36.6. DNS diagnostics, statistics and debug

36.6.1. DNS diagnostics

This command reports the current situation of the DNS resource:

[17:49:20] ABILIS_CPX:d d dns

RES:Dns -----------------------------------------------------------------------
       Domain_Name_System                                                      
       STATE:READY     PRI-SERVER:008.008.008.008  SEC-SERVER:008.008.004.004
       ----------------|-- STATE --|--- CUR ---|-- PEAK ---|--- MAX ---|
       CACHE           |READY      |        140|        888|       5000|
       RELAY           |READY      |          0|        500|        500|
       RELAY-BLACKLIST |READY      |         33|          -|       2000|
       SERVER          |READY      |           |           |           |
       -----------------------------------------------------------------

The meaning:

STATE

The DNS driver state:

  • INACTIVE - State set when the configuration parameter ACT:NO and loaded by DNS driver.

  • ACTIVE - The driver is fully ready to work.

PRI-SERVER

Current DNS primary server IP address.

SEC-SERVER

Current DNS secondary server IP address.

CACHE-STATE

The DNS cache state:

  • INACTIVE - The parameter CACHE:NO and loaded by DNS driver, or when the parameter ACT:NO.

  • DOWN - Some internal errors which force CACHE service to be not operation are occurred.

  • READY - The DNS cache is activated and ready to work: (parameter CACHE:YES) and no errors with UDP service and ACT:YES.

RELAY-STATE

The DNS relay state:

  • INACTIVE - The parameter RELAY:NO and loaded by DNS driver, or when the parameter ACT:NO.

  • DOWN - Registration to lower UDP ports fail, better said when the "use" of UDP service is not possible.

  • READY - The DNS relay is fully ready to work: no errors with UDP service and ACT:YES.

RELAY-BLACKLIST

The DNS relay blacklist state:

  • INACTIVE - The parameter RELAY-BLACKLIST:NO and loaded by DNS driver, or when the parameter ACT:NO.

  • DOWN - Registration to lower UDP ports fail, better said when the "use" of UDP service is not possible.

  • READY - The DNS relay blacklist is fully ready to work: no errors with UDP service and ACT:YES.

SERVER-STATE

The DNS local server state:

  • INACTIVE - The parameter SERVER:NO and loaded by DNS driver, or when the parameter ACT:NO.

  • DOWN - Registration to lower UDP ports fail, better said when the "use" of UDP service is not possible.

  • READY - The DNS server is activated and ready to work: (parameter SERVER:YES) and no errors with UDP service and ACT:YES.

CACHE-CUR

Current number of used DNS cache entries.

CACHE-PEAK

The peak of used DNS cache entries.

CACHE-SIZE

Actual number of DNS cache entries available.

RELAY-CUR

RELAY records currently occupied with pending requests.

RELAY-PEAK

The peak of DNS relay requests.

RELAY-SIZE

Actual size of the requests' table.

RELAY-BLACKLIST-CUR

Currently banned domains.

RELAY-BLACKLIST-SIZE

Actual size of the relay-blacklist table.

36.6.2. DNS statistics

This command can help to understand what is happening, in case of troubles:

[11:42:10] ABILIS_CPX:d s dns

RES:Dns -----------------------------------------------------------------------
       Domain_Name_System                                                      
       --- Cleared 3 days 13:06:56 ago, on 19/01/2018 at 21:22:06 -------------
       - Internal (ping, traceroute, drivers) ---------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       PRI-QUERIES|           |         11|SEC-QUERIES|           |          6|
       PRI-FOUND  |          5|           |SEC-FOUND  |          0|           |
       PRI-UNKNOWN|          0|           |SEC-UNKNOWN|          0|           |
       PRI-RTY-OVR|          0|           |SEC-RTY-OVR|          0|           |
       PRI-TOUT   |          6|           |SEC-TOUT   |          6|           |
       PRI-ERRORS |          0|           |SEC-ERRORS |          0|           |
       NO-PRI-SEC |          0|           |           |           |           |
       OVERFLOW   |          0|           |           |           |           |
       CACHE-HIT  |          6|           |           |           |           |
       SERVER-HIT |          0|           |
       ------------------------------------------------------------------------
       - Relay/Server (requests from clients) ---------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       REQ-TOTAL  |       1537|           |PRI-REQ    |           |       1266|
       REQ-SUCC   |        995|           |PRI-RSP    |        725|           |
       REQ-FAIL   |         19|           |PRI-TOUT   |          9|           |
       OVERFLOW   |          0|           |SEC-REQ    |           |         44|
       DENIED-PTR |          0|           |SEC-RSP    |          0|           |
       DENIED-IP  |          0|           |SEC-TOUT   |          9|           |
       BLACKLISTED|          0|           |           |           |           |
       CACHE-HIT  |        270|           |           |           |           |
       SERVER-HIT |          0|           |           |           |           |
       REQ-ERRORS |          1|           |RSP-ERRORS |          0|           |
       ------------------------------------------------------------------------

With reference to the shown interval of time («Cleared 3 days 13:06:56 ago») these counters show the number of:

PRI/SEC-QUERIESQueries for primary/secondary DNS server.
PRI/SEC-FOUND Primary/Secondary resolved hostnames.
PRI/SEC-UNKPrimary/Secondary unknown host (answer received from server).
PRI/SEC-RTY-OVRPrimary/Secondary retransmission request without any answer from DNS server.
PRI/SEC-TOUTPrimary/Secondary timed-out server (answer was not received from server).
PRI/SEC-ERRORSPrimary/Secondary errors (e.g. Wrong datagram format).
REQ-TOTALAll the clients' requests that arrived to DNS relay.
REQ-SUCCClient's requests that were successfully processed.
REQ-BADRequests that was malformed or contained formal errors.
OVERFLOWClient's requests that was discarded because the table was full.
CACHE-HITRequest resolved from cache.
SERVER-HITRequest resolved from Abilis local dns server (D DNS RESOLVER DOMAIN or REVERSE).
DENIED-PTRPTR request (reverse lookup) has been denied because the request is for a private IP address and the PRI/SEC DNS server selected for the resolution has NOT a private IP address. IMPORTANT: PTR requests for private IP addresses are forwarded to external DNS server only if the IP address of DNS server is private too.
DENIED-IPDNS requests received from the clients but not processed because requester (the author of this DNS request) is not allowed. The not-allowed requester is a client whose IP address is not present in IPSRC and IPSRCLIST parameters configuration.
BLACKLISTEDRequest negated because domani/fqdn is blacklisted.
PRI/SEC-REQ-RSPIN - responses from primary/secondary DNS that could be sent back to the client. OUT - requests sent to primary/secondary DNS server.
PRI/SEC-NOMATCHResponses from primary/secondary DNS for which a matching request was not found in the table. A record in the table for a response could not found when:

- DNS relay has not received a matching request for this response.

- A record for this response was in the table but it became out of date and was used for other request.

RSP-BADResponses that had to be discarded because they had formal errors that prevents further processing.

36.6.3. DNS debug

Type the following command to view the commands allowed:

[15:03:49] ABILIS_CPX:debug res:dns

RES:Dns -----------------------------------------------------------------------
       Domain_Name_System                                                      
       BufferLength:64512  Date/Time:02/08/2016 15:03:53 TraceTime:99775682

Usage:
   LSN:0                = This help
   LSN:1                = Local statistics
   LSN:2 CMD:<name>     = Query: A (direct name lookup)
   LSN:3 CMD:<ipadd>    = Query: PTR (reverse ip lookup)
   LSN:4 CMD:<name>     = Query: MX (mail exchange)
   LSN:5 CMD:<ipadd>    = Query: MX (mail exchange)
   LSN:9                = Show DNS server's addresses

   LSN:20               = Load the blacklist from the file
   LSN:21               = Save the blacklist into the file
   LSN:22 CMD:<PAGE>    = Show the DNS blacklist table PAGE (1...9)
   LSN:23 CMD:<domain>  = Add the <domain> to the blacklist
   LSN:24 CMD:<domain>  = Remove the <domain> from the blacklist
   LSN:25 CMD:<FQDN>    = Test the FQDN against the blacklist
   LSN:29               = Print blacklist status

   LSN:40 CMD:<PAGE>    = Show the FQDN log table PAGE (1...9)
   LSN:41 CMD:<PAGE>    = Show the FQDN log table PAGE (1...9) with ageing order
   LSN:42 CMD:<PAGE>    = Show the FQDN log hash table PAGE (1...9)
   LSN:43 CMD:<FQDN>    = Add the <FQDN> to the log table
   LSN:47               = Clear FQDN log list
   LSN:48               = Show FQDN log statistics
   LSN:49               = Clear FQDN log statistics
[Note]Note

To use these commands you need to have administrator or super user rights.

Example: Type the following command to do a reverse IP lookup query.

[15:03:53] ABILIS_CPX:debug res:dns lsn:3 cmd:8.8.8.8

RES:Dns -----------------------------------------------------------------------
       Domain_Name_System                                                      
       BufferLength:64512  Date/Time:02/08/2016 15:05:09 TraceTime:99852319

Host: 8.8.8.8
Name: google-public-dns-a.google.com