2004/10/28

Don't cache 'negative' DNS lookups on Windows systems

This one is a little bit esoteric. Scenario:
  1. You try to connect to somesystem.yourdomain.com and fail - the name cannot be looked up.
  2. You discover that the DNS record is missing in your DNS server, and you fix it by adding the correct record.
  3. ... but you still can't connect to somesystem.yourdomain.com from your workstation!

What's happening here is that your system has cached a 'negative lookup'. Your local DNS cache basically doesn't think the DNS name exists - and it will go on thinking that until the cached entry expires.

Here is an example:

C:\Tools>ipconfig /displaydns

Windows IP Configuration
1.0.0.127.in-addr.arpa
----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
Record Type . . . . . : 12
Time To Live . . . . : 0
Data Length . . . . . : 4
Section . . . . . . . : Answer
PTR Record . . . . . : localhost

nosuchmachine.cojones.org
----------------------------------------
Name does not exist.

adminfoo.net
----------------------------------------
Record Name . . . . . : adminfoo.net
Record Type . . . . . : 1
Time To Live . . . . : 308
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 67.15.36.7

localhost
----------------------------------------
Record Name . . . . . : localhost
Record Type . . . . . : 1
Time To Live . . . . : 0
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 127.0.0.1

Here we see that the machine nosuchmachine.cojones.org was looked up, and found to be nonexistent. Now, even if I go and create a DNS record for nosuchmachine, my host will not resolve that name until the 'negative result' entry is flushed from my cache. I can manually flush it with an ipconfig /flushdns command.

Or I could put the following registry entries into my system:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"NegativeCacheTime"=dword:00000000
"NetFailureCacheTime"=dword:00000000
"NegativeSOACacheTime"=dword:00000000


Essentially this will tell my system to never cache 'negative lookups'.
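As an added PowerShell example (not code from the original post), the following parses the `ipconfig /displaydns` format shown above into objects, flags entries cached as "Name does not exist.", and reads or zeroes the three `Dnscache\Parameters` values from the .reg fragment. The function and variable names are my own, and the embedded sample is a constructed excerpt of the displaydns output above so the parser can be tried offline.

```powershell
# Added example, not part of the original post. Parses `ipconfig /displaydns` output
# into objects, flags cached negative lookups, and reads the three Dnscache\Parameters
# values the post sets to zero. All function and variable names here are my own.

function ConvertFrom-DisplayDns {
    # Turn the text of `ipconfig /displaydns` into one object per cached entry.
    param([Parameter(Mandatory)][string[]]$Lines)

    $entries = @()
    for ($i = 1; $i -lt $Lines.Count; $i++) {
        # Each entry is: <cache key line>, a line of dashes, then its fields until a blank line.
        if ($Lines[$i] -notmatch '^-{10,}\s*$') { continue }
        $name = $Lines[$i - 1].Trim()
        $body = @()
        for ($j = $i + 1; $j -lt $Lines.Count -and $Lines[$j].Trim() -ne ''; $j++) {
            $body += $Lines[$j].Trim()
        }
        $ttl = $null
        foreach ($field in $body) {
            if ($field -match '^Time To Live[ .]*:\s*(\d+)') { $ttl = [int]$Matches[1] }
        }
        $entries += [pscustomobject]@{
            Name     = $name
            # "Name does not exist." is how displaydns shows a cached negative answer.
            Negative = [bool]($body -contains 'Name does not exist.')
            TTL      = $ttl
        }
    }
    return $entries
}

function Get-NegativeDnsCacheEntry {
    # Live check: which names does this host currently believe do not exist?
    $lines = ipconfig /displaydns
    ConvertFrom-DisplayDns -Lines $lines | Where-Object { $_.Negative }
}

function Get-DnscacheNegativeSettings {
    # Reads the values from the post's .reg fragment; a missing value means the built-in default is in effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    foreach ($name in 'NegativeCacheTime', 'NetFailureCacheTime', 'NegativeSOACacheTime') {
        $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { 'not set (default applies)' } else { $item.$name }
        [pscustomobject]@{ Name = $name; Seconds = $value }
    }
}

function Disable-DnscacheNegativeCaching {
    # Equivalent to importing the post's .reg fragment; needs an elevated shell.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
    foreach ($name in 'NegativeCacheTime', 'NetFailureCacheTime', 'NegativeSOACacheTime') {
        Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    }
}

# Offline demo on a constructed excerpt of the post's displaydns output.
$sampleText = @'
Windows IP Configuration

nosuchmachine.cojones.org
----------------------------------------
Name does not exist.

adminfoo.net
----------------------------------------
Record Name . . . . . : adminfoo.net
Record Type . . . . . : 1
Time To Live . . . . : 308
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 67.15.36.7
'@
$sampleLines = $sampleText -split "`r?`n"
ConvertFrom-DisplayDns -Lines $sampleLines | Format-Table -AutoSize
```

Run `Get-NegativeDnsCacheEntry` before and after `ipconfig /flushdns` to confirm the negative entry is gone, and `Get-DnscacheNegativeSettings` to see whether the .reg values are in place. On Windows 8 and later the DnsClient module's `Get-DnsClientCache` and `Clear-DnsClientCache` cmdlets give the same information without parsing text.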

3 comments:

Tom said...

Why Microsoft decided this was a good idea is beyond me. There is absolutely no purpose in caching a negative DNS entry (short of possible DNS poisoning, which this isn't going to fix anyway).

What, to save a few bytes on our fiber optic network backbone infrastructure? Maybe back in '89 when people still used dial-up it made sense to not keep trying, but come on. Make this not a default, Microsoft.

1up said...

According to RFC 2038, negative DNS responses should be cached, unless they have no SOA records.

erkko said...

Just stumbled upon such a problem with win7pro. dnsflush to clean cache. Retry with curl against certain url. curl cannot find such domain... At the same time tcpdump runs at nameserver, win7pro asks no questions at this period. And yet, right after curl's unsuccessful attempt, displaydns shows negative result at dns cache... Flush again, registerdns - then all of a sudden it works - curl works, windows asks from dns...

Happens intermittently, not all the time of course. Disabling the dnscache service also works.