12.7 Troubleshooting nslookup Problems

DNS on Windows 2000, 2nd Edition
By Matt Larson, Cricket Liu
Chapter 12.  nslookup


The last thing you want is to have problems with your troubleshooting tool. Unfortunately, some types of failures render the troubleshooting tool mostly useless. Other types of nslookup failures are, at best, confusing because they don't give you any direct information to work with. While there may be a few problems with nslookup itself, most of the problems you encounter will be with name server configuration and operation. We'll cover a few odd problems here.

12.7.1 Looking Up the Right Data

This isn't really a problem, per se, but it can be awfully confusing. If you use nslookup to look up a type of data for a domain name and the domain name exists but no data of the type you're looking for exists, you'll get an error like this:

    C:\> nslookup
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    > movie.edu.
    *** No address (A) records available for movie.edu.

So what types of records do exist? You can use set type=any to find out:

    > set type=any
    > movie.edu.
    Server:  terminator.movie.edu
    Address:  192.249.249.3

    movie.edu       nameserver = terminator.movie.edu
    movie.edu       nameserver = wormhole.movie.edu
    movie.edu
            primary name server = terminator.movie.edu
            responsible mail addr = administrator.movie.edu
            serial  = 6
            refresh = 3600 (1 hour)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    movie.edu       MX preference = 10, mail exchanger = wormhole.movie.edu
    terminator.movie.edu    internet address = 192.249.249.3
    wormhole.movie.edu      internet address = 192.253.253.1
    wormhole.movie.edu      internet address = 192.249.249.1
    wormhole.movie.edu      internet address = 192.249.249.1
    wormhole.movie.edu      internet address = 192.253.253.1

Why are the IP addresses for terminator and wormhole returned? If you receive the NS records for movie.edu listing these two hosts as that zone's name servers, chances are the next thing you'll want are those hosts' IP addresses. The name server anticipates that and sends along address records in the Additional section. The same thing goes for the movie.edu MX record pointing to wormhole: if you get that record, you'll want wormhole's IP address next. That explains why wormhole's IP addresses show up twice, but this is arguably a bug in the Microsoft DNS Server.

12.7.2 No PTR Data for Name Server's Address

Here's a cryptic message:

    C:\> nslookup
    *** Can't find server name for address 192.249.249.3: Non-existent domain
    *** Can't find server name for address 192.249.249.3: Non-existent domain
    *** Default servers are not available
    Default Server:  UnKnown
    Address:  192.249.249.3

    >

The "Non-existent domain" message means that there's no PTR record for 3.249.249.192.in-addr.arpa. In other words, nslookup couldn't find the name for 192.249.249.3, which is the first name server the resolver is configured to query. The only reason nslookup looks up this address is to print the "Default Server" startup message. Obviously, this name server's data is messed up, at least for the 249.249.192.in-addr.arpa zone, so nslookup prints "UnKnown".

At least we've got the nslookup prompt: even if the server doesn't know its own name, it might still be able to answer other queries. This behavior is a vast improvement over the standard version of nslookup in the BIND distribution (the one shipped with most versions of Unix). That version of nslookup refuses even to run unless it can successfully reverse map the default server's IP address.

Still, the "Default servers are not available" message in the example is misleading. After all, a name server is there to say the address doesn't exist. More often, you'll see the error "timed out" if the name server isn't running on the host or the host can't be reached. Only then does the "Default servers are not available" message make sense.

12.7.3 Timeouts

What if your resolver is pointing to a name server that isn't running or a host that can't be reached? We kinda gave the answer away in the previous section, but here's what happens:

    C:\> nslookup
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 192.249.249.4: Timed out
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 192.249.249.4: Timed out
    *** Default servers are not available
    Default Server:  UnKnown
    Address:  192.249.249.4

    >

The resolver is configured to use the name server 192.249.249.4 (and only that name server). nslookup tries valiantly to contact it: it goes through its timeout sequence twice in an attempt to get the name server to reverse map its own IP address. Finally nslookup gives up, prints "UnKnown" for the default server, and gives you a prompt. You can't really do anything productive without changing servers at this point (after all, no server is running at that IP address), but at least you've got a prompt. Again, this is better than the standard nslookup, which would have dumped us back to the command line.

Note that if your resolver is configured to send queries to more than one name server, nslookup tries the servers in order until it finds one that responds:

    C:\> nslookup
    DNS request timed out.
        timeout was 2 seconds.
    *** Can't find server name for address 192.249.249.1: Timed out
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    >

Occasionally you'll see timeouts during the course of an nslookup session. If you are looking up some remote information, the name server could fail to respond because it is still trying to look up the item and nslookup gave up waiting. How can you tell the difference between a name server that isn't running and a name server that is running but didn't respond? Use the ls command to point out the difference. In this case, no name server is running, or the host couldn't be reached:

    C:\> nslookup
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    > ls foo.
    ls: connect: No error
    *** Can't list domain foo.: Unspecified error

If a name server is running, you'll see the following error message:

    C:\> nslookup
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    > ls foo.
    [terminator.movie.edu]
    *** Can't list domain foo.: Non-existent domain

That is, unless there's a top-level foo domain in your world.

12.7.4 Query Refused

You generally see a "query refused" error message under two conditions. The first is when you attempt a zone transfer and the server refuses for security reasons (for example, because you checked Only Allow Access From Secondaries Included on Notify List in the zone properties Notify window). This is what you'll see:

    C:\> nslookup
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    > ls movie.edu          (This attempts a zone transfer)
    [terminator.movie.edu]
    *** Can't list domain movie.edu: Query refused
    >

You might also see a "query refused" error from a name server running a recent version of BIND, which has the ability to restrict queries to different zones based on the querier's source IP address.

12.7.5 Unspecified Error

You may run into a rather unsettling problem called "unspecified error." We have an example of this error here:

    C:\> nslookup
    Default Server:  terminator.movie.edu
    Address:  192.249.249.3

    > set type=ns
    > .
    Server:  terminator.movie.edu
    Address:  192.249.249.3

    Non-authoritative answer:
    (root)  nameserver = NS.NIC.DDN.MIL
    (root)  nameserver = B.ROOT-SERVERS.NET
    (root)  nameserver = E.ROOT-SERVERS.NET
    (root)  nameserver = D.ROOT-SERVERS.NET
    (root)  nameserver = F.ROOT-SERVERS.NET
    (root)  nameserver = C.ROOT-SERVERS.NET
    (root)  nameserver = G.ROOT-SERVERS.NET
    (root)  nameserver = hpfcsx.fc.hp.com
    (root)  nameserver = hp-pcd.cv.hp.com
    (root)  nameserver = hp-ses.sde.hp.com
    (root)  nameserver = hpsatc1.gva.hp.com
    (root)  nameserver = named_master.ch.apollo.hp.com
    (root)  nameserver = A.ISI.EDU
    (root)  nameserver = SRI-NIC.ARPA
    (root)  nameserver = GUNTER-ADAM.ARPA

    Authoritative answers can be found from:
    (root)  nameserver = NS.NIC.DDN.MIL
    (root)  nameserver = B.ROOT-SERVERS.NET
    (root)  nameserver = E.ROOT-SERVERS.NET
    (root)  nameserver = D.ROOT-SERVERS.NET
    (root)  nameserver = F.ROOT-SERVERS.NET
    (root)  nameserver = C.ROOT-SERVERS.NET
    (root)  nameserver =
    *** Error: record size incorrect (1050690 != 65519)

    *** terminator.movie.edu can't find .: Unspecified error

What happened here is that there was too much data to fit into a UDP datagram. [1] The name server stopped filling in the response when it ran out of room. The name server didn't set the truncation bit in the response message, or nslookup would have retried the query over a TCP connection. The name server must have decided that enough of the "important" information fit. You won't see this kind of error very often. You'll see it if you create too many NS records for a zone, so don't create too many. (Advice like this makes you wonder why you bought this book, right?) How many is too many depends upon how well the names can be "compressed" in the message, which in turn depends upon how many name servers share the same domain in their domain name. The root name servers were renamed to all be in the root-servers.net domain for this very reason: more names fit in DNS messages if they share a common domain, which allows more root name servers to support the Internet. As a rule of thumb, don't go over 10 NS records.

[1] What are all those hp.com name servers doing in there? This example illustrates a problem besides just filling a UDP datagram: under some conditions, older BIND name servers can easily be contaminated with "bogus" root name servers. This output shows a query to such a name server.
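
The compression effect described in section 12.7.5 can be measured directly. The following Python sketch is an added example, not code from the book: it builds an NS response in DNS wire format with name compression, stops at the classic 512-byte UDP limit (RFC 1035, no EDNS0), and sets the truncation bit when records had to be dropped. The name server names, the 3600-second TTL and the message ID are constructed for illustration, and only the answer section is counted; address records in the Additional section lower the practical ceiling further.

```python
import struct

UDP_LIMIT = 512          # classic DNS-over-UDP payload ceiling (RFC 1035, no EDNS0)
TYPE_NS, CLASS_IN = 2, 1
QR, AA, TC = 0x8000, 0x0400, 0x0200   # header flag bits

def encode_name(name, msg, seen):
    """Append name to msg, replacing any already-written suffix with a 2-byte pointer."""
    labels = [l for l in name.lower().split(".") if l]
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if suffix in seen:
            msg += struct.pack("!H", 0xC000 | seen[suffix])
            return
        seen[suffix] = len(msg)          # remember where this suffix starts
        msg += bytes([len(label)]) + label.encode("ascii")
    msg.append(0)                        # root label ends an uncompressed name

def ns_response(zone, servers, limit=UDP_LIMIT):
    """Return (message, ns_records_included) for an NS answer capped at limit bytes."""
    msg, seen = bytearray(12), {}        # 12-byte header is filled in at the end
    encode_name(zone, msg, seen)
    msg += struct.pack("!HH", TYPE_NS, CLASS_IN)
    count = 0
    for server in servers:
        trial, trial_seen = bytearray(msg), dict(seen)   # copy: drop a whole RR on overflow
        encode_name(zone, trial, trial_seen)
        trial += struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, 0)  # assumed TTL, RDLENGTH=0
        rdata_at = len(trial)
        encode_name(server, trial, trial_seen)
        struct.pack_into("!H", trial, rdata_at - 2, len(trial) - rdata_at)
        if len(trial) > limit:
            break
        msg, seen, count = trial, trial_seen, count + 1
    flags = QR | AA | (TC if count < len(servers) else 0)
    struct.pack_into("!HHHHHH", msg, 0, 0x1234, flags, 1, count, 0, 0)
    return bytes(msg), count

def is_truncated(msg):
    """What a resolver checks before retrying over TCP: the TC bit in the header."""
    return bool(struct.unpack_from("!H", msg, 2)[0] & TC)

# Constructed name server sets (not from the book): one shared domain vs. scattered ones.
shared = [f"ns{i:02d}.movie.edu" for i in range(40)]
scattered = [f"dns{i:02d}.provider{i:02d}.example" for i in range(40)]

if __name__ == "__main__":
    for label, servers in (("shared", shared), ("scattered", scattered)):
        msg, n = ns_response("movie.edu", servers)
        print(f"{label}: {n} NS records in {len(msg)} bytes, TC={is_truncated(msg)}")
```

With these inputs, 25 NS records fit when every server name ends in the zone's own domain, against 15 when each server sits in its own domain.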




DNS on Windows 2000
ISBN: 0596002300
EAN: 2147483647
Year: 2001
Pages: 154
