DNS Client side Resolver Service and DNS Forwarders Query Algorithm

As many of you who follow my blogs know, I originally blogged about the client side resolver a few years ago. That post can be found here:

http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx

I think that many readers may have missed this portion because of the size of that blog, since after all it’s buried in one of the sections. Therefore, I thought I’d blog specifically about it and get right to the point.

Background:

An internal DNS infrastructure is designed to support host name resolution for internal hosts. This is the goal whether it’s for an AD infrastructure or a non-AD infrastructure; otherwise, why bother running DNS internally at all?

This is especially true with AD. AD depends on DNS: the locations of AD’s resources and services (domain controllers, global catalogs, Kerberos KDCs) are stored as SRV records, and that is how every member of the domain finds them.

If the ISP’s DNS is configured in any of the internal AD members’ IP properties (client machines and DCs alike), those machines will be asking the ISP’s DNS “where is the domain controller for my domain?” whenever they need to perform a function such as a logon request, DC-to-DC replication, or querying and applying GPOs. The ISP’s DNS does not host your AD zone, so it answers with NXDOMAIN (“that name does not exist”), and the operation fails.

Using the ISP’s DNS, or the router, as a DNS address is analogous to asking the first passerby on the street, “Hey, where’s that case of beer that was in my refrigerator last night?” He’ll either have no answer, or he’ll tell you his friends took it, which is the wrong answer anyway.

The Client Side Resolver Service algorithm on all Windows 2000 and newer machines:

Mixing internal and external DNS, such as the DC as the first entry and the ISP’s DNS (or even your router’s IP address) as the second entry, causes the same failures. This is because of the way the client side resolver service works on every machine, DCs and clients alike. The following should help you understand the client side resolver algorithm when it attempts to resolve DNS names.

To summarize:

If a DNS query has already occurred and the client received a response, the response is cached in the local resolver cache for the TTL of the DNS record. You can run “ipconfig /displaydns” to show what’s in the cache and the remaining TTL of each record. Run the command repeatedly and you will see the TTL count down to 0, at which point the record disappears from the cache.

If there was no prior query, or the TTL has expired, and there are multiple DNS entries on a machine’s NIC (whether a DC, member server or client), the resolver asks the first entry first.

  • If the first server responds but does not have the zone data (such as when you use your ISP’s DNS or your router as a DNS address and expect it to work with AD), the reply is an NXDOMAIN (name error). That counts as a response, even though it is the wrong one, so the resolver accepts it and does NOT go on to the next DNS entry in the NIC’s list.
  • If the first server does not respond at all (a NULL response, such as when the DNS server is down or a firewall drops the query), the resolver goes to the second entry after a timeout period, which can last 15 seconds or more as it keeps retrying the first one. It then REMOVES the first entry from the eligible resolvers list and won’t go back to it for another 15 minutes. This also happens when a DC/DNS server is down or taken offline on purpose, such as for DC maintenance during production hours, and it can cause issues within AD when accessing a resource such as a printer or folder, or getting GPOs to apply. You can reset the eligible resolvers list by:
    • If using Windows 2008/Vista and newer, restarting the DNS Client service
    • If using Windows 2000, 2003 or XP, restarting the DHCP Client service
    • Setting the ServerPriorityTimeLimit registry value (REG_DWORD, under HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters) to 0, which resets the list after each query (see KB 320760, linked below)
    • Running ipconfig /flushdns
    • Restarting the machine.

If the ISP’s DNS is the first entry in the NIC’s list, the DC locator query for the domain’s SRV records goes to the ISP’s server when a client tries to log on. The ISP’s server replies NXDOMAIN, which per the rule above is accepted as an answer, so the internal DNS is never asked and the client cannot locate a domain controller.

If instead the external entry does not answer at all (for example, a firewall drops the outbound DNS queries), the client sits through the full timeout before moving on to the internal DNS. This shows up as a significantly long logon, and the first entry is then knocked out for 15 minutes. From that point the client queries the internal DNS, so when the user decides to go to an Internet site, the internal DNS handles that too: as long as it is configured with forwarders to an outside DNS server, or uses its root hints, the name will resolve.

Specifics on the resolver process:

Understanding the DNS Client Service and how Name Resolution works
http://networkadminkb.com/KB/a118/understanding-dns-client-service-how-name-resolution-works.aspx

Don’t Use your ISP’s DNS or your Router as a DNS Address on any Machine

So why even bother with an ISP entry in the client at all? This is also a good reason to use ONLY the internal DNS servers in the VPN’s DHCP scope for VPN clients. Keep in mind that a client outside the network will be configured with the ISP’s DNS anyway; that is fine, since otherwise it could not find the VPN server on the Internet. But once the VPN authenticates and connects, the VPN interface becomes first in the binding order, and at that point you WANT only the internal DNS servers on that interface.

DNS Client side resolver service
http://technet.microsoft.com/en-us/library/cc779517.aspx

The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP (applies to Vista and newer, too)
http://support.microsoft.com/kb/320760

Therefore, the ISP’s DNS, any other external DNS server, or the router as a DNS address should not be used on any internal AD client or any other machine that is part of the AD infrastructure and must find a domain controller in order to function.

Ipconfig examples:

  • BAD EXAMPLE

In this BAD example, there is a mixture of internal and external DNS servers. On top of that, there are just too many DNS servers: with the client side resolver timeouts, the resolver will rarely get beyond the third entry.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
   DNS Servers . . . . . . . . . . . : 10.10.100.20
                                       208.67.222.222
                                       208.248.240.23
                                       4.2.2.2
                                       4.3.4.4
                                       10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled

  • GOOD EXAMPLE – Only the internal DNS servers are specified.

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Computer1
   Primary Dns Suffix  . . . . . . . : contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6250 AGN
   Physical Address. . . . . . . . . : 64-80-98-11-5C-24
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::81ba:f421:cced:8826%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.100.58(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, March 24, 2014 10:07:18 AM
   Lease Expires . . . . . . . . . . : Saturday, April 05, 2014 10:45:58 PM
   Default Gateway . . . . . . . . . : 10.10.100.1
   DHCP Server . . . . . . . . . . . : 10.10.100.20
   DHCPv6 IAID . . . . . . . . . . . : 308576409
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-E1-F4-6D-04-11-22-67-01-15-21
   DNS Servers . . . . . . . . . . . : 10.10.100.20
                                       10.10.100.30
   NetBIOS over Tcpip. . . . . . . . : Enabled
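The following PowerShell script is an added example, not part of the original post, that audits a machine’s DNS client configuration the way the resolver algorithm above suggests: it lists each IPv4 interface’s DNS servers, flags anything outside an approved internal set, and asks each server directly for the domain’s DC locator SRV record so you can see which ones answer, which reply NXDOMAIN (a response the resolver accepts and stops at), and which time out (the case that triggers the 15-minute demotion). The domain contoso.com and the approved servers 10.10.100.20 and 10.10.100.30 are taken from the ipconfig examples; the matching on Resolve-DnsName error text is an assumption about the wording of the Windows error messages.

```powershell
# Added example, not from the original post. Requires the DnsClient module
# (Windows 8 / Server 2012 and newer). Run on the member machine being audited.
# Assumptions: domain is contoso.com; only 10.10.100.20 and 10.10.100.30 are
# approved DNS servers (values from the ipconfig examples above).

$Domain   = 'contoso.com'
$Approved = @('10.10.100.20', '10.10.100.30')
$SrvName  = "_ldap._tcp.dc._msdcs.$Domain"   # DC locator record every AD member needs

# Query one server directly (bypassing the local cache and the other servers)
# and classify the outcome the way the client side resolver treats it.
function Test-DcLocator {
    param([string]$Server)
    try {
        $rec = Resolve-DnsName -Name $SrvName -Type SRV -Server $Server -DnsOnly -ErrorAction Stop
        $dcs = ($rec | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }) -join ', '
        return "ANSWER ($dcs)"
    } catch {
        $msg = $_.Exception.Message
        # Assumption: English Windows error text for RCODE 3 and for no reply.
        if ($msg -match 'does not exist')    { return 'NXDOMAIN - resolver accepts this and will NOT try the next server' }
        if ($msg -match 'timeout|timed out') { return 'TIMEOUT - resolver moves on and demotes this server for 15 minutes' }
        return "ERROR ($msg)"
    }
}

foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }) {
    "`n== $($nic.InterfaceAlias) (ifIndex $($nic.InterfaceIndex)) =="
    if ($nic.ServerAddresses.Count -gt 3) {
        "  WARNING: $($nic.ServerAddresses.Count) servers listed; the resolver rarely gets past the third"
    }
    $pos = 0
    foreach ($srv in $nic.ServerAddresses) {
        $pos++
        $tag = if ($Approved -contains $srv) { 'internal' } else { 'EXTERNAL - remove' }
        "  [$pos] $srv  $tag  -> $(Test-DcLocator -Server $srv)"
    }
}

# Remediation, run deliberately against the interface the audit flagged:
# Set-DnsClientServerAddress -InterfaceIndex <ifIndex> -ServerAddresses $Approved
```

Resolve-DnsName has its own retry and timeout behaviour, so the script classifies what each server does, not the exact number of seconds the DNS Client service will wait. Use it to find the external entries, then remove them with the commented Set-DnsClientServerAddress line, or better, fix the DHCP scope option that handed them out so they do not come back at the next lease renewal.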

Configure a Forwarder Using your ISP’s DNS

That’s your best bet, and it’s easy.

  • Open the DNS console
  • Right-click the DNS server name
  • Choose Properties
  • Click the Forwarders tab.
  • Enter the ISP’s DNS address(es) in the Forwarders list.

Also keep in mind that if you have more than two or three Forwarders, the third one will probably never get checked. The DNS server tries the forwarders in order and waits for its per-forwarder timeout on each one before moving to the next, while the client side resolver is *waiting* for a response and gives up on the query before the server works through a long list.
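As an added example (not from the original post), here is the same forwarder setup done from PowerShell on the DC/DNS server with the DnsServer module (Server 2012 and newer), followed by a check that Internet names resolve through the internal server so that clients never need an external entry of their own. The addresses 203.0.113.53 and 203.0.113.54 are documentation addresses standing in for the ISP’s resolvers; replace them with the real ones.

```powershell
# Added example, not from the original post. Configures the DNS Server role's
# forwarders (DnsServer module, Server 2012 and newer) and verifies that
# Internet names resolve THROUGH the internal server. Run on the DC/DNS server.
# Assumption: 203.0.113.53 and 203.0.113.54 stand in for the ISP's resolvers.

$IspForwarders = @('203.0.113.53', '203.0.113.54')

# Current state: IPAddress list, per-forwarder Timeout (seconds) and UseRootHint.
Get-DnsServerForwarder

# Replace the list: keep it to two entries, 3 seconds each, and fall back to
# root hints only if every forwarder fails. A long list just stacks timeouts
# that the client side resolver will not wait for.
Set-DnsServerForwarder -IPAddress $IspForwarders -Timeout 3 -UseRootHint $true

# Verification, asked of the local server directly (bypassing the client cache):
#  - an Internet name, which the server should resolve via the forwarders
#  - the domain's DC locator SRV record, answered from the AD-integrated zone
$Domain = $env:USERDNSDOMAIN
Resolve-DnsName -Name 'www.microsoft.com' -Server 127.0.0.1 -DnsOnly |
    Select-Object Name, Type, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server 127.0.0.1 -DnsOnly |
    Select-Object Name, NameTarget, Port
```

Set-DnsServerForwarder replaces the whole list, which is the point: if someone has added a fourth and fifth forwarder over the years, this trims it back. If the SRV query in the verification step fails while the Internet name succeeds, the server is forwarding fine but the AD zone itself is the problem, which is a different troubleshooting path.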

Router’s IP as a DNS Service

Don’t do it! Your router is NOT a DNS server. If you use it, the router simply proxies the query out its outside interface to whatever it is using, which is more than likely the ISP’s DNS, with the same NXDOMAIN result for your AD names. Remove it from every machine’s DNS server list.

Summary

I hope that helps understand why not to use an ISP’s DNS in your internal network.

Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

This posting is provided AS-IS with no warranties or guarantees and confers no rights.


Should I Disable IPv6? No…

12/11/2014 – Ace here again. I’ve revamped this blog to bring it up to date, but you know what, there was nothing really to change, because guess what? It’s not recommended to disable IPv6. Period.

I hope you find this helpful.

Preface

This topic has been discussed numerous times. Previously in this article I wrote:

There are known issues regarding IPv6 affecting communications in certain scenarios, such as errors when using Outlook Anywhere with Exchange 2007 running on Windows 2008 when there is a DC NSPI (port 6004) communication issue.

Read the link in the “Related Links” section below for more information on this issue. Therefore, to eliminate IPv6 as a factor in communications issues, it is recommended to disable IPv6 in the registry on the Exchange server, as well as on the domain controllers, or any server for that matter, especially if there are no plans to use IPv6. For the same reasons, it is also recommended to disable the RSS and TCP Chimney Offload features on the same servers.

IPv6 provides a robust means of IP addressing that carries additional information in the IP address. However, if the current network does not have the necessary supporting hardware, such as a router, or if IPv6 is not currently in use, some say it’s additional overhead on the machine, which many have claimed, including myself in the past, as a reason to recommend disabling it. There is also an incompatibility between IPv6 and UNC paths, such as mapping a drive using an IPv6 address, but I don’t think that’s relevant to the context of this article.

However, things have changed

The only time to disable IPv6 is in the above scenario, Exchange 2007 on Windows 2008. At no other time should you disable IPv6. It must be kept enabled, or it will break many features in Windows. Read the next section…

Should I Disable IPv6? Nope

When I originally wrote this article, my original recommendations to disable IPv6 were based on a problem I found back in 2008 with an Exchange 2007 installation on Windows 2008 and DSAccess communications to a Windows 2008 DC/GC. I couldn’t figure out what was causing it. I finally called Microsoft PSS. After some digging around, the support engineer recommended disabling IPv6, which he said was causing the issue. It actually fixed the communications problem. He referenced an article explaining the issue:

The installation of the Exchange Server 2007 Hub Transport role may be unsuccessful on a Windows Server 2008-based computer
http://support.microsoft.com/?kbid=952842

However, that article has been retired and is no longer available. Microsoft now recommends keeping IPv6 enabled. You can read more about it in the following article, which I highly suggest reading:

The Cable Guy – Support for IPv6 in Windows Server 2008 R2 and Windows 7, by Joseph Davies, Microsoft, Inc.
http://technet.microsoft.com/en-us/magazine/2009.07.cableguy.aspx

Basically, Joseph Davies in the above article, said (quoted directly from the article):

The Argument against Disabling IPv6

It is unfortunate that some organizations disable IPv6 on their computers running Windows Vista or Windows Server 2008, where it is installed and enabled by default. Many disable IPv6-based on the assumption that they are not running any applications or services that use it. Others might disable it because of a misperception that having both IPv4 and IPv6 enabled effectively doubles their DNS and Web traffic. This is not true.

From Microsoft’s perspective, IPv6 is a mandatory part of the Windows operating system and it is enabled and included in standard Windows service and application testing during the operating system development process. Because Windows was designed specifically with IPv6 present, Microsoft does not perform any testing to determine the effects of disabling IPv6. If IPv6 is disabled on Windows Vista, Windows Server 2008, or later versions, some components will not function. Moreover, applications that you might not think are using IPv6—such as Remote Assistance, HomeGroup, DirectAccess, and Windows Mail—could be.

Therefore, Microsoft recommends that you leave IPv6 enabled, even if you do not have an IPv6-enabled network, either native or tunneled. By leaving IPv6 enabled, you do not disable IPv6-only applications and services (for example, HomeGroup in Windows 7 and DirectAccess in Windows 7 and Windows Server 2008 R2 are IPv6-only) and your hosts can take advantage of IPv6-enhanced connectivity.


Ipconfig /all shows IPv6 “::1” Loopback address as the First DNS Entry

In some cases, you may see side effects from IPv6 being the preferred protocol. When you run ipconfig /all, you may find the IPv6 loopback address “::1” listed as a DNS server; this is commonly seen on a Windows 2008 R2 domain controller that also runs the DNS Server role. Because it sits at the top of the DNS server list, some say it slows down resolution, since the resolver tries the IPv6 address before it falls back to the IPv4 address.

Who cares. Leave it alone. What harm is it doing? Just because it doesn’t look right?

Well, if you really want to remove the ::1, you can, although to me it’s really a cosmetic thing when running nslookup. If it will make you feel warm and fuzzy not to see it, and to see the IPv4 address instead, you can remove it using the following steps.


You can delete the “::1” IPv6 loopback DNS entry with the following method.

Run ipconfig /all and note the interface name. In the example below, the interface is “Local Area Connection”:

netsh interface ipv6 delete dnsserver "Local Area Connection" ::1

You can add it back, if you like:

netsh interface ipv6 add dnsserver "Local Area Connection" ::1


For more info on the netsh command reference for Windows 2008 & 2008 R2, see the following. For command info on IPv6, click on “Netsh Command for Interface IPv4 and IPv6,” then click on ” Netsh commands for Interface IPv6.” :

Netsh Command Reference
(Comprehensive Command Reference) – Updated: July 2, 2009 – Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
http://technet.microsoft.com/en-us/library/cc754516(WS.10).aspx


Originally, I illustrated in this blog doing it in the following fashion from a previous post (provided below); however, this appears not to work for some. I suggest running the method above.

You can stop it from showing up on that specific interface. One way is to find the IDX# of the interface by running:

netsh interface ipv6 show interfaces

Once you’ve identified the IDX# for that interface, delete the entry on that interface by running:

netsh interface ipv6 delete dnsserver name="IDX#" address=::1

You’ll find resolution is quicker, and you won’t get that familiar nslookup initialization error message saying it “can’t find server…”

Originally posted in:

Windows 2008 R2 with AD integrated DNS
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/29b204fd-fabc-4715-9891-95eb86bd1d32/?prof=required


Windows 2008 R2, and Windows 7 will use IPv6 as the first preferred protocol.

In my opinion, if you just leave things as default, things will work fine.

However, for whatever reason you want to alter these settings, whether real or imagined, that is your choice.

That disclaimer out of the way, if you still need to force the TCP stack to use IPv4 first instead of IPv6, you can do so in the registry. The following procedure in this section was quoted from the following Microsoft KB article:

How to disable IP version 6 (IPv6) or its specific components in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008
http://support.microsoft.com/kb/929852


To force the system to use IPv4 first, before IPv6

The value you are looking for is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents. If it doesn’t exist, you have to create it.

Or, if you do not want to do this manual procedure, you can use the Microsoft “Fix it” script to do it for you. The scripts are in the KB929852 article above.

  1. In Registry Editor, locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
  2. Double-click DisabledComponents to modify the DisabledComponents entry.
    Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:
    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.
  4. Restart the computer for the change to take effect.


Again, do not disable IPv6

However, if you still need to disable IPv6, the following steps show how to disable IPv6 on Windows 2008 (non-SBS 2008), Vista or Windows 7.

Note: You can now use the Microsoft “Mr Fix It” script to automatically disable it, see:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
http://support.microsoft.com/kb/929852

You can also do it manually: The following steps are from:

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
http://support.microsoft.com/kb/929852

The installation of the Exchange Server 2007 Hub Transport role is unsuccessful on a Windows Server 2008-based computer
(This article is no longer available. It originally recommended disabling IPv6 to overcome DSAccess NSPI-to-GC communication issues with Exchange 2007 installed on Windows 2008 (not 2008 R2).)
http://support.microsoft.com/?id=952842

Paul Bergson also has a good article on disabling IPv6:
Disabling IPv6 on Windows 2008 or Vista
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

  1. Uncheck IPv6 in the NIC properties.
  2. Uncheck the two Link-Layer Topology Discovery components.
  3. Then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
    • In the details pane, click New, and then click DWORD (32-bit) Value.
    • Type DisabledComponents, and then press ENTER.
    • Double-click DisabledComponents.
    • Type ffffffff with Hexadecimal selected.
    • It should look like this if you’ve entered it correctly:
      • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
      • "DisabledComponents"=dword:ffffffff
  4. Restart the computer for the change to take effect.

Or, more specifically, here is the complete list of values this entry supports:

In Registry Editor, locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters

  1. Double-click DisabledComponents to modify the DisabledComponents entry.

    Note If the DisabledComponents entry is unavailable, you must create it. To do this, follow these steps:

    1. In the Edit menu, point to New, and then click DWORD (32-bit) Value.
    2. Type DisabledComponents, and then press ENTER.
    3. Double-click DisabledComponents.
  2. Type any one of the following values in the Value data field to configure the IPv6 protocol to the desired state, click OK, and then restart the computer:
    1. Type 0 to enable all IPv6 components. (Windows default setting)
    2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface.
    3. Type 0x20 to prefer IPv4 over IPv6 by modifying entries in the prefix policy table.
    4. Type 0x10 to disable IPv6 on all nontunnel interfaces (on both LAN and Point-to-Point Protocol [PPP] interfaces).
    5. Type 0x01 to disable IPv6 on all tunnel interfaces. These include Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 6to4, and Teredo.
    6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.
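Both registry procedures above (setting 0x20 to prefer IPv4, and the full value list) come down to one DWORD, so it is worth being able to read it back and see which bits are actually set before touching it. The following PowerShell is an added example, not from the original post or from KB 929852: it decodes DisabledComponents using the bit meanings listed above and can OR in 0x20 without clearing anything else. It assumes an elevated prompt on Vista/2008 or newer, and that a reboot follows any change.

```powershell
# Added example, not from the original post. Reads DisabledComponents, decodes
# the bits using the value list above (KB 929852), and can set 0x20 (prefer
# IPv4) while leaving IPv6 enabled. Run from an elevated PowerShell prompt;
# the change takes effect after a reboot. Windows Vista/2008 and newer.

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Name = 'DisabledComponents'

# Bit meanings from the list above. 0xffffffff sets every bit (all components off).
$Bits = @{
    0x01 = 'IPv6 disabled on all tunnel interfaces (ISATAP, 6to4, Teredo)'
    0x10 = 'IPv6 disabled on all non-tunnel interfaces (LAN and PPP)'
    0x20 = 'IPv4 preferred over IPv6 (prefix policy table modified)'
}

function Get-DisabledComponents {
    $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return [uint32]0 }   # value absent = 0 = Windows default
    # Registry DWORDs come back as Int32, so 0xffffffff reads as -1; mask it back.
    return [uint32]($p.$Name -band 0xFFFFFFFF)
}

function Show-DisabledComponents {
    $v = Get-DisabledComponents
    '{0} = 0x{1:x8}' -f $Name, $v
    if ($v -eq 0)          { '  all IPv6 components enabled (Windows default)'; return }
    if ($v -eq 0xFFFFFFFF) { '  ALL IPv6 components disabled except loopback - not recommended'; return }
    foreach ($b in ($Bits.Keys | Sort-Object)) {
        if ($v -band $b) { '  bit 0x{0:x2}: {1}' -f $b, $Bits[$b] }
    }
}

function Set-PreferIPv4 {
    # OR in bit 0x20 only; keep any bits already present rather than overwriting.
    $v = (Get-DisabledComponents) -bor 0x20
    # New-ItemProperty writes a DWORD from an Int32, so reinterpret the bits as signed.
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$v), 0)
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value $signed -Force | Out-Null
    'Set {0} to 0x{1:x8}; reboot to apply' -f $Name, $v
}

Show-DisabledComponents
# Set-PreferIPv4    # uncomment to apply; verify afterwards with Show-DisabledComponents
```

Running Show-DisabledComponents first is the useful part: on a server someone “fixed” years ago you will often find 0xffffffff still in place, which is the setting the rest of this post tells you to undo (set it to 0 and reboot), not something to OR more bits into.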


Disabling IPv6 on SBS 2008 & 2011

Don’t do it. But if you must, to disable IPv6 on SBS 2008 is slightly different.

Read the reasons why, and the instructions in the following link, but as noted above, it’s no longer recommended to disable IPv6.

Issues After Disabling IPv6 on Your NIC on SBS 2008
http://blogs.technet.com/sbs/archive/2008/10/24/issues-after-disabling-ipv6-on-your-nic-on-sbs-2008.aspx


Related Links

TCP Chimney and RSS Features May Cause Slow File Transfers or Cause Connectivity Problems:
http://msmvps.com/blogs/acefekay/archive/2009/08/20/tcp-chimney-and-rss-features-may-cause-slow-file-transfers-or-cause-connectivity-problems.aspx


==================================================================

Summary

I hope this helps!

Original Publication Date: 11/1/2011
Updated 12/11/2014

Ace Fekay