How can I verify Windows DNS forwarders are working?

Question

I thought I knew how to do this, but I guess not.

Even the d2 debugging in nslookup doesn't show the actual forwarder being queried.

So...let's say I set up DNS forwarders in a Windows DNS server and then query using nslookup (or something else?) that server for an external FQDN like "www.purpleflowers.com".

Can I actually see where the Windows DNS server is querying its forwarder, which forwarder it ended up using, and the response from that forwarder?

Why would you expect debugging in `nslookup` to show this? The forwarding is being done by the server, not the client. — Barmar, Jun 06 '17 at 18:26
Can you turn on query logging on the servers you're forwarding to? — Barmar, Jun 06 '17 at 18:27
@Barmar - the forwarders are at OpenDNS...not something I can administer. — TheCleaner, Jun 06 '17 at 18:49
Try this using ETW: https://stackoverflow.com/a/34518185/843000 haters gonna hate. — mbrownnyc, Jun 06 '17 at 19:17

score 8 · Answer 1 · edited Jun 02 '17 at 18:39

8

Can I actually see where the Windows DNS server is querying its forwarder, which forwarder it ended up using, and the response from that forwarder?

I am not aware of any logs that would give you that detail. But you could always start a packet capture filtering for DNS traffic. You should see the requests come in from your clients, and requests going out to your configured forwarders for requests that couldn't be answered from the cache.

edited Jun 02 '17 at 18:39

Mark Henderson

68,316
31
175
255

answered Jun 02 '17 at 17:04

Zoredache

128,755
40
271
413

Thanks Zoredache...that's what I figured but had a little hope that my Google-Fu was failing me. I'll grab a packet capture and edit your answer with that info sometime this week. (BTW, in my particular case, we were switching to OpenDNS and Umbrella. They have a "verify" page that basically verifies they are receiving DNS queries from your WAN IP. That's good enough for me, but the question is still relevant for others that don't use them) – TheCleaner Jun 05 '17 at 12:37

score 2 · Answer 2 · answered Jun 02 '17 at 16:52

DNS packages doesn't contain information about its source and destination they are doing automatically using the DNS query cascade.

What you can do to know if it's working the forwarders or not is to set up a client with the Windows Server DNS IP as only DNS.

Make sure to clean up the cache by executing (ipconfig /flushdns) on client.

Then try without any forwarder configured it, you should have issues to hit external sites. (remember that there's cache information involved in client and in server too that needs to be cleaned up).

Then try using one forwarder like 8.8.8.8 and you should be able to reach the sites, but the specific ip of what DNS server is being queried you won't be able to get that information since in the networking level there's no such information.

Here's an interesting question related to what you want: https://www.experts-exchange.com/questions/24079211/How-can-I-trace-the-DNS-forwarder-query-from-my-Server.html

Jose, I appreciate the answer but this part `Then try without any forwarder configured it, you should have issues to hit external sites.` isn't true. Most of our DNS servers aren't configured with forwarders but simply use the Root Hints servers as their non-authoritative lookup. You should edit that part out (or I can) to not confuse others. — TheCleaner, Jun 05 '17 at 12:34

How can I verify Windows DNS forwarders are working?

2 Answers2