DNS and DHCP Health Check

A read-only DNS and DHCP triage checklist that captures client-side evidence, compares DNS paths, and narrows the failure domain before anyone flushes caches or changes records.

Good For

  • Windows DNS issues
  • small-office DHCP
  • VPN name resolution
  • mystery connectivity failures

How to Use It

  1. Capture the affected client's IPv4 address, interface, default gateway, and assigned DNS servers before changing anything.
  2. If the client has no usable gateway or the gateway is unreachable, stay in the local-network, VLAN, Wi-Fi, VPN, or DHCP-path lane before blaming DNS.
  3. Resolve the target through the client's default DNS path and again through a known-good internal DNS server.
  4. If default DNS fails but the direct internal DNS query works, investigate VPN DNS assignment, interface priority, split DNS, or public DNS leakage.
  5. If both lookups succeed but return different answers, compare stale records, duplicate A records, load balancer answers, and conditional forwarders.
  6. If DNS succeeds but the application still fails, move to service-port testing instead of flushing caches as a reflex.
  7. Compare the existing DHCP lease context with the expected subnet, reservation, VLAN, or VPN pool. Keep the evidence pass read-only.
  8. Flush DNS or renew DHCP only after the failing evidence has been recorded and the action is actually justified.

Execution Modes

  • local

Inputs and Outputs

Inputs

  • target hostname
  • known-good client
  • expected DNS servers
  • expected DHCP scope

Outputs

  • verbose-console
  • operator-notes

Command Starter

Safe to run: read-only

# ---------------------------------------------------------------------
# Operator inputs
# ---------------------------------------------------------------------
# Hostname that should resolve from the affected client.
$Target = 'server01.contoso.com'

# Known-good internal DNS server for direct comparison.
$ExpectedDnsServer = '10.10.10.10'

# ---------------------------------------------------------------------
# Capture the local client path before changing anything
# ---------------------------------------------------------------------
# Prefer an interface that has a default gateway, but fall back to any IPv4
# interface so a client with no usable gateway (step 2) still has its address
# and interface alias recorded instead of an empty object.
$ClientConfig = Get-NetIPConfiguration |
    Where-Object { $_.IPv4Address } |
    Sort-Object { [bool]$_.IPv4DefaultGateway } -Descending |
    Select-Object -First 1

# Keep every interface's IPv4 server list; interfaces with no servers drop out.
$ClientDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }

# Test the client gateway only when one is present.
$Gateway = $ClientConfig.IPv4DefaultGateway.NextHop
$GatewayReachable = if ($Gateway) {
    Test-Connection -ComputerName $Gateway -Count 2 -Quiet
} else {
    $false
}

# ---------------------------------------------------------------------
# Compare the client's normal DNS path with a direct internal lookup
# ---------------------------------------------------------------------
# -Type A limits the comparison to IPv4 answers. A CNAME in the chain is still
# returned but has no IPAddress property, so it drops out of the joined list.
$DefaultLookup = Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue
$DirectLookup = Resolve-DnsName -Name $Target -Type A -Server $ExpectedDnsServer -ErrorAction SilentlyContinue

# Present one concise evidence object for ticket notes or escalation.
[pscustomobject]@{
    Target                = $Target
    ClientIPv4            = ($ClientConfig.IPv4Address.IPAddress -join ', ')
    InterfaceAlias        = $ClientConfig.InterfaceAlias
    Gateway               = $Gateway
    GatewayReachable      = $GatewayReachable
    ClientDnsServers      = (($ClientDns | ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join '/')" }) -join '; ')
    DefaultLookupAnswers  = ($DefaultLookup.IPAddress -join ', ')
    DirectLookupAnswers   = ($DirectLookup.IPAddress -join ', ')
}
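
A second starter, added here as an example and not part of the original page's Command Starter, that carries the same read-only evidence pass through steps 4, 6 and 7 of How to Use It: interface priority and split-DNS (NRPT) rules, a port test against the address the client actually resolved, and the DHCP lease compared with the expected scope, then reads the checklist lane off the results. $ServicePort, $ExpectedScope, the sample hostname and resolver address, and the helper names ConvertTo-IPv4Int, Test-InScope and Get-TriageLane are assumptions for this example; the cmdlets are the standard NetTCPIP, DnsClient and CIM ones. Apart from two ICMP probes and one TCP connect it changes nothing on the client.

```powershell
# Added example, not part of the original Command Starter: it extends the
# read-only evidence pass to steps 4, 6 and 7 and reads the triage lane off
# the evidence. Values marked "assumed" are placeholders for this example.
$Target            = 'server01.contoso.com'   # assumed
$ExpectedDnsServer = '10.10.10.10'            # assumed: known-good internal resolver
$ServicePort       = 443                      # assumed: port the failing application uses
$ExpectedScope     = '10.10.20.0/24'          # assumed: subnet, VLAN or VPN pool the client should be in

# --- Step 4: which interface wins, and which DNS servers ride on it ---
# Windows sends queries to the servers of the connected interface with the lowest
# metric first, so a VPN adapter with a worse metric than Wi-Fi pushes internal
# names to the public resolver. Split DNS on Windows is expressed as NRPT rules.
$DnsByInterface = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Sort-Object InterfaceMetric |
    ForEach-Object {
        $Servers = (Get-DnsClientServerAddress -InterfaceAlias $_.InterfaceAlias -AddressFamily IPv4).ServerAddresses
        [pscustomobject]@{
            InterfaceAlias  = $_.InterfaceAlias
            InterfaceMetric = $_.InterfaceMetric
            DhcpOnInterface = $_.Dhcp
            DnsServers      = ($Servers -join ', ')
        }
    }
$SplitDnsRules = Get-DnsClientNrptPolicy -ErrorAction SilentlyContinue | Select-Object Namespace, NameServers

# --- Step 7: DHCP lease context, read-only ---
# Win32_NetworkAdapterConfiguration carries the DHCP server and lease times that
# Get-NetIPConfiguration does not show. A 169.254.x.x address, or one outside
# the expected scope, points at the DHCP path rather than DNS.
function ConvertTo-IPv4Int ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    (([uint64]$b[0]) -shl 24) + (([uint64]$b[1]) -shl 16) + (([uint64]$b[2]) -shl 8) + [uint64]$b[3]
}
function Test-InScope ([string]$Address, [string]$Cidr) {
    $Net, $Bits = $Cidr -split '/'
    $Shift = 32 - [int]$Bits
    ((ConvertTo-IPv4Int $Address) -shr $Shift) -eq ((ConvertTo-IPv4Int $Net) -shr $Shift)
}
$Leases = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $Cfg  = $_
        $Ipv4 = @($Cfg.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        [pscustomobject]@{
            Adapter         = $Cfg.Description
            IPv4            = ($Ipv4 -join ', ')
            DhcpEnabled     = $Cfg.DHCPEnabled
            DhcpServer      = $Cfg.DHCPServer
            LeaseObtained   = $Cfg.DHCPLeaseObtained
            LeaseExpires    = $Cfg.DHCPLeaseExpires
            InExpectedScope = ($Ipv4.Count -gt 0 -and (Test-InScope -Address $Ipv4[0] -Cidr $ExpectedScope))
        }
    }

# --- Steps 2, 3, 5 and 6: gateway, both lookups, then a port test ---
$Gateway = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Sort-Object RouteMetric | Select-Object -First 1).NextHop
$GatewayReachable = if ($Gateway) { Test-Connection -ComputerName $Gateway -Count 2 -Quiet } else { $false }
$DefaultAnswers = @(Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress | Sort-Object)
$DirectAnswers  = @(Resolve-DnsName -Name $Target -Type A -Server $ExpectedDnsServer -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress } | Select-Object -ExpandProperty IPAddress | Sort-Object)
$SameAnswers    = ($DefaultAnswers -join ',') -eq ($DirectAnswers -join ',')
# Test the port against the address the client actually resolved, so the port
# test cannot succeed through a different DNS path than the one under suspicion.
$PortOpen = if ($DefaultAnswers.Count -gt 0) {
    Test-NetConnection -ComputerName $DefaultAnswers[0] -Port $ServicePort -InformationLevel Quiet -WarningAction SilentlyContinue
} else { $null }

# Read the lane off the evidence in the order the checklist gives it.
function Get-TriageLane ([bool]$GatewayUp, [bool]$DefaultOk, [bool]$DirectOk, [bool]$Same, $Port) {
    if (-not $GatewayUp)                           { return 'step 2: local network, VLAN, Wi-Fi, VPN or DHCP path' }
    if (-not $DefaultOk -and $DirectOk)            { return 'step 4: VPN DNS assignment, interface priority, split DNS or public DNS leakage' }
    if ($DefaultOk -and $DirectOk -and -not $Same) { return 'step 5: stale or duplicate records, load balancer answers, conditional forwarders' }
    if ($DefaultOk -and $Port -eq $false)          { return 'step 6: service port on the target, not DNS' }
    if (-not $DefaultOk -and -not $DirectOk)       { return 'both lookups fail: zone data or the known-good server, not the client cache' }
    return 'no DNS or port fault isolated by this pass'
}

[pscustomobject]@{
    Target           = $Target
    Gateway          = $Gateway
    GatewayReachable = $GatewayReachable
    DefaultAnswers   = ($DefaultAnswers -join ', ')
    DirectAnswers    = ($DirectAnswers -join ', ')
    PortOpen         = $PortOpen
    SuggestedLane    = Get-TriageLane $GatewayReachable ($DefaultAnswers.Count -gt 0) ($DirectAnswers.Count -gt 0) $SameAnswers $PortOpen
} | Format-List
$DnsByInterface | Format-Table -AutoSize
$SplitDnsRules  | Format-Table -AutoSize
$Leases         | Format-Table -AutoSize
```

Two design points. The port test uses $DefaultAnswers[0] rather than $Target so that Test-NetConnection cannot re-resolve the name through whichever path Windows picks and pass for the wrong reason; if the client resolved nothing, PortOpen stays null and the lane is decided by the lookups alone. The "both lookups fail" branch is the one case the checklist does not spell out: when the known-good server cannot answer either, a cache flush on the client cannot help, and the record itself is what goes to the DNS team.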

Validation

  • The client resolves the expected host to the expected address, or the mismatch is documented clearly.
  • The direct DNS-server lookup and the default client DNS lookup agree, or the difference is captured as the finding.
  • Gateway reachability and assigned DNS servers are recorded so the failure domain is not guessed.
  • If a later DHCP renew or cache flush is approved, the before-and-after result can be compared against this evidence.

Reporting

  • Copy the summary object into ticket notes or an escalation update.
  • Attach the gateway, assigned DNS servers, and lookup comparison when a network or identity team needs the evidence.
  • For multi-client or multi-site recurrence, promote this flow into a CSV/HTML DNS triage report pack.

Safety Notes

  • Capture failing answers before flushing caches.
  • Do not change DHCP reservations or DNS records during the evidence pass.