In any enterprise, DNS services are a crucial backbone for network connectivity. DNS is used for name resolution, allowing one client to locate another client. If DNS fails, it will disrupt connectivity to the Internet. In this article, we’ll consider some common issues caused by misconfiguration of DNS.
Incorrect Configuration of Primary/Secondary Zones
Creating a new zone, whether primary or secondary, is just a matter of few clicks. However there are other settings that you might want to check to ensure that DNS is working properly.
Zones are not replicating
You have created a new zone, but for some reason it is not replicating with the primary zone. There might be many reasons for this, but here are some possibilities:
- Zone Transfers are enabled and the secondary DNS server IP is not specified. As a best practice, it is always recommended to specify the IP addresses of the servers that will need to download the zone data from the primary zone. See Figure 1.
- Secure Dynamic Updates are enabled, and the secondary zone does not have Active Directory DNS Integrated Zones configured. Secure Dynamic Updates only works if both DNS servers are running in Active Directory Integrated DNS Zones. If either the DNS server is not on Active Directory Integrated DNS Zones, or running on BIND (Linux), then Dynamic Updates need to be set to Non-Secure. See Figure 2.
Figure 1: Zone Transfers is enabled and only replicating to a specific server.
Figure 2: Dynamic Updates is set to Secure by default for Windows Server DNS.
Users are not able to do DNS queries from your DNS Server
You have done the basic troubleshooting, and users were able to ping to the DNS server with response. However when they tried to query specific DNS zones which is hosted on your DNS server, it fails. In this case, you might want to check:
- The “Everyone” group does not have read permission for the zone. Due to misconfiguration, the “Everyone” group might not have the necessary permission entries for the DNS zone. See Figure 3.
Figure 3: Everyone group has permission to read and list the content of the Zone
User PCs are not registering into the DNS zone
A user’s PC is able to connect to the network, but the computer name does not get registered in the DNS server. Three common possibilities are:
- The TCP/IP settings properties window does not have Register this connection’s addresses in DNS selected. This option will ask the DNS client to register the computer name into the DNS server. See Figure 4.
- Authenticated Users group does not have the correct permission set for the DNS zone. Authenticated Users group needs to have the permission to create child objects for the DNS zone. See Figure 5.
- DNS Dynamic Updates is not enabled in DHCP settings. To be exact, the DNS client will ask the DHCP Server to create an A and PTR record in the DNS Server. Hence, the DHCP Server will need to have the Enable DNS dynamic updates according to the settings below selected. See Figure 6.
Figure 4: Register this connection’s addresses in DNS must be selected.
Figure 5: Authenticated users group must have permission to Create All Child Objects, else it will not create an A record in the DNS Server.
Figure 6: Enable DNS Dynamic Updates in DHCP settings.
DNS Server configuration
If the DNS server is not configured properly, the entire DNS service will be affected. Here are some common configuration issues administrators should look out for:
DNS queries not responding with any response
Assuming that Internet connectivity from the DNS server to the outside world is still good, the problem could lie with the forwarder or root hints. Here’s why:
- Forwarder DNS servers are down. Depending on your network configurations, you might have set up forwarder DNS. If all of the forwarder DNS servers are down, this will affect the DNS server at your site. See Figure 7.
- Root Hints are missing. Or root hints servers are down. Root hints allow DNS queries to be resolved by using the Root DNS Server, without using an intermediate DNS server, or a forwarder. See Figure 8.
Figure 7: Configure Forwarders in DNS Server.
Figure 8: Root Hints name servers are shown in this list.
DNS is Important
DNS is crucial in every corporate environment, whether for internal or external hostname resolution. The above configuration issues are not exhaustive, but do include some of the most common problems administrators miss during routine monitoring and troubleshooting. Do you have any other DNS tips that you would like to share? Post them below!