I wrote this article to explain some important DNS concepts that you should know in order to avoid some typical configuration errors I often see in forums.
I assume that what is described here is the typical behavior of the Microsoft DNS client. I don't know the DNS client implementations on other platforms, so I can't tell you that this applies everywhere; other experts, please feel free to comment about it.
By "Microsoft DNS client" I mean the DNS Client service on any Microsoft platform. This is true for workstations, for servers and for domain controllers.

Concept #1: The DNS "Preferred" server
When you configure DNS servers in the IP settings of a NIC on a Windows machine, you configure what are called the "primary" and "secondary" DNS servers.
In my opinion these terms ("primary" and "secondary") are a very bad choice by Microsoft, because in fact the DNS server list can contain more than 2 DNS servers, as you may have already seen if you looked at the "DNS" tab of the "Advanced" IP settings.
Basically the DNS server list is an ordered list of as many DNS servers as you want.
Also, the term "primary" makes you think that this DNS server has a specific role or function compared with the "secondary" servers, or that this server has some priority over the other servers in the list, which is not the case, as I'll try to explain now.
Ok, so what happens when a Windows machine has to resolve a DNS name for the first time after startup?
Very simple: the DNS Client service (which is in charge of interrogating DNS servers) takes the ordered DNS server list from the IP settings, takes the first DNS server in the list and sends a DNS request to this server.
Well! Isn't that the role of a "primary" server? Isn't that a sort of priority for this "primary" DNS server?
Yes, it is! At this time, at startup, the first DNS server in the list will be the first interrogated DNS server… But after that, the concept of "primary" DNS server is over, and the concept of "PREFERRED" DNS server appears.
Ok, so now, which DNS server will be interrogated first on the next DNS request? The "primary"?
No! The "Preferred" DNS server will be interrogated first on the next request!
What is the "preferred" DNS server? At any time, the "preferred" DNS server is the last DNS server that has been interrogated successfully. That's it! That is the definition of the "preferred" DNS server. And the "preferred" DNS server stays the preferred one until it stops answering fast enough to the requesting DNS client.
Let's take an example. Let's suppose you have a client computer that is configured with 4 DNS servers in the IP settings, in this order:
DNS A (called "primary" in the IP settings), DNS B (called "secondary"), DNS C and DNS D.
At startup, for its first DNS request the computer will try to interrogate the first DNS server in the list, which is DNS A (the primary DNS server). If this DNS server is alive and its answer is received, it becomes the "preferred" DNS server, and the next DNS requests will be sent to this preferred DNS server until it stops responding.
Let's suppose DNS A is rebooted or becomes unreachable for a while. The client computer needs to resolve a DNS name and sends the request to its "preferred" DNS server, which at this time is DNS A. DNS A does not respond… The client computer will then resend its DNS request to the next DNS server in the ordered list, which is DNS B. DNS B responds, and it then becomes the new "preferred" DNS server for the client computer.
The next DNS requests from the client computer will now automatically be sent to this new "preferred" DNS server WITHOUT attempting to reach the "primary" server! THIS IS IMPORTANT! The client computer has no need to retry the primary DNS server because its "preferred" DNS server is alive and answers requests!
As you can see, the term "primary" is no longer justified here!
Ok, let's continue with this little scenario where DNS B has become the preferred DNS server for my client computer.
Let's now suppose DNS B is rebooted or becomes unreachable for any reason while the client computer needs it to resolve a DNS name. Which DNS server will be interrogated next by the computer if DNS B becomes unreachable? The primary DNS A server??? NOOOO!!!!
The next DNS server that will be interrogated if DNS B becomes unreachable will be the next DNS server in the ordered list, which is DNS C! And if DNS C is reachable, it becomes the new "preferred" DNS server!
As you can see, the "primary" DNS server is in fact a primary server ONLY at startup! After that, the "primary" concept no longer exists! Only the concept of "preferred" DNS server is used!
This concept #1 is important to understand and will allow you to diagnose some DNS issues.

Concept #2: "Authoritative" answers and "Non-Authoritative" answers

Note: before explaining this concept I must emphasise that you must not confuse a DNS "authoritative" answer with a DNS "authoritative" server, which is another concept not connected with the concept #2 I'm about to explain.
In this chapter I'll use the terms "positive" DNS answer and "negative" DNS answer.
A "positive" DNS answer is the result of a successful DNS query; to be clearer, it's a successful DNS resolution (the name exists and the IP address is in the answer). A "negative" DNS answer is a failure in DNS resolution (the name could not be found and could not be resolved to an IP address).
Basically an "authoritative" answer is a way for the DNS server to tell the requesting client that the answer is sure, certain and definitive, and that interrogating any other DNS server would be a waste of time because the answer will be (should be) the same.
A positive DNS answer is always an authoritative answer. Of course! If a DNS server gives you the response you need, you won't try any other DNS server!
A negative DNS answer may be "authoritative" or "non-authoritative". To be as clear as I can with my poor English: to the DNS question "What IP address is associated with a given DNS name?", the negative authoritative answer is "This DNS name does not exist anywhere, no need to ask anyone else!" and the negative non-authoritative answer is "I don't know, but you should ask someone else…".
Ok, so now what is the difference between a negative authoritative answer and a negative non-authoritative answer for my DNS client computer?
A big one!
If the client computer receives a non-authoritative DNS answer to its DNS request, it will ask the same question to the next DNS server in the ordered list, and as a consequence the "preferred" DNS server will change, since the client moves on to the next DNS server, and so on…
If the client computer receives an authoritative DNS answer to its DNS request, it will stop searching and will consider that the name cannot be resolved! The "preferred" DNS server stays the preferred one; no need to change that.
That's a big difference in behavior, isn't it?

Concept #3: The client DNS cache
Another thing that is so important to remember when you try to diagnose DNS issues is that the DNS client on the computer maintains a DNS cache that stores the last received authoritative DNS answers for a while, to avoid being forced to interrogate DNS servers each time a DNS name has to be resolved.
When the DNS client obtains an authoritative answer from a DNS server, it will store this answer in the cache for as long as is declared in the TTL (Time To Live) attribute of the answer. The TTL is an attribute of the DNS record on the DNS server; it is not a setting on the client side.
By default, DNS records on Microsoft DNS servers have a TTL of 1 hour.
Did you notice that I said that authoritative answers are stored in the client DNS cache, and that I did not differentiate between "negative" and "positive"? I did not say "negative" or "positive" because ALL AUTHORITATIVE answers are stored in the client DNS cache! Yes! Even negative answers!
This is important because if you don't take the time to empty your DNS cache when you diagnose a DNS issue, you're almost sure to follow a bad track.
So, remember to use the IPCONFIG /FLUSHDNS command on your DNS client each time you want to check DNS resolution. It's a requirement for a good diagnosis, but it is not enough, as I'll try to explain in the next concept.

Concept #4: The server DNS cache
Of course, a single DNS server cannot host all the DNS names that exist in the world. That's obvious.
But if you interrogate any public DNS server on the Internet for any DNS name that exists, you'll get an answer from this DNS server, even if this server does not host a copy of the requested DNS record.
That is because DNS servers are members of a hierarchical DNS structure, and each public DNS server is able to forward a DNS request to the DNS server that is supposed to host the DNS zone.
Well… as this article is not a DNS course I won't detail the principles of DNS forwarders and DNS delegations; what I just want to tell you is that a DNS server may be able to obtain an answer from other DNS servers in the hierarchy.
When an interrogated DNS server has had to get an answer from another DNS server before giving the answer to the requesting client, the interrogated DNS server keeps a copy of the answer in its own DNS cache.
If by any chance another DNS client asks the same question to this DNS server, it will then be able to answer immediately, with no need to re-ask the other DNS servers in the hierarchy.
This is very efficient.
Like the client DNS cache, the DNS server keeps all authoritative answers in its cache.
This is also important to remember if you diagnose a DNS resolution issue, because even if you take the time to empty the client DNS cache as I mentioned in the previous chapter, you may have trouble with the DNS server cache.
If you can, you should empty the DNS server cache as well before each diagnosis test.

Concept #5: Internet DNS servers always give authoritative answers
The title of this chapter is quite explicit by itself! Yes, all DNS servers on the Internet will always give you an authoritative answer, positive or negative, but AUTHORITATIVE anyway.
This is because the Internet DNS hierarchy is built so that it contains a root DNS zone, and by definition the root DNS zone is supposed to know all existing public DNS domain names and how to reach the public DNS server that hosts the DNS zone associated with the requested DNS domain.
Remember that: Internet DNS servers always give you authoritative answers.
This is VERY VERY VERY important and explains a lot of the DNS issues I see on forums when admins make a bad DNS configuration in the IP settings of their computers or servers!

Example of a typical "little disaster"
As an example, let's suppose I have a client computer that is a member of my internal Active Directory domain. Let's suppose I configure the IP settings on that computer so that my internal DNS server is set as the primary DNS server and an external public DNS server is set as the secondary DNS server.
This is a very BAD configuration, but it's a typical error made by some admins who think that adding more DNS servers will help to resolve more DNS names. This is wrong: having more DNS servers in the IP settings will not help to resolve more DNS names. It's only useful for high availability of DNS resolution, in case one DNS server becomes unreachable.
All the DNS servers you declare in the IP settings must be able to resolve the same names.
So what happens to my computer if I configure it to use the internal DNS server as primary and the external DNS server as secondary? Let's see:
I start the computer. To resolve DNS names it will first use the first DNS server in the list, the one that is called "primary". The first DNS name resolutions my computer needs to do are to locate the internal Active Directory domain. As the primary DNS server is the internal DNS server, it is able to resolve all the internal names requested by the client computer to reach the domain.
Until now all is OK. The computer has been able to reach the internal AD domain.
I now need to go to a web page. Let's suppose I open IE and go to www.microsoft.com.
The DNS client on my computer will first ask the current "preferred" DNS server, which at this time is the primary internal DNS server, for the name "www.microsoft.com".
The internal DNS server does not host this DNS zone. The internal DNS server is only made to resolve internal AD domain names, and let's suppose I've not added any DNS forwarder. The internal DNS server does not host a DNS root zone either.
So, the internal DNS server will give a negative answer, and on top of that it will be a negative non-authoritative answer. This answer will in fact mean "I don't know this name, but you should ask another DNS server". As the answer is not authoritative, the DNS client on my computer will try the next DNS server in the list (the one that is called "secondary" in the IP settings).
This secondary DNS server is an external DNS server on the Internet. Of course, this DNS server will give me a positive answer and my computer will be able to resolve "www.microsoft.com". I can reach the web page, all seems OK to me, but the DISASTER HAS ALREADY BEGUN!
Because if you have read the previous concepts in this article, you should know by now that the DNS client on my computer has changed its "preferred" DNS server. My computer had to interrogate the secondary DNS server because the primary DNS server could not give an authoritative answer. As the secondary DNS server was reachable and gave an authoritative answer, this secondary DNS server is now considered the "preferred" DNS server and it will be asked first for the next DNS requests.
As this new preferred DNS server is an external DNS server on the Internet, it will ALWAYS give authoritative answers! And because of that, the DNS client on my computer will NEVER re-ask the primary (internal) DNS server until the external DNS server becomes unreachable!!!
That is catastrophic for my client computer, because now, for any internal DNS name my computer needs to resolve, the answer from the external DNS server will be "this domain does not exist!", and the answer will be authoritative, so the DNS client on my computer will not try to resolve it anymore!
My computer is now unable to resolve internal DNS names, unable to locate domain controllers, unable to authenticate a user, etc…
Of course, because of the client DNS cache on the computer, the trouble will not appear immediately. While the internal DNS names are still in the cache the computer will locate DCs; one by one the names in the cache will expire, and servers and DCs will become unreachable.
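To make the rules of concepts #1, #2 and #3 concrete, here is a small Python model of the client behavior described in this article, with the "internal primary, public secondary" scenario above run through it. This is an added example, not code from the article or from Microsoft; the server names, the corp.example domain and the answers each server gives are constructed assumptions.

```python
# Constructed model of the DNS client rules described in this article; it is not Microsoft's code.
POSITIVE, NEG_AUTH, NEG_NONAUTH, TIMEOUT = "positive", "neg-auth", "neg-nonauth", "timeout"

class DnsClient:
    def __init__(self, servers):
        self.servers = servers    # ordered list from the IP settings, "primary" first
        self.preferred = 0        # index of the current "preferred" server (concept #1)
        self.cache = {}           # name -> (answer, expiry): authoritative answers only (concept #3)

    def resolve(self, name, now, resolvers):
        """resolvers maps a server name to a function(name) -> (answer, ttl_seconds)."""
        if name in self.cache and self.cache[name][1] > now:
            return self.cache[name][0]          # served from cache, even when negative
        n = len(self.servers)
        for k in range(n):                      # start at the preferred server, then walk the list
            i = (self.preferred + k) % n
            answer, ttl = resolvers[self.servers[i]](name)
            if answer in (POSITIVE, NEG_AUTH):  # authoritative (concept #2): stop, this server is now preferred
                self.preferred = i
                self.cache[name] = (answer, now + ttl)
                return answer
            # TIMEOUT or NEG_NONAUTH: ask the next server in the list
        return NEG_NONAUTH

def internal_dns(name):   # AD DNS server: hosts corp.example only, no forwarder, no root zone
    return (POSITIVE, 3600) if name.endswith(".corp.example") else (NEG_NONAUTH, 0)

def public_dns(name):     # Internet DNS server: always authoritative, knows nothing of corp.example
    return (NEG_AUTH, 3600) if name.endswith(".corp.example") else (POSITIVE, 3600)

def little_disaster():
    """Internal server as primary, public server as secondary, as in the scenario above."""
    c = DnsClient(["internal", "public"])
    res = {"internal": internal_dns, "public": public_dns}
    steps = [
        c.resolve("dc1.corp.example", 0, res),     # startup: primary answers -> positive
        c.resolve("www.microsoft.com", 10, res),   # internal says "ask someone else"; public answers and becomes preferred
        c.resolve("dc1.corp.example", 20, res),    # still in the client cache -> positive
        c.resolve("dc2.corp.example", 30, res),    # not cached: public gives an authoritative "does not exist"
        c.resolve("dc1.corp.example", 4000, res),  # TTL of 3600 s expired: now fails too
    ]
    return c.servers[c.preferred], steps

def failover_demo():
    """Concept #1: a timeout moves the preferred server down the list; it does not move back by itself."""
    c = DnsClient(["A", "B", "C"])
    down, up = (lambda name: (TIMEOUT, 0)), (lambda name: (POSITIVE, 60))
    c.resolve("x.corp.example", 0, {"A": down, "B": up, "C": up})  # A is down -> B becomes preferred
    c.resolve("y.corp.example", 1, {"A": up, "B": up, "C": up})    # A is back, but B is still asked first
    return c.servers[c.preferred]
```

Run little_disaster() to see the internal names keep working only while their cached entries are alive, then fail with authoritative negative answers once the public server is the preferred one.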
I hope this article will help you in your DNS issue diagnosis. Please feel free to comment or suggest modifications to this article; I would like to hear from you.