Windows – How to trace the route of a DNS query

dnswindows 7

… up to the DNS server that answers it? When I use the public DNS server provided by Google (8.8.8.8), this is the DNS server reported by "nslookup" (8.8.8.8), however the www.dnsleaktest.com website shows a different IP number, actually two, 74.125.189.22 and 74.125.189.23. Is there a way to trace the route taken by the DNS query from 8.8.8.8 to 74.125.189.22, including other DNS servers eventually queried in-between? I tried nslookup's debug options, but there is no reference to 74.125.189.22 in the debug info.

Best Answer

Yes you can use dig +trace but it only works externally.

I do this on a daily basis at work. And I can tell you there is no tool that will 'trace' the path of DNS forwarding that happens in Enterprise environments.

There are two models of DNS traversal.

Root Hints and Zone Delegation
Conditional and Global Forwarding

Number 1 is how the public internet works. This is easy to trace. You can use

dig +trace

Number 2 is how internal DNS at companies works. This cannot be traced with a command

When I have to trace #2, I do it manually

Check ipconfig /all to identify my first hop DNS servers
Log in to the first hop DNS server (linux or windows)
Map out the zone specific forwarding rules, and the global forwarding
Use above rules to identify where queries go, for the domain I'm troubleshooting
Log in to the next server (in the forwarding path) and repeat
Until I hit the Authoritative Nameserver

Related Solutions

Windows using the DNS suffix search list on all lookups, even valid FQDNs. How to stop this

Well, I'm no expert, but here's what I found:

This registry entry works for both Windows XP and Windows Vista

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient]
"AppendToMultiLabelName"=dword:00000000

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName
Type = DWORD

Data:

0 (Do not Append Suffix)
1 (Append suffix)

If the registry entry is not present, the default in Windows XP is 1, and 0 in Windows Vista.

Note: This registry changes and its effect apply only to the ping command, they do not apply to the nslookup tool. This is because nslookup contains its own DNS resolver and does not rely on the resolver built into the operating system (DNS Client). The DNS (multi-label) query packets sent by the nslookup tool will append the domains listed in the suffix search order irrespective of the registry key settings mentioned here.

Reference: http://blogs.technet.com/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx

Networking – Google Public DNS is not used in trace route

You don't see the DNS request in traceroute. To see which DNS server is used, try nslookup:

# nslookup www.google.com
Server:         10.0.0.100
Address:        10.0.0.100#53

Non-authoritative answer:
Name:   www.google.com
Address: 173.194.75.106
Name:   www.google.com
Address: 173.194.75.147
Name:   www.google.com
Address: 173.194.75.99
Name:   www.google.com
Address: 173.194.75.103
Name:   www.google.com
Address: 173.194.75.104
Name:   www.google.com
Address: 173.194.75.105

Or:

# dig www.google.com |grep SERVER
;; SERVER: 10.0.0.100#53(10.0.0.100)

The Name and Address (or SERVER) part is your DNS server. Traceroute gives you the route from your IP to google, which of course will go through your ISP.

Best Answer

Related Solutions

Windows using the DNS suffix search list on all lookups, even valid FQDNs. How to stop this

Networking – Google Public DNS is not used in trace route

Related Question