DNS Troubleshooting Tools: Allegro DNS Analysis

1. What is DNS?

DNS troubleshooting tools play a crucial role in managing DNS, an essential service in IP-based networks and a core component of the Internet. All exchange partners on the Internet rely on IP addresses to communicate, using these numerical labels to network with each other. Users can conveniently make requests by entering domain names instead of remembering the lengthy IP addresses consisting of numbers and dots. When a request is made, DNS servers translate the domain name into numbers, directing users to the appropriate source server. The process also operates in reverse, resolving IP addresses to domain names; this is known as reverse lookup.

DNS is an abbreviation for “Domain Name System”, and the function of DNS can be likened to a phone book. It manages the assignment between domain names and IP addresses, just like a classic phone book between names and phone numbers.

Figure 1: DNS is the “phone book of IP addresses”

The domain name space has a tree-like structure, as depicted in the left image. The leaves of this tree represent labels, which are strings of characters, each ranging from 1 to 63 bytes, and are separated by dots. DNS troubleshooting tools are invaluable in navigating and resolving issues within this structure. Technically, a domain ends with a dot, although this dot is typically omitted when typing; formally, it is part of a complete domain name. A complete domain name, or fully qualified domain name (FQDN), consists of the concatenation of all labels along a path. For instance, our complete domain name is allegro-packets.com. An FQDN, including all the dots, must not exceed 255 bytes. DNS troubleshooting tools help ensure that FQDNs are correctly configured and resolve as expected within this structured system.

Domain names are always parsed from right to left. This means that the further to the right a label is, the higher it is in the tree. The dot at the end of the domain name separates the first level of labels from the root. The first level is the top-level domain. This diagram illustrates the tree structure of domains.

Figure 2: Fully qualified domain name
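The label and name limits above are enforced where a name is encoded for transmission: each label is preceded by a length octet that takes the place of the dot, and a zero octet stands for the root. The following is an added example, not part of the original article or of any Allegro product; the function names `to_wire` and `hierarchy` are hypothetical.

```python
# Added example: encode a domain name into DNS wire format and enforce
# the label (1-63 bytes) and total-name (255 bytes) limits.

MAX_LABEL = 63
MAX_NAME = 255  # length octets + label octets + terminating root octet


def to_wire(name: str) -> bytes:
    """Return the wire encoding of `name`; raise ValueError if it is invalid."""
    text = name[:-1] if name.endswith(".") else name  # trailing dot = root
    labels = text.split(".") if text else []
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label {label!r} must be 1-{MAX_LABEL} bytes")
        out.append(len(raw))  # the length octet takes the place of the dot
        out += raw
    out.append(0)  # zero-length root label ends every complete name
    if len(out) > MAX_NAME:
        raise ValueError(f"name is {len(out)} bytes on the wire, limit {MAX_NAME}")
    return bytes(out)


def hierarchy(name: str) -> list[str]:
    """List the zones from the top-level domain down, reading right to left."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


if __name__ == "__main__":
    print(to_wire("allegro-packets.com").hex())
    print(hierarchy("www.allegro-packets.com"))
```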

2. What problems can cause packet loss in DNS?

When a DNS request cannot be resolved, users often say that there is a problem with the network. If an incorrect DNS server is used, even the network administrator will find it difficult to detect this failure. Failures within the network IT infrastructure can lead to considerable costs, and corruption of DNS data can become a starting point for attacks.

DNS is a sensitive protocol when it comes to packet loss. When the “Internet is not working”, DNS can break due to packet loss and cause errors or outages in various scenarios. For example, websites cannot be accessed, emails cannot be sent, images cannot be uploaded, or streams cannot be started. This type of error occurs if DNS packet loss makes it impossible to determine the IP address of the server. Having this basic information makes troubleshooting easier, because you save time, money, and frustration if it is clear where to look for the error.

As a transport protocol for transmitting data, DNS mainly uses UDP; if the maximum capacity of 512 bytes for UDP packets is exceeded, it uses TCP, which is not uncommon. So why does this limitation still exist? The UDP payload limit is related to IPv4.

If a transfer via TCP is attempted although TCP is blocked, the request must still be answered via UDP, even though the maximum packet size is exceeded. This becomes a problem and causes packets to be dropped. The result is incorrect DNS name resolution or even unresolvable domains, and services, applications and the “Internet” run slowly or do not work at all.
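The failure described above can be spotted in a capture by looking for UDP answers that are marked truncated (TC flag) or exceed 512 bytes and are never followed by an answer over TCP. The following is an added example, not Allegro code; the event tuple format, `make_msg` and the sample capture are constructed for illustration, and the check treats 512 bytes as the UDP limit as the text does (EDNS0, which can negotiate larger UDP payloads, is ignored).

```python
import struct

UDP_LIMIT = 512          # DNS-over-UDP payload limit named in the text
QR, TC = 0x8000, 0x0200  # header flag masks: response, truncated


def parse(msg: bytes) -> dict:
    """Decode the DNS header flags and the first question name."""
    if len(msg) < 12:
        raise ValueError("shorter than a 12-byte DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, pos = [], 12
    while pos < len(msg) and 0 < msg[pos] <= 63:   # zero octet ends the name
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii", "replace"))
        pos += 1 + msg[pos]
    return {"id": txid, "response": bool(flags & QR), "truncated": bool(flags & TC),
            "qname": ".".join(labels).lower(), "size": len(msg)}


def stalled_lookups(events):
    """Return sorted (client, qname) pairs whose UDP answer was truncated or
    oversized and that never got an answer over TCP.
    events: (transport, client_ip, dns_message) in capture order; TCP
    messages are passed without their 2-byte length prefix."""
    pending = {}
    for transport, client, msg in events:
        m = parse(msg)
        if not m["response"]:
            continue
        key = (client, m["qname"])                  # TCP retry may use a new ID
        if transport == "tcp":
            pending.pop(key, None)                  # TCP fallback completed
        elif m["truncated"] or m["size"] > UDP_LIMIT:
            pending[key] = m["size"]                # answer did not fit in UDP
    return sorted(pending)


def make_msg(txid, flags, qname, pad=0):
    """Build a constructed message: header, one A/IN question, zero padding."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + q + b"\0\x01\0\x01" + bytes(pad)


# Constructed capture: client .10 falls back to TCP, client .11 never gets one.
SAMPLE = [
    ("udp", "192.0.2.10", make_msg(1, QR | TC, "big.example.com")),
    ("tcp", "192.0.2.10", make_msg(7, QR, "big.example.com", pad=900)),
    ("udp", "192.0.2.11", make_msg(2, QR | TC, "big.example.com")),
    ("udp", "192.0.2.11", make_msg(3, QR, "small.example.com")),
]
```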

3. Analyzing DNS with Allegro Network Multimeter

Starting with firmware version 3.0, it is possible to inspect more DNS details, making it easier to detect errors. For example, it is possible to view more statistics about response times, status, frequency of requests and how often they were answered (or not answered). It is no longer necessary to spend a long time inspecting pcaps to find errors. With the Allegro DNS module, the number of searches is reduced and different DNS statistics can be called up directly. DNS analysis can be performed in real time or at selected time intervals.

4. DNS module introduction

The DNS module stores the last announced IP address for each domain name. Due to load balancing mechanisms of content delivery networks, for example, and virtual hosting, one name can be resolved to multiple IP addresses. In addition, one IP address can also be used for multiple names. The Allegro dashboard always shows the latest information seen on the network.

The DNS module consists of five tabs: DNS Server, Resolved Domain Name, Server Response Time, Server Response Code, and DNS Record Type.

4.1. DNS Server

All past and current queries and responses for each server are shown here. The table shows a detailed view of the DNS servers for individual IP addresses and IP connections. For each individual DNS connection, a detailed list can be retrieved, e.g. about response times or unanswered queries.

Figure 3: DNS module can be found in L3-IP

4.2. Resolved Domain Name

This tab shows a table with all IP addresses and their names. The Expiration Time column contains the time after which the name is no longer valid. Normally, a resolved name is valid only for a short period of time so that clients do not store incorrect names for too long. The “DNS Server IP” column lists the IP address of the DNS server that responded to the query. Often, especially in smaller networks, there is only one server, but clients are free to use any other available DNS server.

Figure 4: Requested domain name to IP address

4.3. Server Response Time

This tab shows global statistics for each DNS server about the time between the client’s request and the server’s response. Individual sections can be selected here for a more detailed view.

Figure 5: Server response time

4.4. Server Response Codes

In the “Server Response Codes” tab, you can view the global response codes. In addition, all codes for individual DNS servers are displayed in a list. The distribution of different periods is illustrated with different color markers.

Figure 6: Server response code

4.5. DNS Record Types

The last tab shows the global set of DNS record types for all DNS servers. Additional detailed graphs can be retrieved for the most commonly used record types A, AAAA, CNAME and MX.

Figure 7: DNS record types

5. Use case: Identify the DNS servers used and their users

An organization typically maintains a local DNS server for name resolution, which is automatically utilized by client systems through mechanisms such as DHCP. However, not all systems are configured similarly, and occasionally, external DNS servers are intentionally employed. DNS troubleshooting tools, like Allegro Network Multimeter, make it easy to determine which DNS servers are in use. In the “DNS STATISTICS” section, under the “L3-IP” category, the first tab displays a list of all utilized DNS servers. Here, the traffic of these servers is graphically represented, and the list can be sorted, for example, by the number of requests sent to each DNS server. If an unexpected server appears in this list, connections to this server can be conveniently examined. By clicking on “DNS Connections,” a detailed list of all DNS connections to this server is revealed, allowing the identification of systems using this particular DNS server.
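The same check can be reproduced on exported DNS transaction records: aggregate requests, unanswered queries, response times and response codes per server (the statistics described in sections 4.1, 4.3 and 4.4), then flag servers outside the expected set together with the clients using them. The following is an added example, not Allegro code; the record layout, the `EXPECTED_SERVERS` set and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

EXPECTED_SERVERS = {"10.0.0.53"}  # assumption: the organisation's local resolver

# Constructed records: (client, server, query_ms, response_ms or None, rcode)
SAMPLE = [
    ("10.0.0.21", "10.0.0.53", 0, 4, "NOERROR"),
    ("10.0.0.22", "10.0.0.53", 100, 112, "NXDOMAIN"),
    ("10.0.0.21", "10.0.0.53", 200, None, None),          # never answered
    ("10.0.0.37", "198.51.100.8", 300, 345, "NOERROR"),   # external resolver
    ("10.0.0.37", "198.51.100.8", 400, 455, "NOERROR"),
]


def server_stats(transactions):
    """Aggregate per-server counters from DNS transaction records."""
    stats = defaultdict(lambda: {"requests": 0, "unanswered": 0, "rtts": [],
                                 "rcodes": defaultdict(int), "clients": set()})
    for client, server, t_query, t_response, rcode in transactions:
        s = stats[server]
        s["requests"] += 1
        s["clients"].add(client)
        if t_response is None:
            s["unanswered"] += 1          # query seen, no response observed
        else:
            s["rtts"].append(t_response - t_query)
            s["rcodes"][rcode] += 1
    return stats


def report(transactions, expected=EXPECTED_SERVERS):
    """Return one row per DNS server, busiest first, flagging unexpected ones."""
    rows = []
    for server, s in server_stats(transactions).items():
        rows.append({
            "server": server,
            "requests": s["requests"],
            "unanswered": s["unanswered"],
            "avg_ms": sum(s["rtts"]) / len(s["rtts"]) if s["rtts"] else None,
            "rcodes": dict(s["rcodes"]),
            "clients": sorted(s["clients"]),      # who is using this server
            "unexpected": server not in expected,
        })
    return sorted(rows, key=lambda r: r["requests"], reverse=True)


if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```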