Tuesday, February 15, 2005

How to Troubleshoot DNS Issues with "dig"

“dig” is the domain information groper. You can use dig to query DNS servers for information concerning hostnames and servers. You may be familiar with nslookup (see the previous blog entry), an older utility that does much the same thing. dig uses a clearer, easier to understand command structure and is generally more stable than nslookup, so it is the recommended tool for querying name servers. At this time, dig is not supported in Windows, but it is supported in most Linux distros and most versions of UNIX.

Using dig

#dig [server to query] [name to be looked up] [type of query (if not specified, dig will perform a lookup for an A RR)].

Common uses of dig

  • #dig [fully qualified domain name] will provide information about the IP address of the specified host as well as information about the nameservers associated with that host.
  • #dig -x [IP address] will do a reverse lookup and provide information about the host at that IP address.

Of course, for more information about dig, check out the man or info pages. As with nslookup, you can get more information about dig and other DNS tools in our BIND DNS one-day seminar. It’s now available for onsite scheduling at your location. Call us at 206.988.5858 to schedule your seminar.

Friday, February 11, 2005

How to Troubleshoot DNS Issues with "nslookup"

Nslookup is a very handy and often underutilized tool for assisting in name resolution issues. Nslookup runs in most (if not all) systems utilizing TCP/IP. It allows you to query a name server for various types of information concerning the name resolution process. Try this command at a command prompt:

nslookup [hostnamefully qualified domain name]
This command will display the nameserver for the domain and the IP address of the host.

Or try this:
The command by itself starts the nslookup service. The prompt is “>”.

>ls [domain name]
This command will display a listing of hosts in the domain with their IP addresses.

Although many in the Linux/UNIX community prefer to use “dig”, nslookup is the most commonly available of all the DNS troubleshooting tools and is supported on most OS platforms.

Want to know more about using nslookup, dig, and other DNS troubleshooting tools? Check out our BIND DNS one-day workshop. It’s now available for onsite scheduling at your location. Call us at 206.988.5858 to schedule your workshop.

Tuesday, February 8, 2005

How to Use "runas" in Windows 2000/XP/2003

You probably know that it’s best practice for an administrator to have two logon accounts: one used for day-to-day, routine tasks that don’t require administrative rights and permissions and one for administering the computer and/or the network.

The “runas” command was introduced in Microsoft Windows 2000 and is supported in Windows XP and Server 2003. “Runas” allows an administrator to run applications under a different user context than the currently logged on user. For example, suppose you’re logged on with your regular user account, but need to perform an administrative task. You can use the “runas” command to perform the task without having to log off from your regular account and log back on with your administrator account.

To use the “runas” command within the GUI, right-click on a .exe, .mmc, or a shortcut and choose Run as… You also use “runas” within command mode. To see syntax, type “runas” at a command prompt.

Learn more about “runas” and other administration and troubleshooting tools in our Windows XP and Windows Server 2003 seminars.

Thursday, February 3, 2005

How to Use "netstate" to Troubleshoot Connectivity Issues

The “netstat” command is included with most TCP/IP-enabled operating systems. Little understood and infrequently used, netstat is a great tool for troubleshooting connectivity issues related to IP address and port configuration.

Netstat displays protocol statistics and current TCP/IP network connections. Use it with any of several switches to display all connections and listening ports, Ethernet statistics, the routing table, and per-protocol statistics. For UNIX and Linux users, there are even more options available.

Run netstat at a command prompt using the following syntax to see the various options available:
“c:>netstat /?”

A commonly used command is “c:>netstat -an” which displays all connections and listening ports in numerical form. By default, the output is displayed on your screen, but you can direct the output to a file by using the following syntax: “c:>netstat -an > netstat.txt”. That sends a list of all connections and listening ports to the file netstat.txt which can be found in the current directory.

Want to know more about netstat and other troubleshooting tools? Schedule our Networking Fundamentals 2-Day Hands-On Workshop for your location. Remember, onsite training makes sense for groups of four or more.

Wednesday, February 2, 2005

How to Configure the Windows XP Firewall, part 2

This entry is about the Advanced tab on the Windows XP SP2 firewall. The Advanced tab allows you to choose the connections that you want firewalled (the default is all of them), configure logging, control ICMP behavior, and reset the firewall to its default state.

As with other settings, if the setting is configured at a domain level through domain policies, you will not be able to configure it locally (the settings will be grayed). You can also specify the specific types of connections that will allowed on a connection by connection basis by selecting a particular connection and choosing Settings. You might, for example, want to disable ICMP on an external connection but allow it on an internal connection.

Security logging allows you to log successful and failed connection attempts, specify the location of the log, and specify the maximum log size.

ICMP settings allows you to configure how the computer responds to various events on the network. According to RFC 792, ICMP (Internet Control Message Protocol) messages are sent in several situations, including when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. ICMP is best known for its use with the PING utility. PING sends an ICMP echo to its target and the target responds with an ICMP echo reply. PING reports on the success and performance of such requests and responses. Although ICMP is a very handy troubleshooting tool in a network, it can also alert an attacker to the presence of a system. It is generally recommended, therefore, that ICMP be disabled (it is by default) on any external interface and internal interfaces on non-trusted networks. You can enable specific ICMP functionality if needed, but in general, it’s best to leave it disabled.

The Restore Defaults button does exactly what the name implies. Want to know more about supporting Windows? Check out our accelerated Windows training, available in both public and onsite seminars and workshops.

Tuesday, February 1, 2005

How to Configure the Windows XP Firewall, part 1

I suppose if I’m going to get on my soapbox about learning how to configure the Windows XP SP2 firewall, I should probably do a “how-to” guide on the subject. You know, “Put up or shut up!”, right? Here goes.

There are several ways to get to the XP firewall. If you have a preferred path, use it. Otherwise, click Start, then Control Panel, then double-click Network and Internet Connections, and click Windows Firewall. There are three tabs on the Windows Firewall Configuration window: General, Exceptions, and Advanced.

The General tab allows you to turn the firewall on or off and to allow or disallow exceptions. Think of exceptions this way: By default, the firewall doesn’t allow any incoming connections except Remote Assistance. As you work, various applications will request to be allowed access from the Internet. If you choose to allow such access, the application will be listed under the exceptions tab. There may be times, however, when you don’t want to allow such exceptions. An example might be when you’re connected to a non-trusted WiFi network at a coffee shop or in an airport. In those types of settings, you can deny pre-configured exceptions by checking the box “Don’t allow exceptions”.

Under the Exceptions tab, you’ll see all of the applications that you’ve allowed to accept incoming connections. You can remove applications from the list or manually add any applications that need to accept incoming connections. You can also allow incoming connections by TCP or UDP port numbers. For example, suppose that you want to allow Cisco devices to connect to a TFTP server on your computer for configuration backup and restore. On the Exceptions tab, click Add port… and enter TFTP for the name, specify 69 for the port number, and push the radio button for UDP. Use similar procedures for any other ports you wish to enable.

I’ll discuss the Advanced tab in my next blog entry. Want to know more about supporting Windows? Check out our accelerated Windows training, available in both public and onsite seminars and workshops.