Troubleshooting DNS Servers
Applies To: Windows Server 2008
What problem are you having?
The DNS server is not responding to clients..
The DNS server does not resolve names correctly..
The DNS server appears to be affected by a problem for reasons not described here..
The DNS server is not responding to clients.
Cause: The Domain Name System (DNS) server is affected by a network failure.
Solution: Verify that the server computer has a valid functioning network connection. First, check that related client hardware (cables and network adapters) are working properly at the client by using basic network and hardware troubleshooting steps.
If the server hardware appears to be prepared and functioning properly, check that it has network connectivity by using the ping command to contact other computers or routers (such as its default gateway) that are used and available on the same network as the affected DNS servers.
Cause: The DNS server is reachable through basic network testing, but it is not responding to DNS queries from clients.
Solution: If the DNS client can ping the DNS server computer, verify that the DNS server is started and able to listen to and respond to client requests. Try using the nslookup command to test whether the server can respond to DNS clients.
For more information, see Start or Stop a DNS Server.
Cause: The DNS server has been configured to limit service to a specific list of its configured IP addresses. The IP address originally used in testing its responsiveness is not included in this list.
Solution: If the server was previously configured to restrict the IP addresses for which it responds to queries, it is possible that the IP address that are being used by clients to contact it is not in the list of restricted IP addresses that are permitted to provide service to clients.
Try testing the server for a response again, but specify a different IP address that is known to be in the restricted interfaces list for the server. If the DNS server responds for that address, add the missing server IP address to the list.
Cause: The DNS server has been configured to disable the use of its automatically created default reverse lookup zones.
Solution: Verify that automatically created reverse lookup zones have been created for the server or that advanced configuration changes have not been previously made to the server.
By default, DNS servers automatically create the following three standard reverse lookup zones based on Request for Comments (RFC) recommendations.
These zones are created with common IP addresses covered by these zones that are not useful in a reverse lookup search (0.0.0.0, 127.0.0.1, and 255.255.255.255). By being authoritative for the zones corresponding to these addresses, the DNS service avoids unnecessary recursion to root servers to perform reverse lookups on these types of IP addresses.
It is possible, although unlikely, that these automatic zones are not created. This is because disabling the creation of these zones involves advanced manual configuration of the server registry by a user.
To verify that these zones have been created, do the following:
Open DNS Manager.
On the View menu, click Advanced.
In the console tree, click Reverse Lookup Zones.
- DNS/applicable DNS server/Reverse Lookup Zones
In the details pane, verify that the following reverse lookup zones are present:
Cause: The DNS server is configured to use a nondefault service port, for example, in an advanced security or firewall configuration.
Solution: Verify that the DNS server is not using a nonstandard configuration.
This is a rare but possible cause. By default, the nslookup command sends queries to targeted DNS servers using User Datagram Protocol (UDP) port 53. If the DNS server is located on another network and is reachable only through an intermediate host (such as a packet-filtering router or proxy server), the DNS server might use a nonstandard port to listen for and receive client requests.
If this situation applies, determine whether any intermediate firewall or proxy server configuration is intentionally used to block traffic on well-known service ports that are used for DNS. If not, you might be able to add such a packet filter to these configurations to permit traffic to standard DNS ports.
Also, check the DNS server event log to see if Event ID 414 or other critical service-related events have occurred that might indicate why the DNS server is not responding.
The DNS server does not resolve names correctly.
Cause: The DNS server provides incorrect data for queries that it answers successfully.
Solution: Determine the cause of the incorrect data for the DNS server.
Some of the most likely causes include the following:
Resource records were not dynamically updated in a zone.
An error was made when static resource records were manually added or modified in the zone.
Stale resource records in the DNS server database that were left from cached lookups or zone records were not updated with current information or removed when they were no longer needed.
To help prevent the most common types of problems, be sure to first review best practices for tips and suggestions for deploying and managing your DNS servers. Also, follow and use the checklists that are appropriate for installing and configuring DNS servers and clients, based on your deployment needs.
If you are deploying DNS for Active Directory Domain Services (AD DS), note the new directory-integration features. These features can cause some differences for DNS server defaults—when the DNS database is directory-integrated—that differ from the DNS server defaults that are used with traditional file-based storage.
Many DNS server problems start with failed queries at a client. Therefore, it is often a good idea to start there and troubleshoot the DNS client first.
For more information, see Troubleshooting DNS Clients
Cause: The DNS server does not resolve names for computers or services outside your immediate network, for example, the names of computers or services that are located on external networks or the Internet.
Solution: The server has a problem with its ability to correctly perform recursion. Recursion is used in most DNS configurations to resolve names that are not located within the configured DNS domain name that is used by the DNS servers and clients.
If a DNS server fails to resolve a name for which it is not authoritative, the cause is usually a failed recursive query. Recursive queries are used frequently by DNS servers to resolve remote names that are delegated to other DNS zones and servers.
For recursion to work successfully, all DNS servers in the path of a recursive query must be able to respond to and forward correct data. If not, a recursive query can fail for any of the following reasons:
The recursive query times out before it can be completed.
A remote DNS server fails to respond.
A remote DNS server provides incorrect data.
Cause: The DNS server is not configured to use other DNS servers to assist it in resolving queries.
Solution: Check whether the DNS server can use both forwarders and recursion.
By default, all DNS servers are enabled to use recursion, although the option to disable its use is configurable in DNS Manager to modify advanced server options. The other possible situation in which recursion might be disabled is if the server is configured to use forwarders and recursion has been specifically disabled for that configuration.
If you disable recursion on the DNS server, you will not be able to use forwarders on the same server.
For more information, see Configure a DNS Server to Use Forwarders.
Cause: Current root hints for the DNS server are not valid.
Solution: Check whether server root hints are valid.
If they are configured and used correctly, root hints should always point to DNS servers that are authoritative for the zone that contains the domain root and top-level domains.
By default, DNS servers are configured to use root hints that are appropriate to your deployment, based on the following available choices when you use DNS Manager to configure a server:
If the DNS server is installed as the first DNS server for your network, it is configured as a root server.
For this configuration, root hints are disabled at the server because the server is authoritative for the root zone.
If the installed server is an additional DNS server for your network, you can direct the Configure a DNS Server Wizard to update its root hints from an existing DNS server on the network.
If you do not have other DNS servers on your network but you still need to resolve Internet DNS names, you can use the default root hints file, which includes a list of Internet root servers that are authoritative for the Internet DNS namespace.
Cause: The DNS server does not have network connectivity to the root servers.
Solution: Test for connectivity to the root servers.
If root hints appear to be configured correctly, verify that the DNS server that is used in a failed query can ping its root servers by IP address.
If a ping attempt to one root server fails, it might indicate that an IP address for that root server has changed. Reconfiguration of root servers, however, is uncommon.
A more likely cause is a full loss of network connectivity or in some cases, poor network performance on the intermediate network links between the DNS server and its configured root servers. Follow basic TCP/IP network troubleshooting steps to diagnose connections and determine whether this is the problem.
By default, the DNS service uses a recursive time-out of 15 seconds before failing a recursive query. Under normal network conditions, this time-out does not have to be changed. If performance requires it, however, you can increase this value.
To review additional performance-related information for DNS queries, you can enable and use the DNS server debug log file, Dns.log. This log can provide extensive information about some types of service-related events.
Cause: Other problems exist with updating DNS server data, such as an issue that is related to zones or dynamic updates.
Solution: Determine whether the problem is related to zones. As needed, troubleshoot any issues in this area, such as possible failure of zone transfer.
The DNS server appears to be affected by a problem for reasons not described here.
Cause: My problem is not described here.
Solution: Search TechNet (https://go.microsoft.com/fwlink/?LinkId=170) for the latest technical information that might relate to the problem. If necessary, you can obtain information and instructions that pertain to your problem or issue.
If you are connected to the Internet, the latest operating system updates are available at Microsoft Update (https://go.microsoft.com/fwlink/?LinkId=284).