Mark Minasi's Windows Networking Tech Page
Issue #94 Late November 2011

What's Inside

News
- Learn with My Seminars, Audio Recordings and More!
Tech Section
- Getting and Using DIG, a Great DNS Troubleshooter That Runs Rings Around NSLOOKUP
Conferences
To Subscribe, Unsubscribe, Read Old Newsletters or Change Your Email Address

News

Hi all —

Just about anybody who’s maintained networks for any time at all knows that when DNS stops working, so does just about everything else, and that's why most of us network troubleshooter types spend at least some time in every work year troubleshooting DNS. Furthermore, anyone who's ever tried to troubleshoot anything knows that trying to fix things with lousy tools takes longer and is more frustrating than trying to fix it with good tools... which is why it's so sad that the main troubleshooting tool built into Windows is nslookup. A fairly lame tool, nslookup isn't smart enough to use your alternate DNS server when your preferred DNS server is offline, is completely DNSSEC-dumb, and offers you essentially nothing in the way of useful packet-level information, to name just a few of its sins. If only there were a better tool... but aha, there is... and thereby hangs this tale. Before I can tell that tale, however, a word from our sponsor...

Current Seminars

The Complete Two-Day "Running an R2-Based Active Directory" Seminar Comes to Charlotte, San Francisco and Chicago in February, March and April at a Discount Rate, then Philadelphia and Phoenix

After a very successful one-day "beta" version of my new AD class (many thanks to our December attendees!), I got some material shaken down and found out what topics I needed to add to create a two-day AD class that you'll find a cost-effective use of your time. To kick off the new complete version of the class, I'm running sessions in Charlotte, SF and Chicago and knocking $100 off every seat.

As Active Directory enters its "tweens," most AD admins and managers have moved from "how do I design and set this up?" to "now that I'm in charge of somebody else's 10-year-old AD, how can I most easily and cheaply manage it, fix it, and streamline it?" I get (and answer) those questions all the time, and now I can answer them for you. Join me for a fun, fast-paced two day of AD setup, management, upgrading and troubleshooting. The course includes some in-depth DNS and AD troubleshooting, expert advice on safely virtualizing DCs, a practical, example-rich dive into solving AD admin problems with PowerShell, a quick review of the latest thinking on AD design and R2 upgrade, and in-depth discussions of R2's most significant "hey, I want that!" AD-related features. Everyone who's been asking for this class over the past year have been so patient that as a small "thank you," I'm running the first three sessions at $100/seat below the normal rate. The first run takes place in Charlotte (Feb 20-21), San Francisco (March 19-20), and Chicago (2-3 April), and if you're thinking of signing up, consider doing so early -- I was surprised to find that I had to close registration on the Seattle and New York classes last December. (The classes outgrew the hotel conference rooms we'd booked and there wasn't any place to move them to at that point.)

After those three "final intro" sessions, we're at the normal $995/seat price for the Philadelphia (May) and Phoenix (June) sessions. Phoenix, you keep telling me that you want me to bring a class to Arizona, you got your wish! Thanks.

Find the course outline here and then you can sign up here. I hope to see you in Charlotte, San Fran, or Chicago!

Three New Audio Sets

Many of you couldn't make it to my Win 7, R2 or Cloud Computing talks, so we've got them available as audio sets:

With the holidays just around the corner, could you possibly imagine a better stocking stuffer?

My Free Replacement for Steady State... Steadier State

I know that a lot of you really miss Steady State, the tool that lets you essentially create virtual machine "snapshots," but on a physical copy of Windows like a classroom lab PC, public library workstation, kiosk PC etc, and that lets you un-do all of the mess done to a Windows box in under four minutes with no admin interaction needed. So I created what I call Steadier State. Put it on a PC, get it the way you like it, and snapshot the machine. Then turn it loose on the public for as long as you like, and reboot it. One of the reboot options will be "Roll Back Windows," and if you choose that, then in under four minutes everything that the users did is completely un-done. Give it a try at http://www.steadierstate.com.

Getting and Using DIG, a Great DNS Troubleshooter That Runs Rings Around NSLOOKUP

For years, I’d always heard of a much more powerful DNS troubleshooting tool called DIG that the Unix folks used while looking down their noses and snickering at we poor Windows admin fools. (It's spelled like that because "DIG" stands for Domain Internet Groper." Don't ask.) The tales claimed that DIG made nslookup look pathetic and that Microsoft was going to include DIG in Windows Server 2003, which never happened, and then that it was to appear in Windows Server 2008, which never happened, and then in Windows Server 2008 R2, and, well, you see where this was going. So in early 2009, I thought it was just about time to see if I couldn't find a version of DIG that ran on Windows so that I could try it out for myself.

Here's what I found, and how to get started with DIG. (In case you haven't guessed, it's pretty neat.)

Getting DIG

You can't play with DIG until you get a copy of it, so here's where to find it, and by the way, it's free. DIG is part of the BIND suite of software, which is a free DNS server whose source code is hosted at isc.org. (The chances are good that most of you know this already, but forgive me for filling in to those who don't know it that BIND is by far the most popular DNS server software around, and comes both in Unix and Windows flavors. I did mention that it's free, right?) Our interest in the BIND software is not, however, to run a BIND server (although we could, even on an XP box) but instead to download the BIND software files and pick out just the files we need for DIG. Here's what to do.

Go to www.isc.org/downloads.
Look down the page a bit and locate the latest production version. As I write this, it's BIND 9.8.1-P1, but they update it regularly, so you may see a newer one. Look just below that for the hyperlink that says "Windows Download." Click on that and you'll be able to download a ZIP file.
Create a folder to receive the BIND files. I created and used a folder named C:\DIG, but you can use any folder name.
Put that folder on your system's path. If you haven't updated a path in a while, look (on Windows 7 and R2) in Control Panel / System and Security / Security / Advanced system settings / Environmental Variables, then under "System variables," find "PATH,"click "edit..." and, in the resulting dialog box, go the end of the current PATH string, type a semicolon and then the name of the folder that you just created, and then click OK.
Copy the BIND files to the folder that you just created. (C:\DIG in my example.)
Delete all but the following files:
- DIG.exe
- DIG.html
- lib*.dll (there will be eight of them in the latest version)
- vcredist_x86.exe
Run vcredist_x86.exe -- if you don't, you'll get an error about how DIG can't run because of a side-by-side error.

Your First DIG

Next, let's try it out by resolving the address for my Web site, www.minasi.com. The DNS address of my Web server is a tiny bit tricky as there aren't actually any machines on the web exactly named "www.minasi.com," just a machine with the name "web2.minasi.com" to which I've added a second name of www.minasi.com. (For those who haven't messed with DNS recently, recall that DNS calls any extra names that you give to a machine not its "host name" but instead "aliases" or "canonical names." Remember also that DNS abbreviates "canonical name" as CNAME, which is usually written in all caps.)

To try DIG out, just open a new command prompt window (so it's got the new path), and just type

DIG www.minasi.com

And, so long as you've followed the above steps, you'll see some output like this:

C:\>DIG www.minasi.com

; <<>> DIG 9.7.3-P1 <<>> www.minasi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21888
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;www.minasi.com. IN A

;; ANSWER SECTION:
www.minasi.com. 3600 IN CNAME web2.minasi.com.
web2.minasi.com. 3600 IN A 70.165.73.5

;; AUTHORITY SECTION:
minasi.com. 163676 IN NS netdoor.minasi.com.
minasi.com. 163676 IN NS web2.minasi.com.

;; Query time: 140 msec
;; SERVER: 24.178.162.3#53(24.178.162.3)
;; WHEN: Mon Jun 06 18:32:33 2011
;; MSG SIZE rcvd: 122

Yes, that's a lot of output, much of it fairly ugly, and I will explain it in this and future newsletters, but as you'll soon see, it's largely useful ugly output. If, however, you want "just the facts, ma'am," then add the optional value "+short," as in this output:

C:\>DIG www.minasi.com +short
web2.minasi.com.
70.165.73.5

I know that some of you are thinking, "hey, I want that '+short' option to be the default all the time, how do I do that?," and fortunately I have some good news. The DIG documentation says that you should be able to create a text file called "DIGrc" and fill it with any desired options and then place that in your home directory, and afterwards DIG will read and use those options. It doesn't exactly work that way, but it does work. Here's how you'd tell your copy of DIG to always use the +short option (and any others you like):

Create a file called ".digrc" and notice that it starts with a period and does not have an extension. Just to keep track of things, I put it in the same folder as I've got the DIG files which was, recall, C:\DIG.
Edit it as you'd edit any text file -- Notepad works fine -- and put an options on a line by themselves. To try it out, just put "+short" on a line by itself in .digrc.
Tell DIG where to find .digrc by creating another environment variable, "home," and point it to the folder containing .digrc, as in "set home=c:\dig" to point it (obviously) to the C:\DIG folder.

Run "dig www.minasi.com" again, and you'll see output as if you'd used +short. (My thanks to reader Ed Plate, who straightened me out on how to use digrc on Windows systems.)

Oh, and hey, just for comparison's sake and comic relief, let me include nslookup's output:

C:\>nslookup www.minasi.com
Server: vip01spbgsc.spbg.sc.charter.com
Address: 24.178.162.3

Non-authoritative answer:
Name: www.minasi.com.minasi.com
Addresses: 184.106.31.166
204.232.162.92

Nope, I didn't fake that and in truth most of the blame for that ridiculous result must be laid at the feet of some nimrod at my ISP who configured their DNS server, but their misconfiguration didn't confuse DIG ... just poor dumb nslookup.

Reading DIG Output: What to Watch, What to Ignore (for Now)

Yes, the output from the DIG command is a mite scary at first, as it has the Unix-y air of "if you don't immediately understand this, you're probably not meant to be using this tool and you probably don't even have a ponytail like all good Unix administrators do," but I promise, it won't be all that bad once we've picked it apart, which we're about to do. I will dissect all of the output in future newsletters -- trust me, to know DIG is to love it -- but for now, here are the high points to look for:

Two items, "got answer" and "status: NOERROR," that tell you that the mission was accomplished.
The answer to your question, which was after all the point of the command.
The server that got you the answer.

Here's where to find those things on a DIG output of a more interesting DNS lookup, for www.microsoft.com:

Fairly high up on the DIG output, we see the first bit of good news, "Got answer" instead of something like "connection timed out; no servers could be reached." Thus, if we were to query DIG for information about some nonexistent domain like www.aslfkheoiwfh.com and DIG found a working DNS server that said, "nope, there's no domain like that," then we'd still get the response of "Got answer."

The second bit of useful information is "status: NOERROR," which means pretty much what it says. If I'd queried for a DNS record that didn't exist like the www.aslfkheoiwfh.com example I cited before, then again I'd see a "Got answer" but the status would be "NXDOMAIN" which means "nonexistent domain." (Yes, www.whatever is an A record, not a domain, but that's the name of the error that the low-level DNS protocol specifies when you ask for pretty much anything that doesn't exist, and DIG's output cleaves close to the the low-level DNS output.)

Third, there's the answer to your question, which appears in something called the "answer section," which seems, well, kind of well-named. It offers three aliases -- CNAMEs -- chained together, as the actual answer to "what's the IP address associated with www.microsoft.com?" is apparently not a simple one, as

Looking up "www.microsoft.com" yields the answer that it's actually an alias for toggle.www.ms.akadns.net
Looking up toggle.www.ms.akadns.net yields the answer that it is actually an alias for g.www.ms.akadns.net
Looking up g.www.ms.akadns.net reveals that it is an alias for yet another name, lb1.www.ms.akadns.net
Finally, looking up lb1.www.ms.akadns.net returns that is (finally) not an alias but instead a true "A" (address) record, pointing to 207.46.131.43.

Lastly, "SERVER: 10.50.50.4#53..." shows that the DNS server that answered DIG's request lives at that IP address. The "#53" means that DIG communicated with that DNS server on the server's port number 53, the standard DNS port.

DIG knew to query that DNS server because, again by default DIG sends any DNS requests to your computer's preferred DNS server first, then its first alternate DNS server (if any), then the second alternate (if any), and so on. As I've mentioned before, that's one way that DIG's more useful than nslookup. Nslookup just tries your preferred DNS server and if that one's not available, nslookup just gives up. Once, a friend called me up in a panic, explaining that he'd configured two DNS servers for his company -- call them dns1.bigfirm.com and dns2.bigfirm.com -- and that he'd set up DHCP to make dns1.bigfirm.com everyone's preferred DNS server and dns2.bigfirm.com everyone's alternate DNS server. He then explained that "at that point, everything was working fine, but I wanted to be sure that I'd set up DNS right, so I shut down dns1.bigfirm.com and tried looking up the IP address of www.google.com ... and it failed. Why isn't my workstation knowing to use dns2.bigfirm.com?" I thought about it for a moment and asked him how he'd looked up the Google IP address, and by now you've guessed that he used nslookup. Had he merely fired up a copy of Internet Explorer and pointed it at www.google.com, then IE -- which is built atop Windows components that are smarter than nslookup's -- would have seen that the preferred DNS server wasn't available and would have seamlessly moved to the alternate DNS server.

Specifying a Different DNS Server

There's much more that you can do with DIG than just simple lookups like "DIG www.microsoft.com." A more general description of its syntax looks like

DIG [@dns-server-to-use] record-to-look-up [type-of-record-to-look-up] [options]

And in case you've forgotten your Backus-Naur formats, the stuff in square brackets is optional. As you've already read, you don't have to tell DIG what DNS server to send its queries to, as it uses the ones you got from DHCP or that someone statically assigned. But if you wanted to tell DIG to do that microsoft.com query on a particular server, like my DNS server at 70.165.73.5, then you'd override its choice of DNS servers by specifying that server prefixed by an "@," like this:

DIG www.microsoft.com @70.165.73.5

DIG doesn't care about the order of the "@server" and the query, and so this syntax works just as well:

DIG @70.165.73.5 www.microsoft.com

In the unlikely event that your DNS server doesn't receive requests on the standard port 53, you can tell DIG to query the DNS server on an alternate port with the -p option. So if my DNS server listened on port 60 -- it doesn't -- then you could query it like this:

DIG -p 60 www.microsoft.com @70.165.73.5

Of course, this would work:

DIG -p 53 www.microsoft.com @70.165.73.5

As before, you can rearrange the -p 53, the www.microsoft.com, and the @70.165.73.5 in any order that you like. I use the @server option now and then when I need to test changes I've made to my DNS servers from the point of view of an outside visitor. For example, I recently decommissioned one of the minasi.com DNS servers. As I run those servers, any workstations that I sit down at will use the actual authoritative minasi.com DNS servers as their preferred DNS server, which means that any sort of name resolution tests on changes to minasi.com are always going to work, even if I've screwed up something over on the .com DNS servers. In that case, I should try to resolve www.minasi.com for test purposes, but to do that, I've got to run the tests from a DNS server outside of my network, and the @server feature lets me do that easily. (By the way, nslookup lets you do this as well by following the query with the name or IP address of the desired DNS server, as in "nslookup www.minasi.com 70.165.73.5" -- again, the order doesn't matter.)

Telling DIG to Query a Particular Record Type

Most of the time, we're looking for an address ("A") record, the type that reports the IP address corresponding to a particular host name. But sometimes we want to find MX, SOA, CNAME or the like records. In that case, type the desired record type after the record you're querying. For example, the following two queries return the SOA record and then the MX records for minasi.com:

DIG minasi.com SOA

DIG minasi.com MX

Getting More DIG Help

Normally you'd expect a command-line tool to return help if you typed something like "DIG /?," "DIG -?" or something of the like, but DIG wants -h as in

DIG -h

I hope that'll get you a good start in using and understanding DIG. I'll cover more DIG in the next newsletter... see you then!

Mark's upcoming conference appearances

Conferences

TechDays SF -- March 22 in San Francisco

The Pac IT Pros guys and in particular my buddy Ed Horley have invited me to talk at their neat two-day talk in late March. I'll be doing "10 Things You Don't Know About Windows Server 2008 R2," my Windows Server 8 talk and the award-winning DNS troubleshooting talk. Info here:

http://techdays.org/2012/01/techdays-sf-march-22-and-23rd-2012/

Windows Cloud Connections, Las Vegas March 26-29 2012

The Connections folks have assembled a show that is, as you can tell, cloud-focused, featuring folks like my friends Brian Desmond, Paul Thurrott, Sean Deuby, Don Jones, Jim McBee and others (as well as me) talking about cloud and cloud-related technologies. I'll be doing my "Windows 8: A Report from the Future" keynote, as well as my DNS troubleshooting talk (just try to get your cloud stuff working when DNS is broken, as, um, Microsoft found out last year in their cloud offering) and my popular IPv6 talk (where do you think we're going to get the addresses we'll need for all those cloud servers now that we're out of IPv4 addresses?).

Find out more at http://cloudconnections.com/shows/sp2012/default.aspx?s=187.

The 6th Annual Minasi Forum Conference, Virginia Beach April 29-May 2 2012

We took a year off but we're back! Ten years ago, I started my online forum at www.minasi.com/forum and am blessed with a globe-spanning array of very smart and helpful folks. Six of the past seven years, we've met in Virginia Beach to network and present some great topics. We've got some big names -- Mark Russinovich will Skype in to talk to us about Azure, PowerShell Gods Don Jones (who's keynoting and doing some PS stuff) and Ed Wilson, The Scripting Guy will talk about, well, PowerShell -- but that's not all. This conference is also a chance for some of our forum members, most of whom aren't "big names" but who spend their days in the trenches, to talk about the things that they know inside and out. You may not yet know James Summerlin, Anne O'Day, Stacy Hein, Dennis Olidis, Curt Spanburgh, Jim Vigotti, Dave Bison, Eric Rux and others ... but you will once you've heard their great coverage of SQL, SharePoint, Sysinternals system repair tools, AppV and other topics. (There's also a rumor that I'm going to do a session or two.) What you may like best of all, however, is the price -- $450. Find out more at www.minasiconference.com.

Microsoft TechEd Orlando June 11-14 2012

Microsoft's big show returns to Orlando with lots and lots of sessions about Windows 8, the cloud, and a bunch of developer stuff that I only kind of understand. This year, they've tapped me to do my "Clouds and Your Organization: A (Former) Professional Economist's View for IT Pros" talk, so if you're in Orlando, please come by and say hi!

http://northamerica.msteched.com

To Subscribe/Unsubscribe, Read Old Newsletters or Change Your Email Address

To subscribe, visit http://www.minasi.com/nwsreg.htm. To change e-mail or other info, link to http://www.minasi.com/edit-newsletter-record.htm. To unsubscribe, link to http://www.minasi.com/unsubs.htm. Visit the Archives at http://www.minasi.com/archive.htm. Please do not reply to this mail; for comments, please link to http://www.minasi.com/gethelp.

Mark Minasi's Windows Networking Tech Page Issue #94 Late November 2011