DNS Query Question

    Question

  • We have a system that has some issues I would like some help with.  When we lose contact with our DNS server, which is on another network, EVERYTHING slows down.  I ran Wireshark on the interface of one of our clients while disconnected and found that it kept trying to query CRL sites but it would never time out.  We changed the DNS settings to include one address that was ping-able, but not running DNS Server services, and one fictitious IP address that would not be reachable and ran Wireshark again.  This time we found queries to both addresses.  The site which we could ping would reply instantly saying "Destination Unreachable".  The fictitious site would not reply at all (obviously) and the client would continue to query it.  It would wait for the time out and query it again.  Almost 100 times this would happen.  The program which would normally take 2-3 minutes to load was now taking 20-30 minutes to load.  I went into the HOSTS file on the client and added the CRL websites to a new pingable address and loaded the program again.  This time it was back to normal.  So let's say my DNS server is 10.10.10.10 and my client is on 100.100.100.100.  I set primary DNS to 10.10.10.10 and secondary DNS to 100.100.100.105.  The secondary DNS is not a DNS server, but a machine that is ping-able with the entries made in the HOSTS file.  So if my primary goes down, it will look to the secondary and get a "Destination Unreachable" response and carry on as usual.

    My question is twofold.  First, is this OK to do?  And second, what will happen when the primary comes back on-line?

    • Moved by Santosh BhandarkarMVP Friday, May 03, 2013 2:58 AM Moved from Server General forum to more appropriate one
    Thursday, May 02, 2013 7:31 PM

Answers

  • That's correct, the local computer will always check the HOSTS file first. I may have misread your question; I thought that the local computer was pointing to a different computer as its other DNS server, and in that case when the primary comes back online it will use that.

    If you are going to use local hosts then it will always use that file before querying DNS.


    8B17

    • Marked as answer by Gkrinsky Wednesday, May 15, 2013 12:30 PM
    Friday, May 03, 2013 2:01 PM
  • For pictures, you have to upload them to a photo sharing site, then open it there, copy it, and paste it here.

    As for the question, you're talking about the DNS client side resolver service. I do not recommend putting any non-DNS addresses on a client, since that will be taken into account in the resolver's algorithm. The algorithm checks the cache BEFORE the hosts file, but anything in the hosts file will get loaded into the client resolver's cache anyway.

    • Checks its own name.
    • Local hostname (DNS client side resolver) cache
    • HOSTS file
    • DNS (this is where the search suffix comes in play if a single name query)
    • NetBIOS name cache
    • WINS
    • Broadcast
    • LMHOSTS

    Read more on the whole process:

    This blog discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
    Client side resolution process chart.
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
    Client side resolution process chart
    Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx


    DNS Clients and Timeouts (Part 1 & Part 2)
    karammasri [MSFT] Dec 2011 6:18 AM
    http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
    http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx

    -

    What worries me is, "... When we lose contact with our DNS server, which is on another network. ..." That must be addressed. You can't obfuscate or band-aid the client side resolver process to overcome connectivity problems. If the resource is an absolute necessity, if I may suggest, fire up a DC with DNS on it locally instead of relying on unreliable WAN communications. This will ensure resolution for the CRL (or whatever it is) app/service, as well as AD client-DC communications.

    -


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Saturday, May 04, 2013 5:03 PM

All replies

  • I have not come across this sort of issue before, as in the norm your DNS is normally always accessible. In answer to your question, when the primary comes back online the next DNS query will point to it and get an answer; in fact, while it is offline it will try to contact this server first before trying the secondary.


    8B17

    Thursday, May 02, 2013 9:34 PM
  • It's actually a "blackhole".  The traffic is being dropped and not reporting back.  So the system does not know the DNS server is not there.  So if I am reading your answer correctly, if machine "A" is set to use 10.10.10.10 for Primary DNS (an actual DNS server) and 100.100.100.105 (random, ping-able address) and has entries in the HOSTS file that say website 1 is at 100.100.100.105, what is checked first?  DNS or local HOSTS?  I thought it was local HOSTS first, in which case it will come back with "Destination Unreachable" even if the actual DNS server is up.  If it fails with the HOSTS file, will it then check DNS or will it not try since it already got a destination unreachable message?
    • Edited by Gkrinsky Friday, May 03, 2013 1:36 PM
    Friday, May 03, 2013 1:36 PM
  • But will it check DNS if it gets a failure from the host file?
    Friday, May 03, 2013 2:18 PM
  • I want to upload a picture so you can see what I am talking about, but it won't let me.

    Friday, May 03, 2013 2:35 PM
  • We finally figured it out.  It was .NET that was sending out requests to CRL sites.  These programs we are using are supposed to be designed as a stand-alone, disconnected from the network, application.  But, since our DNS design is less than correct to begin with, we have the issue and no one else.  These programs are querying the CRL sites and, if DNS is functioning, the system receives a "Destination unreachable" return because DNS has no way to get off the network to find it.  This is normal.  But, since we do not have a local DNS, when the link to the network where our DNS is goes down, the system has nowhere to look and just drops the packets with no return.  Hence, the black hole.  There are a few ways to fix this.  First, insert the information into the HOSTS table that will always point to a computer on our network that we can ping.  This will allow that machine to send the "Destination unreachable" response.  Second, install DNS on our side of the network as a secondary DNS site and disable DNS replication, or at least set it for a time that does not conflict with operations.  Third, and this is the option we selected, edit the registry to prevent the computers from doing certificate checking.  We chose this option because, like I said, our network is not connected to the internet, which makes certificates unnecessary, and we have other reasons for not wanting DNS on our side of the network.

    Thank you for all the help; this issue had been going on for two years before I came here.  I only got handed the issue two weeks ago.

    Wednesday, May 15, 2013 12:29 PM
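The lookup order Ace describes (resolver cache, then HOSTS file, then the NIC's DNS list) and the black-hole behaviour Gkrinsky diagnoses in the final post can be put together in a small simulation that shows where the 20-30 minute delays come from. This is added example code, not from the thread, from Microsoft, or from any of the posters: the retry schedule (1 s, 1 s, 2 s, 4 s), the three server-behaviour labels, the helper `lookup_seconds` and the name `crl.example.invalid` are constructed assumptions, and nothing is sent on the network. The schedule mirrors the escalating waits Windows clients use but is not the exact OS values; the point it makes is independent of them.

```python
"""Simulated stub resolver: cache -> HOSTS file -> DNS server list with retries.

Constructed example for this thread. Nothing touches the network; timings are
modelled, not measured. The retry schedule is an assumption that mirrors the
escalating waits Windows clients use, not the exact OS values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# How an address in the NIC's DNS list reacts to a query (constructed labels).
ANSWERS = "answers"        # real DNS service: replies at once with a record or NXDOMAIN
REFUSES = "refuses"        # host up but no DNS service: ICMP port unreachable, instant failure
BLACKHOLE = "blackhole"    # packets silently dropped (WAN link down): client waits out every timeout


@dataclass
class Server:
    ip: str
    behaviour: str
    records: Dict[str, str] = field(default_factory=dict)  # name -> address, used only by ANSWERS


@dataclass
class StubResolver:
    servers: List[Server]                                  # preferred server first
    hosts: Dict[str, str] = field(default_factory=dict)    # parsed HOSTS file: name -> address
    timeouts: Tuple[float, ...] = (1.0, 1.0, 2.0, 4.0)     # assumed per-attempt waits (seconds)
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str) -> Tuple[Optional[str], float, List[str]]:
        """Return (address or None, simulated seconds spent, trace of steps taken)."""
        trace: List[str] = []
        if name in self.cache:
            trace.append("cache hit")
            return self.cache[name], 0.0, trace
        if name in self.hosts:
            # A HOSTS entry is answered locally and lands in the cache; no server is contacted.
            self.cache[name] = self.hosts[name]
            trace.append("HOSTS file hit")
            return self.hosts[name], 0.0, trace

        elapsed = 0.0
        alive = list(self.servers)          # servers not yet seen to refuse this query
        for attempt, wait in enumerate(self.timeouts):
            # First attempt goes to the preferred server only, later ones to every remaining server.
            targets = alive[:1] if attempt == 0 else list(alive)
            trace.append(f"attempt {attempt + 1}: query {[s.ip for s in targets]}")
            for s in targets:
                if s.behaviour == ANSWERS:
                    addr = s.records.get(name)
                    trace.append(f"{s.ip} replied {addr or 'NXDOMAIN'} at {elapsed:.1f}s")
                    if addr is not None:
                        self.cache[name] = addr
                    return addr, elapsed, trace       # a definite yes or no ends the lookup
                if s.behaviour == REFUSES:
                    trace.append(f"{s.ip} sent ICMP port unreachable")
                    alive.remove(s)
            if any(s.behaviour == BLACKHOLE for s in targets):
                elapsed += wait                       # silence: the resolver waits the full timeout
                trace.append(f"no reply, waited {wait:.1f}s")
            if not alive:
                trace.append("every server refused; giving up immediately")
                return None, elapsed, trace
        trace.append(f"retries exhausted after {elapsed:.1f}s")
        return None, elapsed, trace


def lookup_seconds(resolver: StubResolver, name: str) -> float:
    """Simulated seconds that one lookup of name costs on this resolver."""
    return resolver.resolve(name)[1]


CRL_HOST = "crl.example.invalid"   # constructed stand-in for the CRL site the .NET app contacts

if __name__ == "__main__":
    scenarios = {
        "DNS reachable, name unknown": StubResolver([Server("10.10.10.10", ANSWERS)]),
        "primary black-holed, secondary ping-able non-DNS": StubResolver(
            [Server("10.10.10.10", BLACKHOLE), Server("100.100.100.105", REFUSES)]),
        "primary black-holed, secondary fictitious": StubResolver(
            [Server("10.10.10.10", BLACKHOLE), Server("100.100.100.200", BLACKHOLE)]),
        "primary black-holed, HOSTS entry present": StubResolver(
            [Server("10.10.10.10", BLACKHOLE)], hosts={CRL_HOST: "100.100.100.105"}),
    }
    for label, resolver in scenarios.items():
        addr, secs, trace = resolver.resolve(CRL_HOST)
        print(f"{label}: {addr} after {secs:.1f}s")
        for step in trace:
            print("   ", step)
```

Running the four scenarios shows why the thread's conclusion holds: a reachable DNS server that answers NXDOMAIN costs nothing, a black-holed primary costs the whole retry schedule on every lookup no matter what the secondary does (an instant "port unreachable" from a ping-able non-DNS host only shortens things when every listed server refuses), and a HOSTS entry short-circuits the server list entirely, which is what made the application load normally again. Multiply the per-lookup cost by the number of CRL fetches the application attempts and the 2-3 minute to 20-30 minute jump is the expected result.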