Confused about interpreting nslookup results

First of all, I guess I don't understand what situation would come up where I'd say "Hey, let's break out nslookup!!"
Second, is this run internally or externally? Because if I'm running this on someone else's site and it comes back "DNS request timed out" or "cannot find server", stuff like that... does that indicate a problem on their end? Or my firewall?

ugh


Comments

  • stupidboy Member Posts: 470
    It seems there is not a day in my life where I have not needed to fire up a good old nslookup.

    nslookup allows you to query a DNS server to resolve a name to an IP address.

    You can use the command to query any accessible DNS server and you can do some cool queries that list the whole zone data when you have transfers enabled too.

    If you are firing up nslookup and getting a time-out, the chances are the client you are using cannot communicate with the DNS servers correctly (these are the ones you will see via ipconfig /all). You may well get UnKnown if your client cannot do a reverse lookup (IP to name) so the server you are trying to query

    Perhaps Using NSLOOKUP for DNS Server diagnosis may help you.
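To make the "time-out versus their end" question concrete, here is an added example (not from the thread, and not nslookup's own code) that classifies nslookup transcripts in the Windows output style. The four sample transcripts, the host names (example.com) and the addresses (192.0.2.0/24) are constructed for this example; the point is the distinction the post draws: a time-out means the client never reached the resolver listed under Server/Address, while "Non-existent domain" is an answer from that resolver, and "UnKnown" only means the resolver's own reverse lookup failed.

```python
import re

# Constructed sample nslookup transcripts in the Windows output style.
# None were captured from a real host: names use example.com and the
# addresses come from the 192.0.2.0/24 documentation range.
SAMPLES = {
    # Client never got a reply. Says nothing about the remote domain; the
    # resolver listed under Server/Address (from ipconfig /all) is unreachable,
    # or port 53 is being dropped between the client and that resolver.
    "timeout": (
        "DNS request timed out.\n"
        "    timeout was 2 seconds.\n"
        "Server:  UnKnown\n"
        "Address:  192.0.2.53\n"
        "\n"
        "DNS request timed out.\n"
        "    timeout was 2 seconds.\n"
        "*** Request to UnKnown timed-out\n"
    ),
    # The resolver replied and says the name does not exist (NXDOMAIN):
    # a typo, or a problem on the remote domain's side, not the client's.
    "nxdomain": (
        "Server:  dns1.example.net\n"
        "Address:  192.0.2.53\n"
        "\n"
        "*** dns1.example.net can't find nosuchhost.example.com: Non-existent domain\n"
    ),
    # Only the reverse (PTR) lookup of our own resolver failed, hence
    # "UnKnown"; the forward query itself succeeded from cache.
    "a_record": (
        "*** Can't find server name for address 192.0.2.53: Non-existent domain\n"
        "Server:  UnKnown\n"
        "Address:  192.0.2.53\n"
        "\n"
        "Non-authoritative answer:\n"
        "Name:    www.example.com\n"
        "Address:  192.0.2.10\n"
    ),
    # Shape of the output of:  nslookup -type=mx example.com
    "mx": (
        "Server:  dns1.example.net\n"
        "Address:  192.0.2.53\n"
        "\n"
        "Non-authoritative answer:\n"
        "example.com     MX preference = 10, mail exchanger = mail.example.com\n"
        "example.com     MX preference = 20, mail exchanger = mail2.example.com\n"
    ),
}

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)")
IP_RE = re.compile(r"^\s*([0-9A-Fa-f:.]+)$")


def interpret(output):
    """Classify one nslookup transcript. Keys: status ('timeout', 'nxdomain',
    'answer', 'no-data' or 'error: <reason>'), server, server_address,
    reverse_lookup_failed, authoritative, name, records."""
    result = {"status": None, "server": None, "server_address": None,
              "reverse_lookup_failed": False, "authoritative": True,
              "name": None, "records": []}
    section = None   # 'server' after a Server: line, 'answer' once answer data starts
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("*** Can't find server name for address"):
            result["reverse_lookup_failed"] = True      # PTR of our resolver failed only
        elif line.startswith(("Server:", "Default Server:")):
            result["server"] = line.split(":", 1)[1].strip()
            section = "server"
        elif line.startswith("Non-authoritative answer:"):
            result["authoritative"] = False             # served from a cache
            section = "answer"
        elif line.startswith("DNS request timed out") or line.endswith("timed-out"):
            result["status"] = "timeout"
        elif "can't find" in line:
            reason = line.rsplit(":", 1)[-1].strip()
            result["status"] = ("nxdomain" if reason == "Non-existent domain"
                                else "error: " + reason)
        elif line.startswith("Name:"):
            result["name"] = line.split(":", 1)[1].strip()
            section = "answer"
        elif line.startswith(("Address:", "Addresses:")):
            value = line.split(":", 1)[1].strip()
            if section == "server":
                result["server_address"] = value
            else:
                result["records"].append(("A", value))
        elif MX_RE.match(line):
            _, pref, host = MX_RE.match(line).groups()
            result["records"].append(("MX", int(pref), host))
        elif section == "answer" and IP_RE.match(line):
            result["records"].append(("A", IP_RE.match(line).group(1)))  # continuation line
    if result["status"] is None:
        result["status"] = "answer" if result["records"] else "no-data"
    return result


def explain(result):
    """One-line diagnosis answering 'their end or my firewall?'."""
    if result["status"] == "timeout":
        return ("no reply from %s (%s): check this client's DNS settings and the path "
                "to that resolver on port 53; the remote domain is not implicated"
                % (result["server"], result["server_address"]))
    if result["status"] == "nxdomain":
        return "resolver answered: the name does not exist (typo or the remote zone is missing it)"
    if result["status"] == "answer":
        src = "authoritative" if result["authoritative"] else "cached"
        return "%s answer with %d record(s)" % (src, len(result["records"]))
    return result["status"]


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, "->", explain(interpret(text)))
```

Run it as-is to see the four diagnoses; to use it on your own machine, paste a real transcript into `interpret()`. A time-out with "UnKnown" as the server is the combination the original question describes: the client could not even reverse-resolve its configured resolver, let alone query it, so the fault is between the client and the resolver in ipconfig /all, not at the remote site.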
  • undomiel Member Posts: 2,818
    I'll have to second stupidboy on this one. nslookup is a life saver for me. I use it all the time for verifying connectivity to internal DNS servers as well as external. Another use is verifying consistency of the returned data from an internal source with an external source. The majority of Active Directory issues I run into revolve around name resolution so you definitely want to make sure you are nice and cozy with it.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • Graham_84 Member Posts: 85
    nslookup rocks!

    It's a command line tool for querying DNS. It's helpful if you want to see who the authoritative name servers for a zone are, where the mail (MX) points to, or query A records to see whether multiple records exist or round robin is enabled. I use it most days. You can even list all records in a zone if zone transfers are enabled.
    Currently having a break after the MCITP:EA. Citrix or Cisco next, not sure!
  • Neeko Member Posts: 170
    I've used it already today. I was troubleshooting a VPN which is pointing to a dynamic DNS address, and to check the HQ device was resolving the address to the correct IP I did a quick nslookup and found out it wasn't, and went from there.

    Problems with email usually involve nslookup with the type set to MX to query the MX record for a domain. Similarly the other records for the domain can be queried.

    As said, can be used to check DNS connectivity too.

    It's a helpful tool.
  • tdean Member Posts: 520
    Thanks for the responses guys, this DNS stuff has been driving me nuts... I will check out that site, stupidboy, and I'm sure I'll have questions.
  • stupidboy Member Posts: 470
    tdean wrote: »
    Thanks for the responses guys, this DNS stuff has been driving me nuts... I will check out that site, stupidboy, and I'm sure I'll have questions.

    Feel free to ask away. I left collage and worked for and ISP so DNS was essential understanding (pre Windows 2000 and AD). Obviously DNS is the corner stone of AD and essential knowledge for all.
  • Piers Member Posts: 454
    stupidboy wrote: »
    . I left collage and worked for and ISP so

    I don't know if you meant to, but this cracked me up..
    Office 365 70-347 / 698 later
  • stupidboy Member Posts: 470
    Piers wrote: »
    I don't know if you meant to, but this cracked me up..

    Well I went, not to say I actually learned stuff
  • tdean Member Posts: 520
    stupidboy wrote: »
    Feel free to ask away. I left collage and worked for and ISP so DNS was essential understanding (pre Windows 2000 and AD). Obviously DNS is the corner stone of AD and essential knowledge for all.

    OK stupidboy... I have a few questions if you have some time... let me know. I took some time off to gather myself, still confused though.
  • stupidboy Member Posts: 470
    tdean wrote: »
    OK stupidboy... I have a few questions if you have some time... let me know. I took some time off to gather myself, still confused though.

    Post away dude!
  • tdean Member Posts: 520
    stupidboy wrote: »
    Post away dude!
    OK, I hope these make sense....

    Zones are within a domain, like east or west.tdean.com?

    Zones need forwarders or root hints.... Forwarders are your ISP's DNS servers' IPs? And root hints basically follow the hierarchy of external authoritative DNS servers before returning an answer?

    Forward lookup different from forwarders?

    When/why would one use manual DNS over DDNS?

    What would indicate a problem with forwarders, zones, root hints etc.? How would a problem manifest itself on the network?

    How/why would you set up non-integrated AD DNS?

    Using .com externally and .net or .local internally??
  • stupidboy Member Posts: 470
    tdean wrote: »
    Zones are within a domain, like east or west.tdean.com?

    A zone is a DNS name space.
    tdean wrote: »
    Zones need forwarders or root hints.... Forwarders are your ISP's DNS servers' IPs? And root hints basically follow the hierarchy of external authoritative DNS servers before returning an answer?

    Within your DNS console you will find two types of zone: Forward and Reverse. Forward lookups resolve names to IP addresses and reverse lookups IP addresses to names.

    Forwarders can be used to forward DNS requests to other DNS servers, such as your ISP. There are also conditional forwarders that look at the domain portion of the request and forward the DNS request based on that condition. These are useful if you know the DNS server that hosts the DNS name space, effectively short-cutting the DNS lookup.

    Root hints are as you describe. These are top level servers that are able to forward requests down the DNS hierarchy until they reach the delegated server hosting the SOA.
    tdean wrote: »
    Forward lookup different from forwarders?

    Forward lookups are name to IP (just categorised in the console for simplicity).

    Forwarders resolve name to IP, however, all resolution requests are forwarded to specified hosts (like your ISP).
    tdean wrote: »
    When/why would one use manual DNS over DDNS?

    In AD, DDNS is great for getting clients registered in the DNS name space. You would not use DDNS for your public facing DNS zones as there is the possibility to register rogue names in the zone.
    tdean wrote: »
    What would indicate a problem with forwarders, zones, root hints etc.? How would a problem manifest itself on the network?

    Typically if your root hints or forwarders are not working you will not get any name resolution outside of those zones hosted locally. So if this was your internal DNS server hosting your AD name space you will resolve zones that you are authoritative for (local AD name space), however, the server will have no way to resolve other names.
    tdean wrote: »
    How/why would you set up non-integrated AD DNS?

    Integrated DNS is a DNS zone that is stored in your AD. Normally with standard zones these are stored as a flat text file on each server.

    Integrated zones allow numerous servers to host the same data and allow the zone updates to occur via AD replication.

    Setting up a zone as ADI is simply a check box in the zone creation. Something like "store this zone in Active Directory" during the zone creation wizard.
    tdean wrote: »
    Using .com externally and .net or .local internally??

    Although there is nothing to stop you using a TLD (like .com .net .org etc.) it is not recommended as it causes additional management overhead and confusion for the user base.

    Recommendations for internal name spaces are things like .local, .corp or .internal. As these are not recognised TLDs there is no confusion and it breaks the name space in two.

    I think this makes sense but please question if not.

    Are you reading a certification book? Which one?
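The relationship between authoritative zones, conditional forwarders, forwarders and root hints described in the reply above, and the way a forwarder outage shows up (internal names still resolve, everything else fails), can be modelled in a few lines. The following is an added example, not Windows DNS code or anything from the thread: the zone contents, forwarder addresses and which servers count as "reachable" are constructed, and the fall-back from dead forwarders to root hints is an assumption modelled on the "use root hints if no forwarders are available" behaviour.

```python
# Constructed model of how a recursive DNS server picks a source for a query.
# Zone data, forwarder addresses and reachability are all made up here.

LOCAL_ZONES = {                       # zones this server is authoritative for (holds the SOA)
    "corp.local": {"dc1.corp.local": "10.0.0.10", "dc2.corp.local": "10.0.0.11"},
}
CONDITIONAL_FORWARDERS = {            # domain -> server known to host that name space
    "partner.example": "198.51.100.53",
}
FORWARDERS = ["192.0.2.53"]           # e.g. your ISP's resolvers
ROOT_HINTS = ["198.41.0.4"]           # a root server; tried only if all forwarders fail


def authoritative_zone(name):
    """Longest local zone that contains name, or None."""
    for zone in sorted(LOCAL_ZONES, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def conditional_forwarder(name):
    """Server configured for the domain portion of name, or None."""
    for domain, server in CONDITIONAL_FORWARDERS.items():
        if name == domain or name.endswith("." + domain):
            return server
    return None


def resolve(name, reachable):
    """Return (source, detail, tried).

    source: 'authoritative' (detail = IP, or None for NXDOMAIN from our own zone),
            'conditional-forwarder', 'forwarder' or 'root-hints' (detail = server
            asked), or 'unresolvable' when no external server answered.
    tried:  the external servers contacted, in order.
    """
    tried = []
    zone = authoritative_zone(name)
    if zone is not None:
        # We own the zone: answer from local data, no outside help needed.
        return ("authoritative", LOCAL_ZONES[zone].get(name), tried)

    candidates = []
    cf = conditional_forwarder(name)
    if cf:
        candidates.append(("conditional-forwarder", cf))   # short-cuts the lookup
    candidates += [("forwarder", f) for f in FORWARDERS]
    # Assumed fall-back: walk the hierarchy from the root when forwarders are down.
    candidates += [("root-hints", r) for r in ROOT_HINTS]

    for source, server in candidates:
        tried.append(server)
        if server in reachable:
            return (source, server, tried)
    return ("unresolvable", None, tried)


if __name__ == "__main__":
    everything = set(FORWARDERS + ROOT_HINTS + list(CONDITIONAL_FORWARDERS.values()))
    isp_down = everything - set(FORWARDERS)
    isolated = set()                 # nothing outside the LAN answers
    for name in ("dc1.corp.local", "nosuch.corp.local", "www.partner.example", "www.example.com"):
        for label, reach in (("all up", everything), ("ISP down", isp_down), ("isolated", isolated)):
            print("%-20s %-9s %s" % (name, label, resolve(name, reach)[:2]))
```

The "isolated" column reproduces the symptom from the reply: corp.local names (and NXDOMAIN for names under it) are still answered from zone data without any network traffic, while www.example.com fails after every forwarder and root hint has been tried.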
  • tdean Member Posts: 520
    Wow... thanks SB. I think I'm on the right track. I'm using the MS self-paced book and Syngress, plus other sources. I think I may have confused myself.

    All the info that is in the FLZ when it's expanded, how do I determine what is necessary or not?

    Is it the FLZ that won't work if the "." is located at the top? I've had to delete that before.

    Also, is it unwise to flush DNS on a server b/c then it has to recache everything?
  • stupidboy Member Posts: 470
    tdean wrote: »
    Wow... thanks SB. I think I'm on the right track. I'm using the MS self-paced book and Syngress, plus other sources. I think I may have confused myself.

    The MS Press books are usually very good, however, the Syngress ones have declined in recent times (IMO).
    tdean wrote: »
    All the info that is in the FLZ when it's expanded, how do I determine what is necessary or not?

    You should have the zones that you are authoritative for here. You will see your AD name space if this is an AD DNS server.
    tdean wrote: »
    Is it the FLZ that won't work if the "." is located at the top? I've had to delete that before.

    This is an issue that affected Windows 2000 AD installations. If you installed DNS during a DCPROMO the server assumed that it was root (AKA ".") so it assumed that if it did not have a zone no one else would. In this case where the root level zone exists it is usually safe and desirable to remove it. With that said, there have been a couple of occasions I have seen this used as a technique for ensuring clients cannot resolve external names (secure environments).

    This issue was addressed in Windows 2003 so it's safe to install DNS during the DCPROMO.
    tdean wrote: »
    Also, is it unwise to flush DNS on a server b/c then it has to recache everything?

    The cache on a server is refreshed when the TTL (Time To Live) for a zone (set on the SOA record) expires and a client makes a request for those records. If your server had cached the WWW record for TechExams and 21 minutes later you wanted the record again, the DNS server would check that the cache is still valid by performing a lookup (the TTL for TechExams is 20 minutes).

    If you flush the DNS cache then the server will have to resolve the address(es) again and re-cache. This just means the DNS server will take a little longer in getting the right data back to the client (not that you will actually notice the delay).

    If you are using a caching only DNS server (simply a server with no Forward Lookup zones defined) it will help reduce the number of external queries required. This can help reduce bandwidth and DNS resolution.

    Don't forget that clients keep a cache of records too. You can use ipconfig /displaydns to display these records. Very useful in troubleshooting clients.

    Hope this is clear enough, I am ready for bed now so I hope I am not dribbling on my keyboard :)
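The TTL and flush behaviour described above (cache hit inside the TTL, a fresh upstream lookup at 21 minutes for a 20-minute record, and a flush simply forcing one more upstream lookup per name) is easy to see in a small caching-resolver model. This is an added example, not Windows DNS code or anything posted in the thread; the upstream zone data, IPs and TTLs are constructed, with the 20-minute TTL chosen to match the TechExams figure quoted in the reply.

```python
# Constructed model of a caching DNS server. The "upstream" answers below stand
# in for what an authoritative server would return: (ip, ttl in seconds).
UPSTREAM = {
    "www.techexams.net": ("192.0.2.80", 20 * 60),   # 20-minute TTL, as in the reply
    "www.example.com": ("192.0.2.10", 3600),
}


class CachingResolver:
    def __init__(self):
        self.cache = {}            # name -> (ip, expires_at)
        self.upstream_queries = 0  # external lookups actually sent


    def lookup(self, name, now):
        """Return (ip, source, ttl_to_client) for a query made at time `now`."""
        entry = self.cache.get(name)
        if entry is not None and now < entry[1]:
            ip, expires_at = entry
            # A caching server hands the client the *remaining* TTL, not the original.
            return (ip, "cache", expires_at - now)
        # Expired or never seen: go upstream and cache the fresh answer.
        self.upstream_queries += 1
        if name not in UPSTREAM:
            return (None, "upstream", 0)   # NXDOMAIN; negative caching not modelled
        ip, ttl = UPSTREAM[name]
        self.cache[name] = (ip, now + ttl)
        return (ip, "upstream", ttl)

    def flush(self):
        """Equivalent of clearing the server cache: forget everything. The only
        cost is one extra upstream lookup per name the next time it is asked for."""
        self.cache.clear()


def scenario():
    """Replay the reply's timeline; returns ([(t, source), ...], upstream_queries)."""
    r = CachingResolver()
    events = []
    for t in (0, 10 * 60, 21 * 60):      # first query, 10 min later, 21 min later
        _, source, _ = r.lookup("www.techexams.net", t)
        events.append((t, source))
    r.flush()                             # flush right after the 21-minute refresh
    _, source, _ = r.lookup("www.techexams.net", 21 * 60 + 1)
    events.append((21 * 60 + 1, source))
    return events, r.upstream_queries


if __name__ == "__main__":
    events, n = scenario()
    for t, source in events:
        print("t=%5ds  answered from %s" % (t, source))
    print("upstream lookups sent:", n)
```

The 10-minute query is served from cache with 600 seconds of TTL left, the 21-minute query goes upstream because the 20-minute TTL has expired, and the post-flush query goes upstream once more even though the record was refreshed a second earlier: three external lookups in total instead of four, which is the bandwidth saving the reply mentions, and nothing breaks because of the flush.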
  • tdean Member Posts: 520
    This is great SB.... thanks again!! Now I need to find some practice tests. I've never seen any of these "simulation" questions...
  • stupidboy Member Posts: 470
    tdean wrote: »
    This is great SB.... thanks again!! Now I need to find some practice tests. I've never seen any of these "simulation" questions...

    Whatever you do, make sure your questions are above board. The last thing you want to do after all this hard work is lose the cert due to using illegal materials.

    If you are unsure please check out CertGuard - Exam Security & Integrity first. It might be worth a quick visit just so you are familiar with what to look out for (so as to avoid).
  • tdean Member Posts: 520
    stupidboy wrote: »
    Whatever you do, make sure your questions are above board. The last thing you want to do after all this hard work is lose the cert due to using illegal materials.

    If you are unsure please check out CertGuard - Exam Security & Integrity first. It might be worth a quick visit just so you are familiar with what to look out for (so as to avoid).
    Thanks for the link... I didn't mean any of the illegal stuff. I've just never seen that type of test format before. Would be nice to have an idea what I'm in for.... I mean, everyone has taken a multiple choice test at some point in their life...
  • stupidboy Member Posts: 470
    tdean wrote: »
    Thanks for the link... I didn't mean any of the illegal stuff. I've just never seen that type of test format before. Would be nice to have an idea what I'm in for.... I mean, everyone has taken a multiple choice test at some point in their life...

    They are usually nothing to fear ... use the force and you'll be fine.

    If you have used the limited labs in TestOut (looks like there is still a demo of the LabSim) it should give you a feel. I can't think of anything else that comes close.
  • tdean Member Posts: 520
    SB, sorry... got another question. This book is referring to DNS application directory "partitions". I am having a tough time grasping that b/c I can't disassociate disk partitions in my head. What are these and why would I want to manually create one?
  • stupidboy Member Posts: 470
    tdean wrote: »
    SB, sorry... got another question. This book is referring to DNS application directory "partitions". I am having a tough time grasping that b/c I can't disassociate disk partitions in my head. What are these and why would I want to manually create one?

    The Active Directory database is broken into partitions; these make it smaller and simpler for replication purposes. One of the partitions is for DNS and is added to when you check "store in Active Directory".

    You could think of a pie sliced into smaller parts.
  • tdean Member Posts: 520
    stupidboy wrote: »
    The Active Directory database is broken into partitions; these make it smaller and simpler for replication purposes. One of the partitions is for DNS and is added to when you check "store in Active Directory".

    You could think of a pie sliced into smaller parts.
    Oooh, OK... damn, of all the sources I've been using, none of them explained it as simply as that. So that would be the difference between integrated and non? Integrated is a partition in the AD, non-integrated is outside of AD and has to be created manually with results stored in a txt file?
  • stupidboy Member Posts: 470
    tdean wrote: »
    Oooh, OK... damn, of all the sources I've been using, none of them explained it as simply as that. So that would be the difference between integrated and non? Integrated is a partition in the AD, non-integrated is outside of AD and has to be created manually with results stored in a txt file?

    Integrated Primary (ADI) is stored in an Active Directory Application Partition (Windows 2003 and higher, Windows 2000 does not support this) - The benefits here are it is simple to manage due to the multi-master model of AD (you can administer the same data on any DC).

    Standard Primary (non-ADI) is stored as a flat txt format in C:\Windows\system32\dns\zone.name - The zone is stored on a single server on the file system.

    Secondary (non-ADI) is stored locally on the secondary server. This copy of the zone is read-only and updated from a Primary zone (this can be ADI or Standard).
  • stupidboy Member Posts: 470
    Quick Google ... this might help clear things up a little
  • tdean Member Posts: 520
    lol.... thanks SB. Don't know why I had such a road block on that stuff.... I promise no more DNS questions!!
  • stupidboy Member Posts: 470
    tdean wrote: »
    lol.... thanks SB. Don't know why I had such a road block on that stuff.... I promise no more DNS questions!!

    Anytime, DNS causes many people issues. I sat with one of the guys in the office for 3 hours talking DNS. It was this session that enabled him to crack 70-292 (he had failed it twice before).