How can I see why some DNS queries are failing?

DNS is a reasonably simple system, although it does have some specific quirks that can make troubleshooting difficult.

One way to troubleshoot DNS problems is to use Network Monitor or a similar packet-capture tool to capture the client's DNS queries. Also look for the DNS server's replies. If your network has a firewall, attempt to capture the requests and replies on both sides of the firewall. Figure 25.1 shows a sample DNS communication in Network Monitor; the top pane shows the flow of responses and queries, and the bottom pane shows the detail of one response.

Figure 25.1: Sample DNS query response.

Fortunately, there's not much that can go wrong with DNS, and examining these packets will allow you to quickly narrow the source of the problem. Check the following:

  • Is the packet making it through the firewall? Check captures from both sides for both the query and response. Queries will usually, although not always, be sent on UDP port 53; replies may come back on either UDP or TCP port 53. The DNS specification talks mostly about UDP for queries and responses, and so some firewalls might only allow UDP responses to come in. In the sample packet that Figure A shows, the IP line shows that this was sent via Proto=UDP, not TCP.
  • Is any response coming back? If not, there's obviously a DNS configuration problem. If negative (empty) responses are coming back, it's possible that one or more servers in a chain of forwarders isn't working. Try to capture packets from your internal DNS server to wherever it forwards packets, and check for responses.
  • Is the request properly formed? It's rare for it not to be, but compare suspect requests to those from computers that are working. Request packets are usually quite short.
  • Is the response properly formed, and does it contain accurate data? You can use the response that Figure A shows as a sample. The response should contain the original query (DNS Question Section) and a reply (DNS Answer section). The reply should contain at least one entry with a valid IP address; you can use ping or another utility to verify the IP address returned.


Nslookup is a command-line tool that is included with every Windows NT-based Windows operating system (OS) from NT 4.0 on up, and can be used to verify the workings of DNS. As Figure 25.2 shows, you can simply type any host or domain name to receive a list of records through DNS. This query shows a non-authoritative answer, meaning that the answer was provided from a DNS server other that's own authoritative one. The server delivering the answer was, which looks suspiciously like a gateway. The gateway probably forwarded the request to an ISP, which returned the reply. The actual record came from, which is a DNS hosting service that probably helps Microsoft load-balance its DNS requests. This illustration shows how most replies on most corporate networks are received.

Figure 25.2: Nslookup results.

Notice that the reply returned five unique IP addresses. It's likely that the DNS server is using round-robin to reorder these addresses on each query, helping to balance incoming traffic to this busy Web site. A second query, which Figure 25.3 shows, confirms this—notice that the first IP address in the second query was the second address in the first query.

Figure 25.3: Seeing round robin in action.

Nslookup can be a valuable tool for seeing the details of how DNS is working. You can type ? at any Nslookup prompt (>) for a list of available commands.