Windows 2016 server DNS Client cache strange behaviour

  • Question

  • A user with software running on a Windows 2016 server noticed an unusual DNS resolution problem.

    When trying to ping a host by its FQDN, we would get an immediate 'host not found'. If we tried to ping it just by its hostname, we would get an IP address and the FQDN is returned as normal.

    The DNS server is running on Windows 2008. It has the appropriate A record for hostname. The client DNS machine has the DNS suffixes in TCP/IP properties for domain.com.

    When we look at IPCONFIG /DISPLAYDNS, I noticed the following:

        hostname
        ----------------------------------------
        Record Name . . . . . : hostname.domain.com
        Record Type . . . . . : 1
        Time To Live  . . . . : 2819
        Data Length . . . . . : 4
        Section . . . . . . . : Answer
        A (Host) Record . . . : 192.168.1.5

        hostname.domain.com
        ----------------------------------------
        Name does not exist.

    Has anyone seen anything like this before? The entry eventually times out of the local cache and name resolution works the way we expect.

    Thanks in advance.

    Wednesday, July 8, 2020 2:10 AM
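The `ipconfig /displaydns` output above is keyed by the name as it was queried, so `hostname` and `hostname.domain.com` are two separate cache entries, and the short-name entry can still hold a positive A record while the FQDN entry holds a negative answer. The PowerShell below is an added example, not part of the original post: it parses `ipconfig /displaydns` text and lists exactly that combination. The sample text is constructed from the output shown in the question; the function names are this example's own.

```powershell
# Added example: parse `ipconfig /displaydns` output and report FQDNs that are
# negatively cached while another entry still holds a positive A record for
# the same name. Function names are this example's own, not Windows APIs.

function ConvertFrom-DisplayDns {
    param([Parameter(Mandatory)][string]$Text)
    # Entries are separated by blank lines: queried name, dashed rule, then
    # either "Name does not exist." or "Field . . . : value" lines.
    $blocks = [regex]::Split($Text, '\r?\n[ \t]*\r?\n') | Where-Object { $_.Trim() -ne '' }
    foreach ($block in $blocks) {
        $lines = @($block -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
        if ($lines.Count -lt 3 -or $lines[1] -notmatch '^-+$') { continue }   # header text, not an entry
        $entry = [ordered]@{ Entry = $lines[0]; Negative = $false; RecordName = $null; Type = $null; TTL = $null; Data = $null }
        foreach ($line in $lines[2..($lines.Count - 1)]) {
            if ($line -match 'Name does not exist') { $entry.Negative = $true; continue }
            if ($line -notmatch '^(.*?)\s*[. ]+\s*:\s*(.+)$') { continue }
            $field = $Matches[1] -replace '\s', ''
            $value = $Matches[2].Trim()
            switch -Regex ($field) {
                '^RecordName$'    { $entry.RecordName = $value }
                '^RecordType$'    { $entry.Type = [int]$value }
                '^TimeToLive$'    { $entry.TTL = [int]$value }
                '\(Host\)Record$' { $entry.Data = $value }   # "A (Host) Record"
            }
        }
        [pscustomobject]$entry
    }
}

function Find-NegativeFqdnWithPositiveAlias {
    param([Parameter(Mandatory)][string]$DisplayDnsText)
    $entries  = @(ConvertFrom-DisplayDns -Text $DisplayDnsText)
    $positive = @($entries | Where-Object { -not $_.Negative -and $_.Type -eq 1 })
    foreach ($neg in ($entries | Where-Object { $_.Negative })) {
        # A short-name query is cached under the short name, but RecordName
        # holds the FQDN it actually resolved to; match on that.
        foreach ($pos in ($positive | Where-Object { $_.RecordName -ieq $neg.Entry })) {
            [pscustomobject]@{
                NegativeEntry = $neg.Entry
                PositiveEntry = $pos.Entry
                Address       = $pos.Data
                RemainingTtl  = $pos.TTL
            }
        }
    }
}

# Constructed sample, taken from the output shown in the question.
$sample = @'
    hostname
    ----------------------------------------
    Record Name . . . . . : hostname.domain.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 2819
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.1.5

    hostname.domain.com
    ----------------------------------------
    Name does not exist.
'@

Find-NegativeFqdnWithPositiveAlias -DisplayDnsText $sample | Format-Table -AutoSize
# On the affected server, feed it the live cache instead:
# Find-NegativeFqdnWithPositiveAlias -DisplayDnsText ((ipconfig /displaydns) -join "`n")
```

On Windows Server 2012 and later, `Get-DnsClientCache` exposes the same data as objects, with a `Status` property that shows negative entries directly, and `Resolve-DnsName -Name hostname.domain.com -DnsOnly` bypasses the cache so you can compare what the server answers at that moment with what the cache holds.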

All replies

  • Hi,

    Would you please disable DNS client-side caching on DNS clients? Windows contains a client-side DNS cache. The client-side DNS caching feature may generate a false impression that DNS "round robin" load balancing is not occurring from the DNS server to the Windows client computer. When you use the ping command to search for the same A-record domain name, the client may use the same IP address.

    Please refer this document:

    https://docs.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/disable-dns-client-side-caching

    Best regards,

    Cherry


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, July 8, 2020 6:24 AM
  • Thanks for your reply Cherry,

    In this situation the Windows 2016 servers (DNS clients) are in a remote site linked by VPN connection to the company DNS servers. I believe if we disable client-side DNS caching, the performance will be degraded significantly as DNS responses will be quite slow all of the time.

    Also, I want to clarify that when I say hostname and hostname.domain.com, these are talking about an actual server name. I have changed it to mail01 to clarify. mail01.domain.com is a real A record on our internal DNS server that points to 192.168.1.5.

    For example. We ran ipconfig /displaydns and saw it like the below:

        mail01
        ----------------------------------------
        Record Name . . . . . : mail01.domain.com
        Record Type . . . . . : 1
        Time To Live  . . . . : 2819
        Data Length . . . . . : 4
        Section . . . . . . . : Answer
        A (Host) Record . . . : 192.168.1.5

        mail01.domain.com
        ----------------------------------------
        Name does not exist.

    As though the FQDN is cached as a negative response, but the hostname only is cached correctly, resolving to the FQDN.

    Also, we have changed the NEGATIVE CACHE TIMEOUT value from default 5 minutes to 10 seconds on the DNS client machine. We hope this will clear out situations like the above faster on the local DNS cache.

    Thanks in advance for any more advice you can give.


    • Edited by Darrkon Wednesday, July 8, 2020 10:51 PM
    Wednesday, July 8, 2020 10:36 PM
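Both the client-side caching document Cherry linked and the 10-second negative cache timeout Luke mentions come down to two DWORD values under the DNS Client service's registry key. The PowerShell below is an added example, not code from the thread or from Microsoft's article: it reads the current limits and sets new ones, with `-WhatIf` support. The value names `MaxNegativeCacheTtl` and `MaxCacheTtl` are the documented ones; the function names are this example's own.

```powershell
# Added example: view and set the DNS Client cache limits.
#   MaxNegativeCacheTtl  seconds a negative ("Name does not exist") answer is kept
#   MaxCacheTtl          ceiling, in seconds, applied to any positive entry's TTL
# Both live under the Dnscache service key; the service reads them at start,
# so restart it (or reboot, if the service refuses to stop) after changing.
# Run in an elevated session. Function names are this example's own.

$DnscacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'

function Get-DnsClientCacheLimit {
    $props = Get-ItemProperty -Path $DnscacheKey -ErrorAction Stop
    $read = { param($name) if ($props.PSObject.Properties.Name -contains $name) { $props.$name } else { $null } }
    [pscustomobject]@{
        MaxNegativeCacheTtl = & $read 'MaxNegativeCacheTtl'   # $null = not set, built-in default applies
        MaxCacheTtl         = & $read 'MaxCacheTtl'
    }
}

function Set-DnsClientCacheLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Luke's setting: 10 seconds instead of the 5-minute default
        [ValidateRange(0, 86400)][int]$NegativeSeconds,
        # Setting this to 1 is what "disable caching" amounts to; on a VPN-linked
        # site that makes every lookup a round trip, so prefer a sane cap instead
        [ValidateRange(1, 2592000)][int]$MaxSeconds,
        [switch]$RestartService
    )
    if ($PSBoundParameters.ContainsKey('NegativeSeconds') -and
        $PSCmdlet.ShouldProcess($DnscacheKey, "Set MaxNegativeCacheTtl = $NegativeSeconds")) {
        Set-ItemProperty -Path $DnscacheKey -Name MaxNegativeCacheTtl -Value $NegativeSeconds -Type DWord
    }
    if ($PSBoundParameters.ContainsKey('MaxSeconds') -and
        $PSCmdlet.ShouldProcess($DnscacheKey, "Set MaxCacheTtl = $MaxSeconds")) {
        Set-ItemProperty -Path $DnscacheKey -Name MaxCacheTtl -Value $MaxSeconds -Type DWord
    }
    if ($RestartService -and $PSCmdlet.ShouldProcess('Dnscache', 'Restart service and flush cache')) {
        Restart-Service -Name Dnscache -ErrorAction Stop
        Clear-DnsClientCache     # same effect as ipconfig /flushdns
    }
    Get-DnsClientCacheLimit
}

# Current values, then a dry run of Luke's change:
Get-DnsClientCacheLimit
Set-DnsClientCacheLimit -NegativeSeconds 10 -WhatIf
# Apply it for real:
# Set-DnsClientCacheLimit -NegativeSeconds 10 -RestartService
```

A short negative TTL limits how long a bad answer lingers, but it does not explain where the negative answer came from; keep the first example's cache check handy to catch the entry while it is still cached.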
  • Hi,

    Thanks for your update, please try following ways:

    Remove the public IP address from DNS and add the internal DNS server IP address, as Meinolf suggested. Refer to the DC/member server/client DNS setting recommendations below.

    DNS configuration on domain controller:
    ------------------------------------------
    1. Each DC / DNS server points to its private IP address as primary DNS server and other internal/remote DNS servers as secondary DNS in TCP/IP property.
    2. Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
    3. If multiple NICs (enabled and disabled) are present on server, make sure the active NIC should be on top in NIC binding.
    4. Contact your ISP and get valid DNS IPs from them and add it in to the forwarders, Do not set public DNS server in TCP/IP setting of DC.

    DNS configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set public DNS server in TCP/IP setting of client/member server.

    Once you are done with above, run "ipconfig /flushdns & ipconfig /registerdns", restart DNS server and NETLOGON service on each DC.

    In the ipconfig details you posted, I've noticed the DC has no Primary DNS Suffix. This is a condition called a "Disjointed Namespace." You can easily fix that. In Computer Properties, Computer Name, "More" button, you must put the domain name (e.g. Contoso.com) back into that field. The machine must be restarted for this to take effect.

    The Primary DNS Suffix is what the DNS Client Service (partly the DNS Dynamic Update Service) on the DC uses to register the AD information into DNS, looking for a matching zone name, which is the domain name (e.g. Contoso.com) zone. If this is missing, AD (specifically the Netlogon service) can't register its data into DNS.

    Then run the commands:

        ipconfig /flushdns
        ipconfig /registerdns
        net stop netlogon
        net start netlogon

    This action ensures your DC registers the proper records into DNS so AD can function.

    Hope this helps.

    Best regards

    Cherry



    Thursday, July 9, 2020 2:05 AM
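Cherry's checklist above can be turned into a repeatable check. The PowerShell below is an added example, not code from the thread: it flags public resolvers in the TCP/IP settings and an empty Primary DNS Suffix, and, with `-Repair`, runs the flush/register/Netlogon steps listed. The pure check runs on constructed input so it can be tried anywhere; the live part assumes the `DnsClient` module (Windows Server 2012 or later) and the `domain.com` suffix from the thread. The sample addresses are constructed (203.0.113.53 is a documentation address standing in for any public resolver), and the function names are this example's own.

```powershell
# Added example: audit a member server's DNS client settings against the
# checklist above. Function names are this example's own.

function Test-PrivateIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    # RFC 1918 plus loopback; anything else counts as "public" for this check
    ($b[0] -eq 10) -or
    ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
    ($b[0] -eq 192 -and $b[1] -eq 168) -or
    ($b[0] -eq 127)
}

function Get-DnsClientFinding {
    param(
        [string[]]$ServerAddresses,          # primary first, as in TCP/IP settings
        [AllowEmptyString()][string]$PrimaryDnsSuffix,
        [string]$ExpectedSuffix = 'domain.com'
    )
    $findings = @()
    $ipv4 = @($ServerAddresses | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    if ($ipv4.Count -eq 0) {
        $findings += 'No IPv4 DNS server configured'
    }
    for ($i = 0; $i -lt $ipv4.Count; $i++) {
        if (-not (Test-PrivateIPv4 $ipv4[$i])) {
            $role = if ($i -eq 0) { 'primary' } else { 'secondary' }
            $findings += "Public DNS server $($ipv4[$i]) set as $role resolver; move it to the internal DNS server's forwarders"
        }
    }
    if ([string]::IsNullOrWhiteSpace($PrimaryDnsSuffix)) {
        $findings += 'Primary DNS Suffix is empty (disjoint namespace); dynamic registration into the AD zone will fail'
    } elseif ($PrimaryDnsSuffix -ne $ExpectedSuffix) {
        $findings += "Primary DNS Suffix is '$PrimaryDnsSuffix', expected '$ExpectedSuffix'"
    }
    return ,$findings
}

# Constructed sample: a box pointed at a public resolver and missing its suffix.
Get-DnsClientFinding -ServerAddresses '203.0.113.53', '192.168.1.10' -PrimaryDnsSuffix ''
# A correctly configured member server produces no findings:
Get-DnsClientFinding -ServerAddresses '192.168.1.10', '10.0.0.10' -PrimaryDnsSuffix 'domain.com'

function Invoke-DnsClientAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ExpectedSuffix = 'domain.com', [switch]$Repair)
    # First interface that has IPv4 resolvers configured
    $servers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
    # "Domain" under Tcpip\Parameters is the Primary DNS Suffix shown in System Properties
    $suffix = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters').Domain
    $findings = Get-DnsClientFinding -ServerAddresses $servers -PrimaryDnsSuffix $suffix -ExpectedSuffix $ExpectedSuffix
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Repair -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'flushdns, registerdns, restart Netlogon')) {
        Clear-DnsClientCache                 # ipconfig /flushdns
        Register-DnsClient                   # ipconfig /registerdns
        Restart-Service -Name Netlogon       # net stop / net start netlogon
    }
    return ,$findings
}

# Invoke-DnsClientAudit -Repair -WhatIf
```

`Invoke-DnsClientAudit -Repair -WhatIf` prints the findings and shows the repair steps without running them; drop `-WhatIf` once the resolver list and suffix look right, since re-registering against a public resolver only produces more noise.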
  • Hi,


    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


    This "IPAM, DHCP, DNS" Forum will be migrating to a new home on Microsoft Q&A, please refer to this sticky post for more details.

    Best Regards,

    Cherry


    "IPAM, DHCP, DNS" forum will be migrating to a new home on Microsoft Q&A!

    We invite you to post new questions in the "IPAM, DHCP, DNS"  forum's new home on Microsoft Q&A!

    For more information, please refer to the sticky post.


    Monday, July 13, 2020 1:36 AM
  • Hi,


    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Cherry

    Wednesday, July 15, 2020 2:59 AM
  • Hi


    As this thread has been quiet for a while, we will mark it as 'Answered' as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.


    BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts.

    Best regards

    Cherry

    Friday, July 17, 2020 5:30 AM
    Thanks for everyone's feedback.

    In the end we reduced the negative DNS cache time to 10 seconds so that timeouts were not hanging around too long. The user also changed their testing software to not retry ping by name every 10 seconds, but adjusted it to make the retry delay get longer and longer.

    Finally, we changed the TTL for a few crucial DNS records to longer (I think 1 hour or 1 day).

    Between these adjustments, the problem seems to have largely disappeared.

    Kind regards,

    Luke

    Friday, July 17, 2020 6:28 AM
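Luke's fix combined a shorter negative cache, a retry schedule that backs off instead of re-querying every 10 seconds, and longer TTLs on a few records. The PowerShell below is an added example, not the user's test software or anything from the thread: `Wait-ForHostRecord` retries a lookup with exponential backoff and jitter, bypassing the local cache with `Resolve-DnsName -DnsOnly`, and `Set-HostRecordTtl` raises a record's TTL with the `DnsServer` module. The backoff parameters, the server name `dns01` and the function names are assumptions; `mail01.domain.com` is the record from the thread. The `DnsServer` cmdlets need Windows Server 2012 or later (or RSAT), so the Windows 2008 DNS server in the thread would need `dnscmd` for the TTL step.

```powershell
# Added example: retry name resolution with exponential backoff and jitter, and
# raise a record's TTL on the server. Names and parameters are this example's own.

function Get-BackoffDelay {
    param(
        [Parameter(Mandatory)][int]$Attempt,   # 0 for the first retry
        [double]$BaseSeconds = 2,
        [double]$MaxSeconds = 300,
        [double]$JitterFraction = 0.2
    )
    # 2, 4, 8, ... seconds, capped, plus +/-20 % jitter so many clients that
    # failed at the same moment do not retry in lock-step
    $raw    = [math]::Min($BaseSeconds * [math]::Pow(2, $Attempt), $MaxSeconds)
    $jitter = $raw * (Get-Random -Minimum (-$JitterFraction) -Maximum $JitterFraction)
    return [math]::Round($raw + $jitter, 2)
}

function Wait-ForHostRecord {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$MaxAttempts = 8
    )
    for ($i = 0; $i -lt $MaxAttempts; $i++) {
        # -DnsOnly skips the local cache (so a negatively cached FQDN does not
        # short-circuit the check); -NoHostsFile skips the hosts file as well
        $answer = @(Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
                    Where-Object { $_.Type -eq 'A' })
        if ($answer.Count -gt 0) {
            return [pscustomobject]@{
                Name = $Name; Address = $answer[0].IPAddress; TTL = $answer[0].TTL; Attempts = $i + 1
            }
        }
        $delay = Get-BackoffDelay -Attempt $i
        Write-Verbose ("Attempt {0} for {1} failed; retrying in {2}s" -f ($i + 1), $Name, $delay)
        Start-Sleep -Milliseconds ([int]($delay * 1000))
    }
    throw "No A record for $Name after $MaxAttempts attempts"
}

function Set-HostRecordTtl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$RecordName,
        [Parameter(Mandatory)][timespan]$Ttl,
        [string]$ComputerName = 'localhost'
    )
    # DnsServer cmdlets replace a record by passing the old and the modified copy
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $RecordName -RRType A -ComputerName $ComputerName
    foreach ($record in @($old)) {
        if ($PSCmdlet.ShouldProcess("$RecordName.$ZoneName", "TTL -> $Ttl")) {
            $new = $record.Clone()
            $new.TimeToLive = $Ttl
            Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $record -NewInputObject $new -ComputerName $ComputerName -PassThru
        }
    }
}

# Usage (assumed names):
# Wait-ForHostRecord -Name mail01.domain.com -Verbose
# Set-HostRecordTtl -ZoneName domain.com -RecordName mail01 -Ttl ([timespan]::FromHours(1)) -ComputerName dns01 -WhatIf
```

A longer TTL keeps a good answer cached across a short VPN outage, but it also delays clients noticing a changed address, so reserve it for records that rarely move, as Luke did for "a few crucial" ones.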
  • Hi,

    I am glad to hear that your issue was successfully resolved. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Cherry

    Friday, July 17, 2020 6:44 AM