1. Configuring DNS for nslookup
Although you can do some basic checking of records with
nslookup
, some attempts to transfer zone data will fail unless the DNS server is configured to allow zone transfers.
As an example, consider the following code listing. The
ls -d pearson.pub
command queries the DNS server for a listing of all records in the pearson.pub domain. However, it fails because zone transfers are not allowed to the computer where the
nslookup
command is issued from.
C:\>nslookupDefault Server: dc1.pearson.pubAddress: 192.168.1.5> ls -d pearson.pub[dc1.pearson.pub]***
Can't list domain pearson.pub: Query refusedThe DNS server refused to transfer the zone pearson.pub to yourcomputer.
If this is incorrect, check the zone transfer securitysettings for pearson.pub on the DNS server at IP address 192.168.1.5.
Tip
The words “Query refused” are a direct indication that zone transfers aren’t allowed for this computer.
You can resolve this issue by adding the computer to the list of servers where zone transfers are allowed.
Figure 1 shows the screen where you can add a computer to this list. In the figure, a computer named win7pcg has been added.
nslookup
zone transfer commands issued from this computer will now succeed.
You can access the screen shown in
Figure 1
with these steps:
Steps
|
Comments
|
1. Launch the DNS console from the
Administrative Tools
menu.
|
Click
Start
,
Administrative Tools
,
DNS
.
|
2. Expand the server and Forward Lookup Zones. Right-click the zone you want to modify and select
Properties
.
|
The DNS console remembers the last view so this might be expanded already.
|
3. Select the
Zone Transfers
tab.
|
The view will be similar to
Figure 6-4
.
|
4. Ensure
Allow Zone Transfers
is selected.
|
You can choose to allow zone transfers to any server (not recommended for security reasons), only to servers on the
Name Servers
tab (DNS servers with an NS record), or to servers that you add. Click the
Edit
button to add servers if you choose the last option.
|
2. Using nslookup Without PTR Records
If the DNS server doesn’t have a PTR record for the DNS server, you receive an error when using nslookup. Although this looks serious, it isn’t. You’re still able to determine whether records exist on the DNS server with nslookup.
The following table shows what you see if the DNS
server doesn’t include a record for the DNS server but does include an A
record for a queried host.
nslookup Responses Without PTR Records | Comments |
---|
C:\Users\Administrator>nslookup
Default Server: UnKnown
Address: 192.168.1.5
| In
this example, the PTR record for dc1.pearson.pub is deleted. Although
the IP address of the DNS server (192.168.1.5) is still known, it can’t
resolve the IP address to the name of the DNS server, so the default
server is listed as UnKnown. |
>web1
Server: UnKnown
Address: 192.168.1.5
Name: web1.pearson.pub
Address: 192.168.1.41
| However, DNS can still resolve the name (Web1) to an IP address. The results of the Web1
query again show that the name of the DNS server is unknown, but it
successfully shows the correct IP address (1921.68.1.41) of the Web1
server.
If you’re focused only on seeing whether DNS can resolve Web1 to an IP
address, this Unknown response can be ignored. If you’re managing the
DNS server, you might want to create the PTR record for the DNS server. |
3. Using nslookup Without a Reverse Lookup Zone
nslookup works if a
reverse lookup zone doesn’t exist on the DNS server, but it gives some
errors. The following table shows what you can expect if the DNS server
doesn’t have a reverse lookup zone.
nslookup Responses Without a Reverse Lookup Zone | Comments |
---|
C:\Users\Administrator>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.1.5
| This
DNS request timed out looks like you have serious problems, but it just
indicates that the reverse lookup zone is deleted. Because reverse
lookup zones are optional, this time out message can be ignored.
Your system still has an IP address of the DNS server (192.168.1.5 in
the example), but it can’t resolve it to a name because the reverse
lookup zone (and its associated PTR record) does not exist. |
> web1
Server: UnKnown
Address: 192.168.1.5
Name: web1.pearson.pub
Address: 192.168.1.41
| However,
even if the reverse lookup zone doesn’t exist, DNS still resolves the
name of hosts to IP addresses (as long as it has the associated A
records).
This example shows that the name of the DNS server is unknown but it
still resolves web1 to the correct IP address. |