DNS Resolver Cache and old man "Host"

    Question

  • OK, so I've looked and looked and cannot find a definitive answer, so I turn to you, my enlightened friends.

    Does a fully updated Windows 7, 2008, Vista, XP SP3 or 2000 desktop still read the /system32/drivers/etc/hosts file? Or does the DNS Client service now ignore it completely? (I believe this would be an attempt to stop DNS cache poisoning!?)

    I have added a new entry to the hosts file. It is there, I can "type" it (remember that command?) and see it listed. I do a /flushdns and a /displaydns, then ping it with noresolve.

    I disable the DNS Client service and can ping away to my heart's delight, more responses than offering free chocolate. Start the DNS Client service again and cannot ping it.

    So, can someone please confirm if this is an MS Update "fix" and if so, where is that stated on the MS site? Or is this not by design, and should I be picking up my hot-line to Bill and getting his boys to look at it?

    Wednesday, August 11, 2010 1:05 PM

Answers

  • Does the record appear in the list after you enter /flushdns and /displaydns?

    We should note that with the DNS Client service running, programs will not read the hosts file directly. The entries in the hosts file are loaded into the DNS cache by the DNS Client service, and programs look in the DNS cache as the first step in name resolution. With the DNS Client service running, the hosts file is read and parsed only a few times: once at service startup, and thereafter whenever the DNS Client service notices that it has been modified.

    When the DNS Client service is disabled, the hosts file will be read and parsed by programs as they make a DNS lookup.

    Therefore you may check if there are any permission issues when the DNS Client service tries to read the Hosts file. You may enable object auditing for the Hosts file.

    1. Click Start, enter GPedit.msc in the Start Search box.
    2. Open the following branch.

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Security

    3. Enable the following policies:

    Audit account logon events
    Audit object access

    4. Open Windows Explorer, open the folder C:\Windows\System32\Drivers\etc.
    5. Right click the Hosts file, choose Properties->Security. Click the Advanced button.
    6. Click the Auditing tab. Click Continue.
    7. Click Add. Then click Advanced.
    8. Click the button Find Now.
    9. Wait for the process to finish. Then from the users list add the following users.

    ANONYMOUS LOGON
    BATCH
    CREATOR OWNER
    Everyone
    Guests
    LOCAL SERVICE
    NETWORK
    NETWORK SERVICE
    SERVICE
    SYSTEM

    10. After selecting each user, choose “Full Control” as the auditing entries.

    If you would like to check which account was trying to remove items in the folder, please open Event Viewer and check the Windows Logs\Security log for detailed information.

    If there are any clues, please let us know.

    Additionally we should also notice the size of the Hosts file and DNS cache. If the Hosts file is very large, I suspect that there may be problems when DNS client service tries to load the entries into DNS cache. How does it work if you reduce the size of the Hosts file?

    You may consider changing the size of the DNS cache and checking the result.

    Increase DNS cache size 

    Friday, September 03, 2010 9:38 AM
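    The audit procedure in this answer (steps 1 to 10) and the Security-log check, scripted as an added PowerShell example that is not part of Arthur's reply or of any Microsoft documentation. It assumes the auditpol subcategory is named "File System" and that a failure-audit entry for Everyone stands in for the ten principals listed above; run it from an elevated prompt.

```powershell
# Added example (not from the thread): scripts the hosts-file audit procedure
# above and reads back the resulting 4656 audit-failure records.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Step 3: enable failure auditing for object access (file-system subcategory).
auditpol /set /subcategory:"File System" /failure:enable | Out-Null

# Steps 4-10: put a failure-audit SACL entry on the hosts file. -Audit makes
# Get-Acl return the SACL; writing it back needs SeSecurityPrivilege (admin).
$acl  = Get-Acl -Path $hosts -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', 'Read', 'Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $hosts -AclObject $acl

# Reproduce: restart the DNS Client service so it re-reads the hosts file.
Restart-Service -Name Dnscache
Start-Sleep -Seconds 2

# Read back 4656 audit failures whose object is the hosts file, pulling the
# fields out of the event XML (the same fields shown in the log excerpt that
# appears later in the thread).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($d.ObjectName -eq $hosts -and $_.KeywordsDisplayNames -contains 'Audit Failure') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName) ($($d.SubjectUserSid))"
                Process    = $d.ProcessName
                AccessMask = $d.AccessMask   # 0x120089 = Read rights plus SYNCHRONIZE
            }
        }
    } | Format-Table -AutoSize
```

    A row whose Subject is S-1-5-20 (NETWORK SERVICE) and whose Process is svchost.exe is the DNS Client service being refused the read, which is the permission problem this answer asks you to look for.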

All replies

  • The host file is used before using the DNS server resolution. It is the first step of resolution in the DNS resolution procedure.

    The DNS client service provides caching of DNS queries resolved. So, even if it is not running you continue to resolve DNS names but without caching. If you are unable to ping if it is started, this should be a caching problem. Use the nslookup and check the result of the DNS resolutions.

    Wednesday, August 11, 2010 1:27 PM
  • DNS resolution should be localname, hosts file, DNS, NetBIOS (always was) but that isn't true anymore. It's localname, DNS cache, DNS, NetBIOS. Or it seems to be on our WinXP SP2, SP3, Vista, and Server 2003 and 2008 machines. As I said, if I disable the DNS Client service then the hosts file comes back into play and resolution to names within it works again.

    According to various sources, the DNS cache or Resolver loads the Host file on startup and then caches any queries made in a memory-based table. This is obviously cleared on reboot.

    BUT, this is not the case. We have 20 odd entries in our hosts file and none show in the ipconfig /displayDNS nor can they be resolved. Nslookup queries the DNS servers specified in your IP config to see if they know the address and does not query the machine locally, so it is kind of redundant in this case.

    Wednesday, August 11, 2010 3:41 PM
  • This is the process of name resolution:

    DNS name cache > Hosts File > DNS system > NetBIOS name cache > WINS service > Broadcast > LmHosts file

    This was taken from the Microsoft Official Course 2182A Module 4.

    Wednesday, August 11, 2010 4:04 PM
  • OK, I'll look into that. Still, the issue is that 6 different machines are not reading their host file. Permissions are there OK and there is no corruption otherwise the issue would still be there when DNS Client service is disabled.

    So, why would DNS Client service ignore and then block the host file? Really confused. 

    PS thanks for the help so far. Apologies if I sound a little short, just this thing is p....annoying me. :)

    Wednesday, August 11, 2010 4:28 PM
  • The most common solution is to ensure the following registry value is correct, as it may be altered by some software.

    Key: HKLM\system\currentcontrolset\services\tcpip\Parameters
    Value: DataBasePath
    Type: REG_EXPAND_SZ
    Data: %SystemRoot%\system32\drivers\etc
    Wednesday, August 11, 2010 4:35 PM
  • Apologies for unmarking your answers, but they were not answers. I have checked the reg key and it's fine. The course module you mention (if it is correct) does not follow in any of the tests we run on up to 3000 machines in our domain. It also contradicts MS's own TechNet articles (http://support.microsoft.com/kb/172218/en-gb).

    MS released an update recently to stop DNS poisoning. I believe (Yet to be confirmed) that this stops windows DNS Client Service from loading the DNS cache from the host file as that is too easy for an attacker to amend.

    Unfortunately this change throws all MS training out of the window and makes targeted DNS changes for system administrators incredibly difficult.

    Wednesday, September 01, 2010 8:22 AM
  • Hi,

    The hosts file is the first thing the DNS client queries. On our test computers it works as it should. We can ping a host name if we add it into the hosts file.

    Please let us know more information. You may check the entry in your hosts files. Please open the files hosts and lmhosts from C:\Windows\System32\drivers\etc. Did you configure the hosts file or the LMhosts file? Did you use an FQDN or just a NetBIOS name in the hosts file and ping command? Did you configure the DNS suffix search list on the DNS server? Is the computer or site you added in the hosts file in your domain or an Internet website? Are you using any proxy server and client such as ISA?

    Additionally, do you configure policies in “Configuration\Policies\Windows Settings\Name Resolution Policy”?

    Arthur Xie
    TechNet Subscriber Support in forum  
    Thursday, September 02, 2010 7:18 AM
  • The entry was placed in the hosts file, entered as [NetBios FQDN IP], then [NetBios IP]; the ping command was run as NetBios then FQDN, and both failed. The system is on an internal domain (trying to establish an alias for targeted machines) with no firewalls/ISAs in between the test machines and the target server.

    DNS is set by DHCP or static as 1) local site PDC then 2) nearest site PDC, and the DNS suffix search list is set to the current domain, then the old domain (we are at the end of migrating domains).

    No Name Resolution Policy settings within GPOs

    This is what gets me, if I stop the DNS Resolver client on the test PCs then I can ping the entries in the hosts file with no issue. As soon as I start the service I can no longer ping it. This is happening on a group of PCs some DHCP, some static on different subnets in different sites and a mix of XP SP3, Windows 7 and Windows Server 2008 R2.

    Thanks for your help (and patience!) so far.

    Thursday, September 02, 2010 8:15 AM
  • well, well, well! You sir are a genius.

    Entry in Sec log:-

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          07/09/2010 09:05:16
    Event ID:      4656
    Task Category: File System
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xxxx
    Description:
    A handle to an object was requested.

    Subject:
     Security ID:  NETWORK SERVICE
     Account Name:  xxxx
     Account Domain:  xxxxxx

    Logon ID:  0x3e4

    Object:
     Object Server:  Security
     Object Type:  File
     Object Name:  C:\Windows\System32\drivers\etc\hosts
     Handle ID:  0x0

    Process Information:
     Process ID:  0x308
     Process Name:  C:\Windows\System32\svchost.exe

    Access Request Information:
     Transaction ID:  {00000000-0000-0000-0000-000000000000}
     Accesses:  READ_CONTROL
        SYNCHRONIZE
        ReadData (or ListDirectory)
        ReadEA
        ReadAttributes
        
     Access Reasons:  READ_CONTROL: Not granted
        SYNCHRONIZE: Not granted
        ReadData (or ListDirectory): Not granted
        ReadEA: Not granted
        ReadAttributes: Not granted
        
     Access Mask:  0x120089
     Privileges Used for Access Check: -
     Restricted SID Count: 0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4656</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12800</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2010-09-07T08:05:16.960691600Z" />
        <EventRecordID>78636</EventRecordID>
        <Correlation />
        <Execution ProcessID="568" ThreadID="584" />
        <Channel>Security</Channel>
        <Computer>COMPUTER.DOMAIN</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-20</Data>
        <Data Name="SubjectUserName">COMPUTER$</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="SubjectLogonId">0x3e4</Data>
        <Data Name="ObjectServer">Security</Data>
        <Data Name="ObjectType">File</Data>
        <Data Name="ObjectName">C:\Windows\System32\drivers\etc\hosts</Data>
        <Data Name="HandleId">0x0</Data>
        <Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
        <Data Name="AccessList">%%1538
        %%1541
        %%4416
        %%4419
        %%4423
        </Data>
        <Data Name="AccessReason">%%1538: %%1805
        %%1541: %%1805
        %%4416: %%1805
        %%4419: %%1805
        %%4423: %%1805
        </Data>
        <Data Name="AccessMask">0x120089</Data>
        <Data Name="PrivilegeList">-</Data>
        <Data Name="RestrictedSidCount">0</Data>
        <Data Name="ProcessId">0x308</Data>
        <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
      </EventData>
    </Event>

    So the next question is this: how do I resolve this correctly? Do I just give Network Service read access to the hosts file?

    Again, thanks for your help so far. It's nice to feel like progress is being made at last.

    Tuesday, September 07, 2010 8:10 AM
  • Forget it, answered my own question. Network Service read rights to the hosts file solves the issue. Thanks so much Arthur!
    Tuesday, September 07, 2010 8:28 AM
  • I encountered this issue within the last several weeks and fortunately found this article after quite a bit of troubleshooting.  My specific situation was a Windows 7 x64 Enterprise client in a Windows 2008 R2 Active Directory environment.  If the DNS Client service was running, I could resolve host IPs with direct nslookup, but any service or application (for example the vSphere client) attempting to resolve names failed.  As soon as I stopped the DNS Client service (dnscache), application name resolution would be successful.  Applying read permissions for NT AUTHORITY\NETWORK SERVICE did fix the problem, but I now would like to understand:

    1) What are the default ACEs for the hosts file - on my system and many servers in my environment, the output of CACLS looks like this:

    cacls c:\windows\system32\drivers\etc\hosts
    c:\windows\system32\drivers\etc\hosts NT AUTHORITY\SYSTEM:(ID)F
                                          BUILTIN\Administrators:(ID)F
                                          BUILTIN\Users:(ID)R

    while the CACLS output for the containing folder looks like:

    cacls c:\windows\system32\drivers\etc
    c:\windows\system32\drivers\etc NT SERVICE\TrustedInstaller:F
                                    NT SERVICE\TrustedInstaller:(CI)(IO)F
                                    NT AUTHORITY\SYSTEM:C
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
                                    BUILTIN\Administrators:C
                                    BUILTIN\Administrators:(OI)(CI)(IO)F
                                    BUILTIN\Users:R
                                    BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                                              GENERIC_READ
                                                              GENERIC_EXECUTE

                                    CREATOR OWNER:(OI)(CI)(IO)F

    Not aware of any policies in the environment or imaging components / scripts that would have stripped / changed permissions on the hosts file.  Anyone have further information on this (default permissions for HOSTS on Windows 7 / 2008)?

    Regards,

    Levi

    Monday, April 02, 2012 6:36 PM
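    An added PowerShell example, not from Levi's post or anyone else in the thread, for the question just asked together with the earlier resolution (granting Network Service read rights to the hosts file): it lists the hosts-file ACEs the way the cacls output does, checks whether NETWORK SERVICE actually receives Read, and only if it does not stages that fix. It assumes NETWORK SERVICE's token carries BUILTIN\Users, Everyone and Authenticated Users, so an Allow ACE for any of those counts.

```powershell
# Added example (not from the thread): is NETWORK SERVICE able to read the
# hosts file through the current ACL, and if not, apply the thread's fix.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$acl   = Get-Acl -Path $hosts
$read  = [int][System.Security.AccessControl.FileSystemRights]::Read   # 0x20089

# Same information as the cacls listing above, one ACE per row.
$acl.Access | Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# SIDs through which NETWORK SERVICE can receive Read (assumed token membership):
# NETWORK SERVICE itself, BUILTIN\Users, Everyone, Authenticated Users.
$tokenSids = 'S-1-5-20', 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11'
$allowed = $false
$denied  = $false
foreach ($ace in $acl.Access) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }                                   # unresolvable account: not one of ours
    if ($tokenSids -notcontains $sid) { continue }
    if (([int]$ace.FileSystemRights -band $read) -ne $read) { continue }   # ACE does not cover full Read
    if ($ace.AccessControlType -eq 'Deny') {
        $denied = $true
        Write-Warning "Deny ACE covering Read for $($ace.IdentityReference)"
    } else {
        $allowed = $true
    }
}

if ($allowed -and -not $denied) {
    "NETWORK SERVICE can read $hosts; the ACL is not the cause. Check the audit log and file size instead."
} else {
    "NETWORK SERVICE cannot read $hosts; granting Read to NT AUTHORITY\NETWORK SERVICE."
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $hosts -AclObject $acl -WhatIf    # remove -WhatIf to apply the change
    Restart-Service -Name Dnscache -WhatIf          # then restart the DNS Client so it re-reads the file
}
```

    With the default ACL Levi posted (BUILTIN\Users:(ID)R on the file) the check reports that NETWORK SERVICE can read the file, so a machine that still logs 4656 failures has either lost that inherited Users entry or carries a Deny ACE, which this script surfaces as a warning.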