ping -a w.x.y.z
Should resolve the name from the IP address if the reverse lookup zone has been set up properly. If the reverse lookup zone does not have an entry for the record, the -a will just ping without a name.
nslookup <ip>
Does what you're looking for. It will tell you the server you're querying and the result.
For example:
c:\>nslookup 192.168.101.39
Server: dns1.local
Address: 192.168.101.24
Name: enigma.local
Address: 192.168.101.39
Enable Debug Logging on the DNS server for this.
- Open DNS Manager from the Tools menu of Server Manager
- Right-click the DNS server in the left pane and click Properties
- Click the Debug Logging tab and check the Log packets for debugging checkbox
- To minimize the amount of data being logged, uncheck the following checkboxes:
  - Packet direction - Outgoing
  - Transport protocol - TCP
  - Packet contents - Updates
  - Packet type - Response
- In the Log file section, type a path and file name for the log. Alter the Maximum size (bytes) value if necessary.
- Click OK.
When the client queries the DNS server, you will see a line like the following in the log file (in this case the client performed a query for superuser.com):
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Rcv 10.10.10.100 000a Q [0001 D NOERROR] A (9)superuser(3)com(0)
The IP address after Rcv (10.10.10.100) is the IP address of the client that performed the query.
REMEMBER to disable Debug Logging on the DNS server when it is no longer needed, as it can affect the performance of the server.
DNS Logging and Diagnostics
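To turn a debug log like the one above into a per-client list of queried names (the step you need before you can say which machine is asking for what), here is an added Python parser; it is not part of the answer, and the sample log lines inside it are constructed in the same layout as the line shown above:

```python
import re

# Constructed sample in the layout of the Windows DNS server debug log shown above
# (two queries from one client, one from another, plus the server's own reply).
SAMPLE_LOG = """\
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Rcv 10.10.10.100 000a   Q [0001   D   NOERROR] A      (9)superuser(3)com(0)
16-07-2017 19:51:55 0DB4 PACKET 000000FA30FDFB60 UDP Snd 10.10.10.100 000a R Q [8081   DR  NOERROR] A      (9)superuser(3)com(0)
16-07-2017 19:51:57 0DB4 PACKET 000000FA30FDFC80 UDP Rcv 10.10.10.101 0b3c   Q [0001   D   NOERROR] AAAA   (4)dns1(5)local(0)
16-07-2017 19:51:58 0DB4 PACKET 000000FA30FDFD90 UDP Rcv 10.10.10.100 000b   Q [0001   D   NOERROR] A      (6)enigma(5)local(0)
"""

# One PACKET line: timestamp (locale dependent), thread id, packet pointer, transport,
# direction, remote IP, transaction id, optional flag letters, [header], query type, encoded name.
PACKET_RE = re.compile(
    r"^(?P<timestamp>.+?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+(?P<pkt>[0-9A-Fa-f]+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<flags>[RQ ]*?)\[(?P<hdr>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\(.*\(0\))\s*$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_name(encoded: str) -> str:
    """'(9)superuser(3)com(0)' -> 'superuser.com' (the log prefixes each label with its length)."""
    return ".".join(lbl for length, lbl in LABEL_RE.findall(encoded) if int(length) > 0)

def parse_packet_line(line: str):
    """Return a dict for a PACKET line, or None for any other line in the log."""
    m = PACKET_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["name"] = decode_name(rec["name"])
    rec["is_response"] = "R" in rec["flags"]   # 'R' marks a response, a bare 'Q' a query
    return rec

def queries_by_client(log_text: str) -> dict:
    """Map client IP -> [(qtype, name), ...] for queries the server received (Rcv, not a response)."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_packet_line(line)
        if rec and rec["dir"] == "Rcv" and not rec["is_response"]:
            out.setdefault(rec["ip"], []).append((rec["qtype"], rec["name"]))
    return out

if __name__ == "__main__":
    for ip, qs in queries_by_client(SAMPLE_LOG).items():
        print(ip, qs)
```

Point it at the log file path you configured in the Debug Logging tab; the same client IP showing up with hundreds of names per minute is the usual sign of a chatty or misbehaving host.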
We have been able to use this to log DNS activity on our DCs. We paired it with hourly log rotation based upon information found at http://support.moonpoint.com/blog/blosxom/2014/12/07#rotatednslog
We experienced issues with many of the DNS logs ending up as 0 byte files, and it didn't appear to be based upon activity because it could be in the middle of the night. I bumped up the DC from 4 to 6 GB RAM (kept 2 vCPU) and it hasn't been a problem for the 8 days since, so I think we're okay.
We store the logs on a dedicated volume in a NTFS compressed directory to save space. The size of each hourly log is ~ 300 MB before compression, and ~ 115 MB after NTFS compression.
Today I was trying to figure out what program was making so many blocked queries. It seems that I left uTorrent running in the background for days and forgot it was still running.
In the screenshot above you will notice that all the queries were a success, but the only queries that were actually allowed were OneDrive and the localhost of my Win 10 machine.
If you're interested in this program, it's called DNSLookupView.
http://www.nirsoft.net/utils/dns_lookup_view.html
DNSLookupView is a DNS tracing tool for Windows 10 that allows you to view the details of every DNS query sent through the DNS Client service of Windows. For every DNS query, the following information is displayed: Host Name, Query Type (A, AAAA, and so on), Query Status (Error or succeeded), Query Result, Query Timestamp, ID and name of the process that requested the DNS lookup.
Nirsoft makes several freeware tools; you can check them out here:
https://www.nirsoft.net/
More reading on DNSLookupView here:
https://www.ghacks.net/2021/08/12/log-all-dns-activity-on-your-windows-pcs-with-dnslookupview/
Windows queries DNS in this order:
- Hosts file
- Local DNS cache
- Preferred DNS servers
- Other DNS servers (Secondary, Tertiary, ...)
You can find out more about this behavior over at Microsoft (How DNS query works, Client features). Additionally, there's also a list of timeouts for DNS requests:
Value      Default value   Attempt
---------  --------------  --------------------------------------------------------
1st limit  1 second        Query the preferred DNS server on a preferred connection.
2nd limit  2 seconds       Query the preferred DNS server on all connections.
3rd limit  2 seconds       Query all DNS servers on all connections (1st attempt).
4th limit  4 seconds       Query all DNS servers on all connections (2nd attempt).
5th limit  8 seconds       Query all DNS servers on all connections (3rd attempt).
6th value  (Must be 0.)
Windows may log a DNS query timeout somewhere in the Event Viewer, I'm not sure about that. Wireshark mentioned by @BBlake probably is your best bet to quickly get your answer.
I guess the best solution is to go to dnsleaktest and click on Standard test. I use this method personally all the time.
Edit: Another method that I've recently started using is Cloudflare's DNS help page. Here, you can see the DNS server being used next to AS Name.
I have an ISP-provided DNS server, but I would like to know its IP address. How do I do that on Win11?
As mentioned in u1686_grawity's answer, nslookup from Windows Command Prompt does not work with mDNS.
To get the IP address of a device you can use the PowerShell command Resolve-DnsName <hostname>.
> Resolve-DnsName gp800-49d1a
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
gp800-49d1a.local AAAA 120 Answer fe80::e700:63f:1807:adf2
gp800-49d1a.local A 120 Answer 169.254.93.130
nslookup is exclusively a DNS client, not an mDNS client nor a generic hostname lookup tool. It completely ignores the whole "hostname lookup" system that the OS has, instead manually sending DNS packets to one server (the first server it finds in the OS-provided list).
The only reason it works in WSL is because you're talking to the DNS service ('Dnscache') running on the Windows host, which then proxies queries to all mechanisms it supports (including mDNS which is handled by 'Dnscache' on Windows).
Even in this case, however, the Linux nslookup still bypasses normal Linux hostname lookup, instead doing DNS manually, and it still thinks it is only talking unicast DNS to one specific server that it finds in /etc/resolv.conf; it only happens that that server performs this translation without nslookup's knowledge.
When you run it directly on Windows, however, that doesn't happen: nslookup talks to the DNS server at 8.8.8.8, and that server has no clue about your .local mDNS hostnames.
Spent all morning cleaning up a customer's misconfigured corporate DNS setup that was causing all sorts of havoc on their network. It wasn't behaving the way they expected with their domain, causing issues like not being able to access resources like printers or shares, or it only working randomly.
The root issue is they were attempting to add an external DNS entry as a backup DNS to the desktops, and that's what broke everything. (The actual problem they were trying to resolve was that their DCs were too slow and weren't reliable enough due to a hardware problem that we've now fixed.)
It's a common misconception that in Windows the DNS entries on the network adapters are active/passive, when that's not actually the default behavior. It's actually more akin to a broadcast: if the primary DNS doesn't answer, then Windows doesn't just send the request to the secondary, it will send the request to ALL DNS servers on all adapters and see who responds.
If you have an external DNS like 8.8.8.8 listed as secondary or tertiary, it can cause problems with the Domain. If the external DNS responds more quickly than your Domain Controllers (which was the case here), then Windows will start prioritizing sending requests to that external DNS server instead of to the DCs.
Since this customer's AD domain is the same as their website, the external DNS would respond with a public IP instead of the IP of the servers internally. That response then gets added to the DNS cache on the machine and stays there until it times out or is cleared.
Domain joined PCs should never use external DNS on their adapters, if you need redundancy you should have 2 Domain Controllers instead. (unless you're working remote obviously, but even then the VPN should force the machine to use internal DNS)
From the documentation:
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197552(v=ws.10)?redirectedfrom=MSDN
The DNS Client service queries the DNS servers in the following order:
The DNS Client service sends the name query to the first DNS server on the preferred adapter's list of DNS servers and waits one second for a response.
If the DNS Client service does not receive a response from the first DNS server within one second, it sends the name query to the first DNS servers on all adapters that are still under consideration and waits two seconds for a response.
If the DNS Client service does not receive a response from any DNS server within two seconds, the DNS Client service sends the query to ALL DNS servers on ALL adapters that are still under consideration and waits another two seconds for a response.
If the DNS Client service still does not receive a response from any DNS server, it sends the name query to all DNS servers on all adapters that are still under consideration and waits four seconds for a response.
If the DNS Client service does not receive a response from any DNS server, the DNS client sends the query to all DNS servers on all adapters that are still under consideration and waits eight seconds for a response.
If the DNS Client service receives a positive response, it stops querying for the name, adds the response to the cache and returns the response to the client.
If the DNS Client service has not received a response from any server within eight seconds, the DNS Client service responds with a timeout. Also, if it has not received a response from any DNS server on a specified adapter, then for the next 30 seconds, the DNS Client service responds to all queries destined for servers on that adapter with a timeout and does not query those servers.
If at any point the DNS Client service receives a negative response from a server, it removes every server on that adapter from consideration during this search. For example, if in step 2, the first server on Alternate Adapter A gave a negative response, the DNS Client service would not send the query to any other server on the list for Alternate Adapter A.
The DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.
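To make the documented step sequence concrete, here is an added Python model of it (not code from the post or from Microsoft): each step sends to the documented set of servers with the documented wait, the first positive answer wins, and a negative answer drops the whole adapter. It simplifies by treating latencies as fixed per server and by not modelling the 30-second adapter backoff or the speed-based reordering; the adapter names and server addresses in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Server:
    ip: str
    latency: Optional[float]    # seconds until it answers; None = never answers
    positive: bool = True       # False = name-not-found answer (negative response)

# Per-step waits from the documentation: 1 s, 2 s, 2 s, 4 s, 8 s.
STEP_WAITS = (1.0, 2.0, 2.0, 4.0, 8.0)

def resolve(adapters: dict, preferred: str):
    """Simulate one lookup. adapters: {adapter: [Server, ...]} in configured order.
    Returns (answering_ip or None, elapsed_seconds, [(send_time, adapter, ip), ...])."""
    active = {name: list(servers) for name, servers in adapters.items()}
    inflight = []        # (arrival_time, adapter, Server) for queries not yet answered
    sent = []
    now = 0.0
    for step, wait in enumerate(STEP_WAITS):
        if step == 0:    # first server on the preferred adapter only
            targets = [(preferred, active[preferred][0])] if active.get(preferred) else []
        elif step == 1:  # first server on every adapter still under consideration
            targets = [(a, s[0]) for a, s in active.items() if s]
        else:            # all servers on all adapters still under consideration
            targets = [(a, s) for a, srvs in active.items() for s in srvs]
        for adapter, srv in targets:
            sent.append((round(now, 2), adapter, srv.ip))
            if srv.latency is not None:
                inflight.append((now + srv.latency, adapter, srv))
        deadline = now + wait
        for arrival, adapter, srv in sorted(inflight, key=lambda x: x[0]):
            if arrival > deadline or adapter not in active:
                continue
            if srv.positive:     # first positive answer wins and is cached
                return srv.ip, arrival, sent
            active.pop(adapter)  # negative answer: drop every server on that adapter
        inflight = [x for x in inflight if x[0] > deadline and x[1] in active]
        now = deadline
    return None, now, sent       # timeout after the 8 s step

if __name__ == "__main__":
    # Constructed scenario from the post above: DC not answering, 8.8.8.8 listed as secondary.
    lan = {"Ethernet": [Server("10.0.0.10", None), Server("8.8.8.8", 0.02)]}
    print(resolve(lan, "Ethernet"))   # the external server answers at t = 3.02 s and is cached
```

With a healthy DC only the first send ever happens, which is why the misconfiguration stays invisible until the DCs start missing queries.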