DNS Troubleshooting Lab

1

DNS Record Types

Beginner

Objective: Understand the purpose of common DNS record types and when each is used.

Common DNS Record Types

Type	Purpose	Example
A	Maps hostname to IPv4 address	example.com → 93.184.216.34
AAAA	Maps hostname to IPv6 address	example.com → 2606:2800:220:1::
CNAME	Alias pointing to another hostname	www.example.com → example.com
MX	Mail exchange server for domain	example.com → mail.example.com (priority 10)
PTR	Reverse DNS (IP to hostname)	34.216.184.93.in-addr.arpa → example.com
NS	Authoritative nameserver for domain	example.com → ns1.example.com
TXT	Arbitrary text (SPF, DKIM, verification)	"v=spf1 include:_spf.google.com ~all"
SOA	Start of Authority - zone parameters	Primary NS, admin email, serial, refresh intervals
SRV	Service location record	_sip._tcp.example.com → sipserver.example.com:5060

Q1: What record type would you query to find a domain's mail server?

Q2: What record type maps an IP address BACK to a hostname?

Q3: What is the difference between an A record and a CNAME record?

2

Querying DNS with nslookup

Beginner

Objective: Read nslookup output and extract DNS information for troubleshooting.

nslookup Output - Standard Query

$ nslookup www.hexworth.edu Server: 192.168.1.1 Address: 192.168.1.1#53 Non-authoritative answer: www.hexworth.edu canonical name = hexworth.edu Name: hexworth.edu Address: 10.50.25.100

nslookup Output - MX Record Query

$ nslookup -type=MX hexworth.edu Server: 192.168.1.1 Address: 192.168.1.1#53 Non-authoritative answer: hexworth.edu mail exchanger = 10 mail1.hexworth.edu hexworth.edu mail exchanger = 20 mail2.hexworth.edu Authoritative answers can be found from: mail1.hexworth.edu internet address = 10.50.25.110 mail2.hexworth.edu internet address = 10.50.25.111

Q1: What DNS server answered the query?

Q2: What type of record is www.hexworth.edu? (A, CNAME, etc.)

Q3: Which mail server has the highest priority (lowest number)?

Q4: Why does the response say "Non-authoritative answer"?

3

Advanced DNS with dig

Intermediate

Objective: Interpret dig command output including flags, sections, and query statistics.

dig Output

$ dig hexworth.edu ANY +noall +answer +stats ;; ANSWER SECTION: hexworth.edu. 300 IN A 10.50.25.100 hexworth.edu. 300 IN AAAA 2001:db8::1 hexworth.edu. 3600 IN NS ns1.hexworth.edu. hexworth.edu. 3600 IN NS ns2.hexworth.edu. hexworth.edu. 3600 IN MX 10 mail1.hexworth.edu. hexworth.edu. 3600 IN SOA ns1.hexworth.edu. admin.hexworth.edu. 2025021501 3600 900 1209600 86400 hexworth.edu. 300 IN TXT "v=spf1 ip4:10.50.25.0/24 -all" ;; Query time: 23 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Sun Feb 16 10:30:00 UTC 2026 ;; MSG SIZE rcvd: 312

dig Tip: The number after the hostname (300, 3600) is the TTL (Time To Live) in seconds. It tells caching resolvers how long to keep this record before re-querying the authoritative server.

Q1: What is the TTL of the A record (in seconds)?

Q2: What is the admin email from the SOA record? (in email format)

Q3: What does the SPF TXT record "-all" mean?

Q4: What is the serial number in the SOA record?

4

Fixing DNS Misconfigurations

Intermediate

Objective: Diagnose and identify fixes for common DNS problems from troubleshooting output.

Scenario: Website Down

Users report they cannot reach intranet.hexworth.edu. The web server is running and accessible by IP. You investigate with DNS tools.

Investigation Output

$ nslookup intranet.hexworth.edu ** server can't find intranet.hexworth.edu: NXDOMAIN $ nslookup intranet.hexworth.edu 10.50.25.2 Server: 10.50.25.2 Address: 10.50.25.2#53 Name: intranet.hexworth.edu Address: 10.50.25.200 $ ping 10.50.25.200 PING 10.50.25.200: 64 bytes from 10.50.25.200: icmp_seq=0 ttl=64 time=1.2 ms $ cat /etc/resolv.conf nameserver 8.8.8.8 nameserver 8.8.4.4

Q1: Why does the first nslookup fail but the second one succeeds?

Q2: What is the root cause? (check resolv.conf)

Q3: What should the nameserver entry be changed to?

5

Advanced DNS Issues

Advanced

Objective: Identify CNAME loops, zone transfer vulnerabilities, and DNS cache poisoning indicators.

Scenario A: CNAME Loop

A developer reports that app.hexworth.edu is "timing out on DNS." You investigate.

$ dig app.hexworth.edu ;; ANSWER SECTION: app.hexworth.edu. 300 IN CNAME portal.hexworth.edu. portal.hexworth.edu. 300 IN CNAME web.hexworth.edu. web.hexworth.edu. 300 IN CNAME app.hexworth.edu. ;; WARNING: CNAME loop detected

Scenario B: Zone Transfer Leak

During a security audit, you test whether zone transfers are properly restricted.

$ dig @ns1.hexworth.edu hexworth.edu AXFR ;; ANSWER SECTION: hexworth.edu. 3600 IN SOA ns1.hexworth.edu. admin.hexworth.edu. ... hexworth.edu. 3600 IN NS ns1.hexworth.edu. hexworth.edu. 3600 IN NS ns2.hexworth.edu. hexworth.edu. 300 IN A 10.50.25.100 admin-portal.hexworth.edu. 300 IN A 10.50.25.150 vpn.hexworth.edu. 300 IN A 10.50.25.5 db-master.hexworth.edu. 300 IN A 10.50.25.50 staging.hexworth.edu. 300 IN A 10.50.25.201 hexworth.edu. 3600 IN SOA ns1.hexworth.edu. admin.hexworth.edu. ... ;; XFR size: 45 records

Security Best Practice: Zone transfers (AXFR) should be restricted to authorized secondary DNS servers only. Configure your DNS server with allow-transfer { trusted-servers; }; in BIND or equivalent ACLs.

Q1: In Scenario A, what is the problem?

Q2: How would you fix the CNAME loop? (which record needs to point to an IP?)

Q3: In Scenario B, what security risk does AXFR zone transfer expose?

Q4: What sensitive internal hostname was exposed that an attacker would target?