Understanding the DNS Client Service and how Name Resolution works

Author: NetworkAdminKB.com
Created: 2008-09-16
Modified: 2009-01-03

Information:

Understanding how name resolution works is very beneficial when troubleshooting issues on desktops and servers.  The name resolution process has many subtleties that network administrators overlook or misunderstand, and knowing them helps when troubleshooting name resolution issues.

 

The basic goal of Name Resolution is to resolve a name to an IP address.  Name resolution in Windows is a combination of DNS and WINS.  Below are the basic rules Name Resolution follows when the default NetBIOS Hybrid (H-node) Node Type configuration is used.

 

Name Resolution Rules using DNS and WINS

1) Check local DNS cache
   a. If the record (or NACK of a record) already exists, return the cached information then exit.
   b. If the record does not exist, proceed to the next step.

2) Query DNS Hosts file
   a. If the record exists, return the configured information then exit.
   b. If the record does not exist, proceed to the next step.

3) Query the DNS Servers in order as follows
   a. Query the DNS servers as follows
      i. If the name contains a period
         1. Query the name as originally entered.
         2. Query the name with the appended DNS suffixes in the order listed.
      ii. If the name does not contain a period
         1. Query the name with the appended DNS suffixes in the order listed.
   b. Process the Query responses as follows
      i. If a timeout or no response occurs communicating with the DNS server, query the next DNS server in the list.  If no more DNS servers are available, proceed to the next step.
      ii. If a positive acknowledgement is received, store the information in cache, return the response then exit.
      iii. If a negative acknowledgement (NACK) is received, store the information in DNS cache, return the response then exit.
      iv. If "server failure" is received, the DNS server was unable to resolve the name.  Query the next name in the suffix search order; if no more suffixes are available, proceed to the next DNS server and repeat the queries.  If no more DNS servers are available, continue with the next step.

4) Check the NetBIOS cache
   a. If the name meets the requirement of a WINS name (15 character max, no periods, etc.), query the name.
   b. If the record already exists, return the cached information then exit.
   c. If the record does not exist, proceed to the next step.

5) Query the WINS servers
   a. Query the WINS servers as follows
      i. If the name meets the requirement of a WINS name (15 character max, no periods, etc.), query the name.
   b. Process the Query responses as follows
      i. If a timeout or no response is received, query the next WINS server in the list.
      ii. If a positive acknowledgement is received, store the information in NetBIOS cache, return the response, then exit.
      iii. If a negative acknowledgement (NACK) is received, store the information in NetBIOS cache, return the response, then exit.
      iv. Since all WINS servers should replicate the same information, if the information is not found on the first WINS server (the server was able to respond), all other WINS servers will not be attempted.

6) Query LMHosts
   a. If the name meets the requirement of a WINS name (15 character max, no periods, etc.), query the name.
   b. If the record exists, return the configured information then exit.
   c. If the record does not exist, proceed to the next step.

7) Send NetBIOS Broadcast
   a. If the name meets the requirement of a WINS name (15 character max, no periods, etc.), query the name.
   b. If a response from the broadcast is received, return the configured information then exit.

8) Return a failure code to the program requesting the DNS or WINS information.
   a. Exit

 

When troubleshooting name resolution issues on the desktop it is important to understand these rules and how they apply when troubleshooting applications that request the name resolution services.
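
The DNS portion of the rules above (steps 1 to 3), modeled in Python as an added example; it is not code from the original article or from Windows. The server labels, names, addresses and the choice to treat a name missing from a sample zone as a "server failure" are assumptions made for the illustration.

```python
# Added illustration: a model of steps 1-3 as listed above. All names, addresses
# and server contents are constructed sample data, not real records.
POSITIVE, NACK, SERVFAIL = "positive", "nack", "servfail"

def candidates(name, suffixes):
    """Step 3a: the names sent to DNS, in order."""
    appended = [f"{name}.{s}" for s in suffixes]
    return [name] + appended if "." in name else appended

def netbios_eligible(name):
    """Steps 4-7 apply only to WINS-style names (15 characters max, no periods)."""
    return 0 < len(name) <= 15 and "." not in name

def resolve(name, suffixes, servers, cache, hosts):
    """Return (source, address, trace). servers is an ordered list of
    (label, zone); zone is None for a server that times out, otherwise a dict
    of fqdn -> (status, address). A name missing from zone counts as SERVFAIL."""
    trace, key = [], name.lower()
    if key in cache:                        # step 1: positive or cached NACK
        return "dns-cache", cache[key], trace
    if key in hosts:                        # step 2: Hosts file
        return "hosts", hosts[key], trace
    for label, zone in servers:             # step 3: servers in listed order
        if zone is None:                    # 3.b.i: timeout, next server
            trace.append((label, None, "timeout"))
            continue
        for fqdn in candidates(key, suffixes):
            status, addr = zone.get(fqdn, (SERVFAIL, None))
            trace.append((label, fqdn, status))
            if status in (POSITIVE, NACK):  # 3.b.ii / 3.b.iii: cache and exit
                cache[key] = addr           # a NACK is cached as None
                return "dns", addr, trace
            # 3.b.iv: server failure, try the next suffix, then the next server
    # DNS exhausted: only WINS-style names continue to steps 4-7
    return ("netbios-steps" if netbios_eligible(name) else "failure"), None, trace

SUFFIXES = ["corp.example.com", "example.com"]
SERVERS = [
    ("dns1", None),                                            # unreachable
    ("dns2", {"fileserver.corp.example.com": (NACK, None),     # zone exists, no record
              "intranet.example.com": (POSITIVE, "192.0.2.10")}),
]

if __name__ == "__main__":
    for n in ("intranet", "fileserver", "printer01", "host.unknown.test"):
        source, addr, trace = resolve(n, SUFFIXES, SERVERS, {}, hosts={})
        print(n, "->", source, addr, trace)
```

Calling resolve() twice for "fileserver" with the same cache dictionary returns the cached NACK on the second call without contacting any server, which is the behaviour that flushing the cache clears.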

 

More Information:

A negative acknowledgement (NACK) results when the queried DNS zone exists but a resource record for the queried name does not exist.  NACK caching is defined in RFC 2308.  To clear the DNS cache of positive and negative cached results, run "IPConfig /flushdns".

 

Cached NACKs are not displayed when viewing the DNS cache via the "IPConfig /displaydns" command.

 

It is important to understand how NACKs are returned because the DNS zone may not be on the desired DNS server or may be incomplete, etc.  If you receive unexpected NACKs, verify (using NSLookup or Network Monitor) that you are receiving information from the correct DNS server with the correct DNS zone records.

 

When troubleshooting, it is important to note that the NSLookup program typically bypasses the DNS client and DNS cache, and as such it simply reports the results of the single DNS server query being asked.  NSLookup will therefore not automatically query another DNS server.  To determine which DNS server (Primary, Secondary, etc.) is returning the DNS information, use NSLookup on each server in order until a response is found.

Ping, on the other hand, relies on the DNS client and will query the DNS servers as outlined above until a response or failure code is returned.  Thus, ping works just like most applications do on the desktop: if you can resolve a DNS name via ping, so should any other application.  *This is not 100% always the case, but in general it is true.

 

Below is a screenshot showing how a DNS name and WINS name are identified when using Ping.  All DNS names are shown as fully qualified based on the DNS zone that was appended to resolve the name, while a name resolved via WINS is shown as just the name.

 

 

See the following RFCs for more information

RFC 1034 - Domain names - concepts and facilities

RFC 1035 - Domain names - implementation and specification

Article ID: 118, Created On: 9/17/2011, Modified: 9/17/2011