Does "ping <FQDN>" attempt to use the local hosts file for resolution of <FQDN> when the DNS Client service is not running?

Hello DNS Experts:

I am trying to get broader confirmation for something that I have tested on a couple of platforms, and for which the online documentation seems to be either somewhat vague or in error. Perhaps someone can correct me if this assumption is incorrect.

I have tested this on Windows XP with SP2, and on Vista, and have concluded that 'ping <name>' uses the hosts file even when the DNS Client service ('dnscache') is not running. If someone can definitively prove this to be false, that would be sufficient as an answer.

Otherwise, what I am looking for is either:

  a) is the behavior different for Windows Server 2003, Windows Server 2008 or for XP or Vista with a different service pack level? I.e. - show me a case where name resolution *does not* use the hosts file when the DNS Client service is stopped.
  b) Is there some registry setting or other condition on the DNS client that would prevent the DNS APIs from using the hosts file when dnscache is not running?

I am making the assumption that ping relies on the standard DNS resolution process for <name>, and that this implies that the DNS APIs are used. I am only in interested in the case where NetBIOS name resolution is not a factor - i.e. a FQDN is used.

I am familiar with the following articles, which either do not address the question directly or seem to imply the opposite - that the hosts file is not used when the dnscache service is not running:

TCP/IP Fundamentals for Microsoft Windows - Chapter 7 - Host Name Resolution: 

"How DNS query works" (Windows Server 2003)

I did the following test to arrive at the conclusion that the query for <name> *can succeed* even when the DNS Client service is stopped (where <name> is an FQDN and there is not a valid local DNS server setting).

Platform/environment: Windows XP, Service Pack 2

// Start with a machine that has a hosts file with no user-defined entries. In a command window do the following (not all steps are essential)

cd C:\WINDOWS\system32\drivers\etc
type hosts // verify that it only contains the following entry:       localhost
ipconfig /flushdns  // verify that it responds with "Successfully flushed the DNS Resolver Cache."
ping   // save the IPv4 address (
ping   // verify that this succeeds
ipconfig /displaydns  // verify that there are A (Host) records for and
ipconfig /flushdns  // (redundant)
net stop dnscache  // verify that it responds with "The DNS Client service was stopped successfully."
// Now add the following entry to the hosts file ('notepad hosts') and save the file to its original location:
ipconfig /all   // get the name of the relevant interface, e.g. "Local Area Connection"
netsh interface ip show dns "Local Area Connection"
// if it shows "DNS servers configured through DHCP:" do the following:
  netsh interface ip set dns "Local Area Connection" static  // or use any IP that is not a valid DNS server address
// else  // static, not dhcp
  netsh interface ip delete dns "Local Area Connection" all
ipconfig /all   // verify the DNS server setting
ping  // this should fail with "Ping request could not find host Please check the name and try again."
ping  // if this succeeds in resolving the name ("Pinging ...) -->> ** THEN THE HOSTS FILE MUST HAVE BEEN USED **
// Test completed: restore local settings:
// Restore DNS server setting for "Local Area Connection"
netsh interface ip set dns "Local Area Connection" dhcp
// Start the DNS Client service
net start dnscache
// ** end of test **

Who is Participating?
Rob WilliamsConnect With a Mentor Commented:
>>"To rephrase:  is 'hosts' used when dnscache has been stopped?"
Yes, but presumably there are no entries present to use, unless you have added them.

answers SOME of your questions
Rob WilliamsCommented:
Windows name resolution for DNS uses numerous methods. The order is as follows as I recall:
DNS name resolution:
Hosts file | DNS | DNS cached names | WINS | Broadcasts | LMHosts file
NetBIOS name resolution:
NetBIOS name cache | WINS | Broadcasts | LMHosts file | Hosts file | DNS

So to answer your question ping will use Hosts file.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

GlennH759Author Commented:

Thanks for the link, however I am looking for documented sources - either from Microsoft that I have overlooked, or from DNS experts that can confirm this behavior based on their experiences in troubleshooting with this technique across Windows platforms, i.e. stopping the DNS cache service.


My question was not about the general name resolution order when dnscache is available. To rephrase:  is 'hosts' used when dnscache has been stopped?
GlennH759Author Commented:
That's exactly the point - see my test steps above - e.g. I added an entry for to 'hosts'.

Perhaps I can clarify my purpose in asking the question:

First, to give correct advice to some of the askers on this forum who have run into specific problems with resolution where they are using a hosts file and where there may be problems with the dnscache service. Is it sound to advise them to stop the dnscache service so that they can determine if resolution is failing or succeeding when only the hosts file is a factor? (besides NetBIOS, remote DNS, etc.)

Frankly I believe that the earlier Microsoft documentation has caused some confusion in this area so that people assume that they must have the DNS cache service running in order to do name resolution. Thus you see people overusing 'ipconfig /flushdns', restarting, etc. when they could simply 'net stop dnscache', in order to eliminate this as a factor/possible cause of the problem.

Secondly this relates to a software project that is currently under development - I need confirmation of exactly what happens in the scenario I outlined above.
GlennH759Author Commented:
Here are two of the questions where stopping the dnscache service but knowing for sure that the hosts file is used could be helpful for troubleshooting:

DNS Not reading Hosts file

Host file not read. After reboot it's ok again
Rob WilliamsCommented:
I am not sure I follow. Have you found a problem with basic resolution?
You do not need DNS cache, for that matter you could eliminate several services. DNS name resolution tries to resolve a name in the order I provided above. If one fails, it moves to the next. Also in this day and age, though a Hosts file works, why would anyone use it?
Rob WilliamsConnect With a Mentor Commented:
I think you will find most times when a Hosts file is not read it is due to being improperly configured. The hosts file is quite fussy and simple things like failure to add a carriage return will cause it to fail.
GlennH759Author Commented:
"Have you found a problem with basic resolution?"
- No, please see above.

Can anyone else confirm what I am looking for based on their experiences in this area? I would like an anwer in specific terms that responds to the question as I originally described it.

lrmooreConnect With a Mentor Commented:
Perhaps I can throw some technical information into this thread as an outside observer....I think I understand the question, but if I'm off base, then please forgive me...

Microsoft is what it is and has never been consistent or adhered to RFC standards. Ping uses a different mechanism for name resolution than applications like IE does. If I can ping something by name but can't open a web page to it, it's an application issue with IE. There are examples all over the net on how to fix IE if it won't resolve.
Ping uses windows sockets whereas an application calls the API gethostbyname (as in the case of Internet Explorer).
Stopping the dnscache doesn't stop the system from resolving. Earlier versions of Windows prior to 2000 didn't even have a dnscache service (answers question a). Windows Vista and Server 2008 have totally re-written TCP/IP stacks, but as you witness, the behavior is the same.

So, this also answers question b) in that there is not any condition at all that will prevent the use of the hosts file, therefore actually proving that Glenn is right in his initial assumptions.

Rob's response here was also right on the money and direct to the point. "YES" is the answer. Period.
      >>"To rephrase:  is 'hosts' used when dnscache has been stopped?"
      Yes, but  . . .

Rob was also right on the money when he pointed out that errors in configuring the hosts file contribute to unexpected behavior. Little things like forgetting the carriage return at the end, or forgetting to remove the .txt extension. The Wikipedia article also addressed the fact that the hosts file is loaded into cache at startup and even after a /flushdns it is re-loaded into cache based on some registry settings

Glenn, you might find something more definitive in one of these links

Good section on troubleshooting name resolution:

In all my years of being a top-gun network troubleshooter, I've never run into a situation where it made any difference whether or not the Microsoft system in question exhibited what I think you believe to be anomolous behavior, and no, I've never tried your experiment because I've never had a reason to. There are better tools like netdiag, as long as you understand that ping and other standard TCP/IP applications use a different resolver method than do applications that use gethostbyname API.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.