Key Points
- Create a DNS Diagnostics Baseline: Use PowerShell commands like Get-DnsServerDiagnostics and export data in CSV/JSON formats.
- Enable Targeted DNS Diagnostics: Activate only necessary diagnostic flags (-Query, -Send, -Receive, -ZoneTransfer) to prevent log overload while identifying DNS issues.
- Capture and Export DNS Evidence: Use PowerShell cmdlets (Get-WinEvent, Get-DnsServerZone, Export-Csv) to collect logs, correlate events, and document root causes.
- Revert DNS Servers to Baseline: Safely disable diagnostics and restore default settings using Set-DnsServerDebugLog and Set-DnsServerDiagnostics.
- Automate DNS Health Monitoring: Schedule recurring diagnostics and alerts via PowerShell or RMM tools like NinjaOne to reduce MTTR.
While available through its graphical interface, learning PowerShell commands for Windows DNS and how to check diagnostics enables your MSP to automate processes and perform root cause analysis with minimal disruption, increasing your resilience against DNS attacks.
This article explains how to enable targeted diagnostics, create a baseline, record evidence, and revert server changes with specialized PowerShell commands and RMM capabilities.
How to use PowerShell to resolve DNS issues
The steps below provide a structured framework to answer the question “How do you troubleshoot a DNS problem?”
📌Prerequisites:
- Administrative PowerShell on a system with the DNS Server module (remote or on the DNS host).
- Access to the DNS Server role and relevant event channels.
- Change the Windows or Safe-to-Enable Diagnostics policy.
- Versioned repository for baseline JSON/CSV exports.
Method 1: Triage the endpoint path first
Before diving into server-side DNS diagnostics, you must first rule out any client misconfigurations that may be affecting uptime and server reliability. Do the following before continuing on:
- Verify that the client’s network adapter can establish a connection to the gateway and DNS servers.
- Check if domain record types correspond to their respective IP addresses (e.g., an AAAA record maps a domain name to an IPv6).
- Parse your DNS cache for any useful troubleshooting signals (e.g., wrong query paths, quick time-to-live behavior).
Method 2: Capture a DNS diagnostics baseline
Capture what your DNS server settings look like before you apply any changes. Doing so ensures traceability and clean reversions in case you need to return to a previously working state.
📌 Use Cases: To compare against future incidents and restore consistent DNS settings.
📌 Prerequisites: PowerShell 5.1, administrator privileges.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Run this command to verify you have the DNS server module:
Get-Module -ListAvailable -Name DnsServer
- If it hasn’t been installed, run the following:
Install-WindowsFeature -Name RSAT-DNS-Server
- To export DNS and “how to check” diagnostics settings, use the following:
- As a CSV file:
Get-DnsServerDiagnostics | Export-Csv -Path “C:\DNS_Baseline\DnsDiagnostics.csv” -NoTypeInformation
“`
- As a JSON file:
Get-DnsServerDiagnostics | ConvertTo-Json | Out-File “C:\DNS_Baseline\DnsDiagnostics.json”
💡Tip: Store these in a special folder for Quarterly Business Review (e.g., QBR/incident ticket folder).
- Check the DNS event tracking and save it to a text file:
Get-WinEvent -ListLog *DNS* | Format-Table LogName, LogType, IsEnabled | Out-File “C:\DNS_Baseline\ETW_Status.txt”
“
- Save everything in your change management folder for easy access.
Method 3: Enable targeted diagnostics (least necessary)
Enable only relevant diagnostics to prevent log overload and minimize the impact on production environments. This focused approach helps pinpoint the root cause of DNS failures without overwhelming your server.
📌 Use Cases: To efficiently debug DNS servers using powerful diagnostic commands.
📌 Prerequisites: PowerShell 5.1, administrator privileges, and the DNS server module
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Determine which DNS layer is causing problems:
💡Tip: Use logs, error messages, or nslookup/Resolve-DnsName to narrow down your search.
| Layer | Symptoms | Diagnostic focus |
| Query resolution | Clients can’t resolve names | Query, Receive, Send |
| Zone transfers | Secondary DNS isn’t syncing | ZoneTransfer, Update |
| Dynamic updates | DHCP clients not registering | Update, Write |
| Forwarding issues | External lookups failing | Forwarding, Query |
- To view currently enabled diagnostic flags, run the following:
- To enable the specific flags you need (e.g., Query and Send diagnostics), run the following:
Set-DnsServerDiagnostics -Query $true -Send $true
- For deeper insights, enable debug logging temporarily as you apply DNS and how to check:
Set-DnsServerDebugLog -WriteDebugLog $true -MaxMBFileSize <MaxMBFile> -MaxMBPerDirectory <MaxMBDirectory>
“
Replace <MaxMBFile> with the max size per log file (e.g., 10).
Replace <MaxMBDirectory> with the total size of all log files (e.g., 50).
- To document your changes, run these commands:
- To save your changes:
Get-DnsServerDiagnostics | Export-Csv “C:\DNS_Baseline\Diagnostics_After.csv” -NoTypeInformation
- To document debug log status:
Get-DnsServerDebugLog | Out-File “C:\DNS_Baseline\DebugLog_Status.txt”
Method 4: Correlate events, zones, and operations
Link your diagnostics data to specific DNS zones or processes to trace and fix specific DNS issues. These can help explain internal web services indexing errors or user access failures in your client’s network infrastructure.
This step requires technicians to manually monitor DNS event logs, reproduce issues, and validate recursion settings with multiple scripts. NinjaOne streamlines this process on a single platform using pre-built scripts for zone-level insight and alert triggers for DNS-related conditions.
🥷🏻| Utilize proven and efficient scripts for faster resolution times and better ROI.
Method 5: Export evidence and revert to baseline
Once you’ve collected evidence, save your findings for clean rollbacks and faster fixes in case the issue repeats itself in the future.
📌 Use Cases: To create a repeatable playbook and improve response times for DNS-related issues.
📌 Prerequisites: PowerShell 5.1, administrator privileges, and the DNS server module
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Export your logs:
- DNS event logs into your QBR/incident ticket folder:
Get-WinEvent -LogName “Microsoft-Windows-DNS-Server/Audit” -MaxEvents 500 | Export-Csv “C:\DNS_Incident\Evidence_DNS_Events.csv” -NoTypeInformation
- DNS debug log status:
Get-DnsServerDebugLog | Out-File “C:\DNS_Incident\DebugLog_Status.txt”
- Current diagnostics settings:
Get-DnsServerDiagnostics | Export-Csv “C:\DNS_Incident\Diagnostics_After.csv” -NoTypeInformation
- Zone info:
Get-DnsServerZone | Export-Csv “C:\DNS_Incident\ZoneInfo.csv” -NoTypeInformation
- To disable any temporary diagnostic logging, run the following:
Set-DnsServerDebugLog -WriteDebugLog $false
- To manually reset your diagnostics to baseline, run this command:
Set-DnsServerDiagnostics -Query $false -Send $false -Receive $false -ZoneTransfer $false -Update $false
- Execute this script to capture your state before reverting back to baseline:
Get-DnsServerDiagnostics | Export-Csv “C:\DNS_Incident\Diagnostics_Final.csv” -NoTypeInformation
- Document root cause and fix in a text file summary:
“
Date: 2025-10-31
Server: DNS01
Issue: DNS resolution failure for external domains
Root Cause: Misconfigured forwarder and stale records in AD-integrated zone
Fix Applied: Updated forwarder settings, enabled scavenging, cleared stale records
Diagnostics Used: Get-DnsServerDiagnostics, Event Logs, Zone Analysis
“@ | Out-File “C:\DNS_Incident\Incident_Summary.txt”
Method 6: Operationalize DNS and how to check diagnostics (scheduled health & alerts)
Lastly, set up ongoing alert triggers for DNS issues like NXDOMAIN spikes or recursion timeouts to reduce your MTTR (or Mean Time to Resolution) metric. You can schedule these scripts to run via built-in tools like Task Scheduler, or employ streamlined solutions like NinjaOne.
Besides keeping your domains healthy and responsive, proactive weekly checks can also improve visibility across client networks and prepare QBR-worthy data, giving your MSP more time to focus on different projects.
How NinjaOne troubleshoots DNS and how to check
NinjaOne’s platform grants a birds-eye view of all your endpoints, including virtual DNS servers, from a centralized dashboard. Here’s how remote monitoring capabilities can enhance the efficiency of your DNS and “how to check” diagnostics.
| Step | Without NinjaOne | With NinjaOne |
| Triage the endpoint path first. | Manual checks on adapter config, gateway, and DNS servers | NinjaOne agent automates endpoint performance and health checks. |
| Capture a DNS diagnostics baseline. | Scripts run manually and results are stored in shared folders. | NinjaOne scripts and storage streamlines scheduled exports. |
| Enable targeted diagnostics (least necessary). | Flags need to be toggled and checked by technicians; risk of overlogging. | Deploy scoped diagnostic scripts with retention controls. |
| Correlate events, zones, and operations. | Manually cross-reference logs and settings across multiple consoles. | NinjaOne insights help you gather logs and correlate DNS events. |
| Export evidence and revert to baseline. | Hands-on log export and rollback; risk of human error. | Proven NinjaOne scripts automate evidence capture and rollbacks. |
| Operationalize (scheduled health & alerts). | Needs custom scripts and multiple external monitoring tools. | Built-in alerting, scheduled diagnostics, and continuous health monitoring. |
Automate PowerShell to resolve DNS server issues
Utilizing PowerShell scripts enables IT staff to quickly deploy and record DNS server troubleshooting. By harnessing these scripts with a structured playbook and best-in-class MDM, MSPs can build trust with business partners, provide around-the-clock overwatch, and refine DNS diagnostics.
Related topics:
- How to Find DNS Servers Used in Windows 11
- What Is a DNS Resolver & How to Set It Up
- What the “DNS Server Not Responding” Error Is and How to Fix It
- How to Create Custom RMM Remediation Scripts to Correct DNS, Patching, and BitLocker Issues Automatically
- Mastering DNS Cache Management: Flush DNS with PowerShell
