, how do I determine what is necessary or not?

You should have the zones that you are authoritative for here. You will see your AD name space if this is an AD DNS server.

Quote (Originally Posted by tdean): Is it the FLZ that won't work if the "." is located at the top? I've had to delete that before.

This is an issue that affected Windows 2000 AD installations. If you installed DNS during a DCPROMO the server assumed that it was root (AKA "."), so it assumed that if it did not have a zone no one else would. In this case, where the root level zone exists, it is usually safe and desirable to remove it. With that said, there have been a couple of occasions I have seen this used as a technique for ensuring clients cannot resolve external names (secure environments).
This issue was addressed in Windows 2003 so it's safe to install DNS during the DCPROMO.

Quote (Originally Posted by tdean): Also, is it unwise to flush DNS on a server because then it has to re-cache everything?

The cache on a server is refreshed when the TTL (Time To Live) for a zone (set on the SOA record) expires and a client makes a request for those records. If your server had cached the WWW record for TechExams and 21 minutes later you wanted the record again, the DNS server would check that the cache is still valid by performing a lookup (the TTL for TechExams is 20 minutes).
If you flush the DNS cache then the server will have to resolve the address(es) again and re-cache. This just means the DNS server will take a little longer in getting the right data back to the client (not that you will actually notice the delay).
If you are using a caching-only DNS server (simply a server with no Forward Lookup zones defined) it will help reduce the number of external queries required. This can help reduce bandwidth and DNS resolution.
Don't forget that clients keep a cache of records too. You can use ipconfig /displaydns to display these records. Very useful in troubleshooting clients.
Hope this is clear enough, I am ready for bed now so I hope I am not dribbling on my keyboard.
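Added example, not from the thread: a Python model of the server-side cache that replays the 20-minute TTL and the 21-minute wait from the post, then shows what a flush costs in extra upstream queries. The upstream record table and the clock are constructed so it runs offline.

```python
"""Caching resolver model: TTL expiry versus an explicit cache flush.
The upstream table is constructed (not real DNS data) and the clock is
injected, so the thread's 20-minute TTL / 21-minute wait can be replayed."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed upstream data: name -> (address, ttl_seconds).
UPSTREAM = {
    "www.techexams.net": ("203.0.113.10", 20 * 60),  # 20-minute TTL, as in the post
}


@dataclass
class CachingResolver:
    now: float = 0.0                      # injected clock, in seconds
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (addr, expires_at)
    upstream_queries: int = 0             # how many times we had to go external

    def lookup(self, name: str) -> str:
        entry = self.cache.get(name)
        if entry and entry[1] > self.now:   # still within TTL: answer from cache
            return entry[0]
        addr, ttl = UPSTREAM[name]          # expired or missing: resolve again
        self.upstream_queries += 1
        self.cache[name] = (addr, self.now + ttl)
        return addr

    def flush(self) -> None:
        """Server-side equivalent of clearing the cache (e.g. dnscmd /clearcache)."""
        self.cache.clear()

    def advance(self, seconds: float) -> None:
        self.now += seconds


def replay_thread_scenario() -> Tuple[int, int]:
    """Return (upstream queries after the 21-minute wait, queries after a flush)."""
    r = CachingResolver()
    r.lookup("www.techexams.net")    # first request: one upstream query
    r.advance(19 * 60)
    r.lookup("www.techexams.net")    # 19 minutes: still inside the TTL, cache hit
    r.advance(2 * 60)
    r.lookup("www.techexams.net")    # 21 minutes > 20-minute TTL: re-resolved
    after_expiry = r.upstream_queries
    r.flush()
    r.lookup("www.techexams.net")    # cache flushed, so the fresh record is fetched again
    return after_expiry, r.upstream_queries


if __name__ == "__main__":
    print(replay_thread_scenario())  # (2, 3)
```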
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

This is great SB.... thanks again!! Now I need to find some practice tests. I've never seen any of these "simulation" questions...
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): This is great SB.... thanks again!! Now I need to find some practice tests. I've never seen any of these "simulation" questions...

Whatever you do, make sure your questions are above board. The last thing you want to do after all this hard work is lose the cert due to using illegal materials.
If you are unsure please check out CertGuard - Exam Security & Integrity first. It might be worth a quick visit just so you are familiar with what to look out for (so as to avoid).
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Quote (Originally Posted by stupidboy): Whatever you do, make sure your questions are above board. The last thing you want to do after all this hard work is lose the cert due to using illegal materials.
If you are unsure please check out CertGuard - Exam Security & Integrity first. It might be worth a quick visit just so you are familiar with what to look out for (so as to avoid).

Thanks for the link... I didn't mean any of the illegal stuff. I've just never seen that type of test format before. Would be nice to have an idea what I'm in for.... I mean, everyone has taken a multiple choice test at some point in their life...
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): Thanks for the link... I didn't mean any of the illegal stuff. I've just never seen that type of test format before. Would be nice to have an idea what I'm in for.... I mean, everyone has taken a multiple choice test at some point in their life...

They are usually nothing to fear... use the force and you'll be fine.
If you have used the limited labs in TestOut (it looks like there is still a demo of the LabSim) that should give you a feel. I can't think of anything else that comes close.
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

SB, sorry... got another question. This book is referring to DNS application directory "partitions". I am having a tough time grasping that because I can't disassociate disk partitions in my head. What are these and why would I want to manually create one?
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): SB, sorry... got another question. This book is referring to DNS application directory "partitions". I am having a tough time grasping that because I can't disassociate disk partitions in my head. What are these and why would I want to manually create one?

The Active Directory database is broken into partitions; these make it smaller and simpler for replication purposes. One of the partitions is for DNS and is added to when you check "store in Active Directory".
You could think of a pie sliced into smaller parts.
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

Quote (Originally Posted by stupidboy): The Active Directory database is broken into partitions; these make it smaller and simpler for replication purposes. One of the partitions is for DNS and is added to when you check "store in Active Directory".
You could think of a pie sliced into smaller parts.

Oooh, OK... damn, of all the sources I've been using, none of them explained it as simply as that. So that would be the difference between integrated and non? Integrated is a partition in the AD, non-integrated is outside of AD and has to be created manually with results stored in a txt file?
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quote (Originally Posted by tdean): Oooh, OK... damn, of all the sources I've been using, none of them explained it as simply as that. So that would be the difference between integrated and non? Integrated is a partition in the AD, non-integrated is outside of AD and has to be created manually with results stored in a txt file?

Integrated Primary (ADI) is stored in an Active Directory Application Partition (Windows 2003 and higher; Windows 2000 does not support this). The benefits here are that it is simple to manage due to the multi-master model of AD (you can administer the same data on any DC).
Standard Primary (non-ADI) zones are stored in a flat txt format in C:\Windows\system32\dns\zone.name. The zone is stored on a single server on the file system.
Secondary (non-ADI) zones are stored locally on the secondary server. This copy of the zone is read-only and updated from a Primary zone (this can be ADI or Standard).
Post by stupidboy (Senior Stupidboy, Registered Member; Join Date: Nov 2007; Location: UK; Posts: 370; Certifications: One Time at Band Camp ....)

Quick Google... this might help clear things up a little.
Post by tdean (Senior Member, Registered Member; Join Date: Mar 2009; Posts: 133)

lol.... thanks SB. Don't know why I had such a road block on that stuff.... I promise no more DNS questions!!