Troubleshooting DNS – DNSLint

By | June 9, 2014

DNSLint is a very robust tool provided for free by Microsoft that allows you to troubleshoot DNS issues more effectively.  It has many options, and can even pull useful information from external zones (not just AD integrated zones).  When you pull information using this tool, it will create an HTML report in your working directory that is easily readable.  The tool can be downloaded here:

DNSLint download page

Here are some useful switches:


Verifies domain name registration and DNS records


dnslint /d domain_name | /ad [LDAP_IP_address] | /ql input_file
[/c [smtp,pop,imap]] [/no_open] [/r report_name]
[/t] [/s DNS_IP_address] [/v] [/y]

Required parameters:

/d used to request domain name tests
– must specify domain name to test
– cannot be used in conjunction with /ad

/ad used to request Active Directory tests
– resolves DNS records used for AD forest replication
– default is to use local system’s LDAP service
– can specify remote LDAP server IP address (optional)
– only valid IP addresses accepted – names not accepted
– typically this is an Active Directory Domain Controller
– must be used with /s option where /s specifies the
IP address of a DNS server that is authoritative for
the _msdcs subdomain in the root domain of the AD forest
– cannot be used in conjunction with /d or /c

/ql used to request DNS query tests from a list
– sends the DNS queries specified in a text input file
– must specify the path and name of the input file
– A, PTR, CNAME, SRV and MX record queries supported
– create a sample input file by running:
dnslint /ql autocreate
– cannot be used in conjunction with /d, /ad, or /c

– /d /ad /ql cannot be used together
– /c cannot be used together with /ad or /ql
– when using /ad, /s must also be specified

Optional parameters:

/c used to request connectivity tests on e-mail servers
– tests SMTP, POP, and IMAP ports on e-mail servers found
– default is to check all three, can specify one or combination
– use comma seperated list: /c pop,imap,smtp

/no_open used to prevent report from automatically opening
– useful in scripts

/r used to specify the name of the report file created
– .htm extension is automatically added to report names
– report is created in HTML format – default name is dnslint.htm
– default location is the current directory

/t used to request output to a text file
– shares same name as .htm report but with a .txt extension
– created in the same directory as the .htm report file

/test_tcp used to request that TCP port 53 be tested
– by default only UDP port 53 is tested
– this option checks if TCP port 53 is responding to queries
– cannot be used with /ql

/s used by-pass InterNIC whois lookup
– specify tested domain’s authoritative DNS server’s IP address
– does not query InterNIC for registered name servers
– starts checking DNS records using supplied IP address
– only valid IP addresses accepted – names not accepted
– use to check domain names not supported by InterNIC
– when /ad is used, /s must be used to specify a DNS server
that is authoritative for the subdomain called:
_msdcs.<root of the AD forest>
– when /ad is used, /s localhost can be run to determine if
the local system can resolve records used for AD replication

/v used to request verbose output to screen

/y used to overwrite existing report file without being prompted
– useful in scripts

Press Ctrl-c to terminate prematurely


dnslint /d
dnslint /v /y /d
dnslint /v /y /r ms_report /d
dnslint /v /y /no_open /s /d
dnslint /v /y /c /t /d
dnslint /d /c smtp,pop
dnslint /ad /s /v
dnslint /ad /s localhost /v
dnslint /ql mylist.txt /v
dnslint /ql autocreate