Solved

Does "ping <FQDN>" attempt to use the local hosts file for resolution of <FQDN> when the DNS Client service is not running?

Posted on 2008-06-10
Last Modified: 2008-07-26
Hello DNS Experts:

I am trying to get broader confirmation for something that I have tested on a couple of platforms, and for which the online documentation seems to be either somewhat vague or in error. Perhaps someone can correct me if this assumption is incorrect.

I have tested this on Windows XP with SP2, and on Vista, and have concluded that 'ping <name>' uses the hosts file even when the DNS Client service ('dnscache') is not running. If someone can definitively prove this to be false, that would be sufficient as an answer.

Otherwise, what I am looking for is either:

  a) is the behavior different for Windows Server 2003, Windows Server 2008 or for XP or Vista with a different service pack level? I.e. - show me a case where name resolution *does not* use the hosts file when the DNS Client service is stopped.
or,
  b) Is there some registry setting or other condition on the DNS client that would prevent the DNS APIs from using the hosts file when dnscache is not running?

I am making the assumption that ping relies on the standard DNS resolution process for <name>, and that this implies that the DNS APIs are used. I am only interested in the case where NetBIOS name resolution is not a factor - i.e. a FQDN is used.

I am familiar with the following articles, which either do not address the question directly or seem to imply the opposite - that the hosts file is not used when the dnscache service is not running:

TCP/IP Fundamentals for Microsoft Windows - Chapter 7 - Host Name Resolution:
http://technet.microsoft.com/en-us/library/bb727005(TechNet.10).aspx  

"How DNS query works" (Windows Server 2003)  http://technet2.microsoft.com/windowsserver/en/library/0bcd97e6-b75d-48ce-83ca-bf470573ebdc1033.mspx?mfr=true

I did the following test to arrive at the conclusion that the query for <name> *can succeed* even when the DNS Client service is stopped (where <name> is an FQDN and there is not a valid local DNS server setting).

Platform/environment: Windows XP, Service Pack 2

// Start with a machine that has a hosts file with no user-defined entries. In a command window do the following (not all steps are essential)

cd C:\WINDOWS\system32\drivers\etc
type hosts // verify that it only contains the following entry:
    127.0.0.1       localhost
ipconfig /flushdns  // verify that it responds with "Successfully flushed the DNS Resolver Cache."
ping ns1.google.com   // save the IPv4 address (216.239.32.10)
ping ns2.google.com   // verify that this succeeds
ipconfig /displaydns  // verify that there are A (Host) records for ns1.google.com and ns2.google.com
ipconfig /flushdns  // (redundant)
net stop dnscache  // verify that it responds with "The DNS Client service was stopped successfully."
// Now add the following entry to the hosts file ('notepad hosts') and save the file to its original location:
    216.239.32.10       ns1.google.com
ipconfig /all   // get the name of the relevant interface, e.g. "Local Area Connection"
netsh interface ip show dns "Local Area Connection"
// if it shows "DNS servers configured through DHCP:" do the following:
  netsh interface ip set dns "Local Area Connection" static 1.0.0.0  // or use any IP that is not a valid DNS server address
// else  // static, not dhcp
  netsh interface ip delete dns "Local Area Connection" all
ipconfig /all   // verify the DNS server setting
ping ns2.google.com  // this should fail with "Ping request could not find host ns2.google.com. Please check the name and try again."
ping ns1.google.com  // if this succeeds in resolving the name ("Pinging ns1.google.com ...") -->> ** THEN THE HOSTS FILE MUST HAVE BEEN USED **
// Test completed: restore local settings:
// Restore DNS server setting for "Local Area Connection"
netsh interface ip set dns "Local Area Connection" dhcp
// Start the DNS Client service
net start dnscache
// ** end of test **

Thanks,
Glenn
Question by:GlennH759
11 Comments
 
LVL 11

Expert Comment

by:CMYScott
ID: 21755985
http://en.wikipedia.org/wiki/Microsoft_DNS

answers SOME of your questions
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21756045
Windows name resolution for DNS uses numerous methods. The order is as follows as I recall:
DNS name resolution:
Hosts file | DNS | DNS cached names | WINS | Broadcasts | LMHosts file
NetBIOS name resolution:
NetBIOS name cache | WINS | Broadcasts | LMHosts file | Hosts file | DNS

So to answer your question ping will use Hosts file.
0
 
LVL 2

Author Comment

by:GlennH759
ID: 21757000
CMYScott:

Thanks for the link, however I am looking for documented sources - either from Microsoft that I have overlooked, or from DNS experts that can confirm this behavior based on their experiences in troubleshooting with this technique across Windows platforms, i.e. stopping the DNS cache service.

RobWill:

My question was not about the general name resolution order when dnscache is available. To rephrase:  is 'hosts' used when dnscache has been stopped?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 334 total points
ID: 21757019
>>"To rephrase:  is 'hosts' used when dnscache has been stopped?"
Yes, but presumably there are no entries present to use, unless you have added them.
0
 
LVL 2

Author Comment

by:GlennH759
ID: 21757133
That's exactly the point - see my test steps above - e.g. I added an entry for ns1.google.com to 'hosts'.

Perhaps I can clarify my purpose in asking the question:

First, to give correct advice to some of the askers on this forum who have run into specific problems with resolution where they are using a hosts file and where there may be problems with the dnscache service. Is it sound to advise them to stop the dnscache service so that they can determine if resolution is failing or succeeding when only the hosts file is a factor? (besides NetBIOS, remote DNS, etc.)

Frankly I believe that the earlier Microsoft documentation has caused some confusion in this area so that people assume that they must have the DNS cache service running in order to do name resolution. Thus you see people overusing 'ipconfig /flushdns', restarting, etc. when they could simply 'net stop dnscache', in order to eliminate this as a factor/possible cause of the problem.

Secondly this relates to a software project that is currently under development - I need confirmation of exactly what happens in the scenario I outlined above.
0

 
LVL 2

Author Comment

by:GlennH759
ID: 21757170
Here are two of the questions where stopping the dnscache service but knowing for sure that the hosts file is used could be helpful for troubleshooting:

DNS Not reading Hosts file  
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23463501.html

Host file not read. After reboot it's ok again  
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/XP/Q_23238660.html
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 21757199
I am not sure I follow. Have you found a problem with basic resolution?
You do not need DNS cache, for that matter you could eliminate several services. DNS name resolution tries to resolve a name in the order I provided above. If one fails, it moves to the next. Also in this day and age, though a Hosts file works, why would anyone use it?
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 334 total points
ID: 21757211
I think you will find most times when a Hosts file is not read it is due to being improperly configured. The hosts file is quite fussy and simple things like failure to add a carriage return will cause it to fail.
http://msmvps.com/blogs/robwill/archive/2008/05/10/lmhosts-and-hosts-files.aspx
0
 
LVL 2

Author Comment

by:GlennH759
ID: 21757442
"Have you found a problem with basic resolution?"
- No, please see above.

Can anyone else confirm what I am looking for based on their experiences in this area? I would like an answer in specific terms that responds to the question as I originally described it.


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 166 total points
ID: 21785466
Perhaps I can throw some technical information into this thread as an outside observer....I think I understand the question, but if I'm off base, then please forgive me...

Microsoft is what it is and has never been consistent or adhered to RFC standards. Ping uses a different mechanism for name resolution than applications like IE do. If I can ping something by name but can't open a web page to it, it's an application issue with IE. There are examples all over the net on how to fix IE if it won't resolve.
Ping uses windows sockets whereas an application calls the API gethostbyname (as in the case of Internet Explorer).
Stopping the dnscache doesn't stop the system from resolving. Earlier versions of Windows prior to 2000 didn't even have a dnscache service (answers question a). Windows Vista and Server 2008 have totally re-written TCP/IP stacks, but as you witness, the behavior is the same.

So, this also answers question b) in that there is not any condition at all that will prevent the use of the hosts file, therefore actually proving that Glenn is right in his initial assumptions.

Rob's response here was also right on the money and direct to the point. "YES" is the answer. Period.
      >>"To rephrase:  is 'hosts' used when dnscache has been stopped?"
      Yes, but  . . .

Rob was also right on the money when he pointed out that errors in configuring the hosts file contribute to unexpected behavior. Little things like forgetting the carriage return at the end, or forgetting to remove the .txt extension. The Wikipedia article also addressed the fact that the hosts file is loaded into cache at startup and even after a /flushdns it is re-loaded into cache based on some registry settings.

Glenn, you might find something more definitive in one of these links
http://support.microsoft.com/kb/318803
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsbi_add_xvuo.mspx?mfr=true

Good section on troubleshooting name resolution:
http://technet.microsoft.com/en-us/library/bb457118(TechNet.10).aspx#EBAA

In all my years of being a top-gun network troubleshooter, I've never run into a situation where it made any difference whether or not the Microsoft system in question exhibited what I think you believe to be anomalous behavior, and no, I've never tried your experiment because I've never had a reason to. There are better tools like netdiag, as long as you understand that ping and other standard TCP/IP applications use a different resolver method than do applications that use gethostbyname API.

0
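
An added example, not part of the thread and not any poster's code: a small Python check for the two hosts-file mistakes named in the answers above (no line terminator after the last entry, a stray .txt extension), plus basic entry syntax. `lint_hosts` and `SAMPLE` are names chosen for illustration, and the sample bytes are constructed from the entry used in the question's test.

```python
import ipaddress
import sys

# Constructed sample: the default XP entry plus the entry added in the
# question's test, saved without a final line terminator.
SAMPLE = b"127.0.0.1       localhost\r\n216.239.32.10       ns1.google.com"


def lint_hosts(raw, filename="hosts"):
    """Return (entries, warnings) for the raw bytes of a hosts file."""
    entries, warnings, seen = [], [], {}
    # Explorer hides known extensions by default, so "hosts.txt" can pass for "hosts".
    if filename.lower() != "hosts":
        warnings.append(f"file is named {filename!r}, not 'hosts'")
    # The thread reports that an unterminated last entry may be ignored;
    # this only flags the condition, it does not test the resolver.
    if raw and not raw.endswith((b"\n", b"\r")):
        warnings.append("last line has no line terminator")
    text = raw.decode("ascii", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()  # drop comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            warnings.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        if len(fields) < 2:
            warnings.append(f"line {lineno}: address with no host name")
            continue
        for name in fields[1:]:
            key = name.lower()
            if seen.setdefault(key, addr) != addr:
                warnings.append(f"line {lineno}: {key} already mapped to {seen[key]}")
            entries.append((key, addr))
    return entries, warnings


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check SAMPLE.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path, "rb") as fh:
            data, name = fh.read(), path.replace("\\", "/").rsplit("/", 1)[-1]
    else:
        data, name = SAMPLE, "hosts.txt"
    found, problems = lint_hosts(data, name)
    for problem in problems:
        print("WARNING:", problem)
    print(len(found), "usable entries")
```

Run it with the path to the hosts file (C:\WINDOWS\system32\drivers\etc\hosts in the question's test) before concluding that the resolver is ignoring the file.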
