The DNS Client service riddle

If you believe Microsoft’s description for the DNS Client service, it’s needed to resolve and cache DNS names. They emphasize that if the service is stopped, the computer will not be able to resolve DNS names and locate Active Directory domain controllers. Well, I can’t say anything about the Active Directory domain controllers, but as far as the DNS resolutions go, this description appears to be plain wrong.

I first found out about this a while after installing a Windows XP machine, with SP1, if I recall that correctly (it doesn’t matter). I have my own DNS server running on a Linux machine, using PowerDNS and working as a “resolution proxy”. The same server machine also has a web proxy, a Socks proxy and a mail server setup, which I use from the client. Therefore, browsing the web, reading my email, using Messenger and so forth, I never noticed anything out of the ordinary, because all these services never required my client machine to do any DNS lookups itself.

The problems started when I tried to access news servers from the client machine. No proxy was used for that, so the client needed to resolve DNS names itself, and this behaved highly unreliably. One time it would work, the next time not. Then maybe it would work for quite a while, allowing me to read a newsgroup. Then, when I wanted to post, it wasn’t working once again.

With a network analyzer and the log file of my own DNS server, I was able to find out what the Windows machine was doing: it was actually contacting the DNS server only every 15th time or so (not really a reproducible value). In that single instance, everything would work as expected. The client was reliably misbehaving in this way when I repeatedly executed nslookup and ping commands from the command line. After a long while of fiddling around, I found out about the DNS Client service. After an even longer time, I found that once I switched off that service, everything was completely normal, with the client contacting the DNS server for every single lookup.

So, does that service resolve DNS names? Well, sometimes. Does it cache DNS name resolutions? No, I’ve never seen that.

I decided to blog about this because I wasn’t able to find any comprehensive information on this topic on the net. I did actually find a page at The Elder Geek where the service is described to behave in a similar way to what I’ve seen, so I know I’m not the only one.

To this day I have no idea why that service is misbehaving for me. After I had initially thought it had something to do with my particular setup, I’ve since had reports from three different friends who have seen the same problem in their network setups, which are all distinctly different from mine. In each of these cases I was able to help them by suggesting they switch off the DNS Client service. The reason remains a riddle, though…

14 Comments on The DNS Client service riddle

  1. I had a problem on my computer only getting a network speed of 4600 on a 5000 line, while another computer got 5000. Difference? DNS Client. Stopped that and now I get 5000. A speed increase of >10%. What is this?


  2. Hi, Yeah I have no idea what the service does either. I’ve stopped it and I appear to be resolving names fine. Recently I’ve been having odd issues with XP not resolving addresses, the DNS servers work fine as I can try it on another PC on the LAN and it’s ok. Seems to happen at random… Will see how I go with the DNS client stopped I think. Odd.


  3. Dan Pope // May 4, 2008 at 3:37 pm

    I had exactly the same issue. Like you, I was under the misapprehension that the service was a DNS cache service, which would return IP info for recently cached domains, or request said information from the real DNS server when the cache didn’t contain it. After all, this *is* what DNS services are supposed to do. Aren’t they?

    I have two machines on a network here, and having run a fairly detailed network traffic analysis I found similar to you, no actual DNS requests were reaching my gateway more often than not. One machine gave more trouble than the other, but given time both suffered the issue. Initially I issued ‘net stop "DNS Client"’ followed by ‘net start "DNS Client"’ and things would work fine again for quite a while. It was a few days before I realised it would work perfectly the moment the service was stopped.

    Since almost everyone these days has their internet connection provided by a DSL router, which acts as an internet gateway and handles DNS itself, I guess our best bet is simply to stop and permanently disable the DNS service, set your DNS addresses on all client machines to the IP of the router/gateway and forget about it. The number of services you can actually remove with no ill effect is enormous. Far more than you actually need running. On XP anyway…

    *Praise Microsoft! For their immense bloatware has made memory cheaper than it ever would have been under Risc OS. ;)*


  4. Peter da Silva (of peter.hates-software.com) pointed out a couple of years ago that the "dns client" actually caches any traffic it sees on the local net. This means that it can be poisoned by local traffic. Conversely, it means that it is necessary for compatibility with some obscure or failed network set-up where there is no proper hosts file or netbios or dns or dhcp service on the local net, and your login server is advertising itself by some obscure means.


  5. What the heck does this sentence mean?

    “So, does that service resolve DNS names? Well, sometimes. Does it cache DNS name resolutions? No, I’ve never seen that.”

    the DNS Client resolves names “…sometimes…” but you’ve never seen it cache a resolution?


  6. Hi Chris,

    I wonder what sort of misunderstanding you see in these sentences. Yes, what I meant back then (and I haven’t looked into it again in a huge long time, so I have no idea how true this is today) is that while you can sometimes see the DNS Client do resolving work for you, it never seems to do any caching. Rereading my above description, it seems that the service prevents certain resolution requests from going through (which is of course the behavior of a cache), but unfortunately this doesn’t happen (exclusively?) in cases where the resolution is already known (so perhaps I should say it does behave like a cache, albeit a broken one?).

    Oliver


  7. Nothing personal, I just didn’t understand what appears to me to be a contradictory statement.

    I performed some tests myself and was able to see the dnscache (DNS Client) service cache individual lookups and prevent repeated external DNS lookups for the same name resolution.

    The dnscache service isn’t all that special. From my estimation (aside of the auto-registration) it simply tries to lessen the network traffic and speed up resolution by caching and responding to repeated DNS queries that have previously been cached.

    In my tests I ran Wireshark and watched for DNS queries with the dnscache service enabled and disabled. As expected when the dnscache was enabled Wireshark displayed only an initial dns lookup entry and then subsequent requests did not generate any entries.

    When the dnscache service was disabled, as expected, every lookup would produce an entry in Wireshark…

    Back to your statement:

    “So, does that service resolve DNS names? Well, sometimes. Does it cache DNS name resolutions? No, I’ve never seen that.”

    Does that service resolve names? Not exactly. It doesn’t resolve names, rather it caches the response (both positive and negative) from the targeted DNS server.

    Does it cache DNS name resolutions? Yes, that’s the primary purpose of this service and looking at the dns cache (ipconfig /displaydns) clearly shows what has been inserted into cache after the initial lookup has been performed.


  8. Oh yeah, noticed one other thing… NSLookup bypasses the dnscache service and goes straight to the Primary DNS Server. Ping, however, does use the dnscache service. Not exactly sure why but that is evident when using network captures and when enabling the dnscache log file.

    In addition, the command “IPConfig /registerdns” does not use the dnscache service, nor does the DNS Locator Service that is used by Active Directory aware applications that are looking for the closest directory resource (ala SRV record search).


  9. Hey Chris,

    I appreciate your comments as a different point of view/experience. As I said, I haven’t looked into this issue for a long time, and of course it’s always possible that the precise behavior depends on Windows/SP/Whatever versions. But the (lack of?) behavior that I’ve been seeing is documented not only by other commenters on this post, but also elsewhere all over the internet. I have solved connection problems for friends and family countless times with the simple recommendation of switching off the DNS Client.

    Unfortunately I have no motivation to hunt this issue down again now, in order to have a really good discussion with you about it 🙂 So all the above are the only 2p I’m going to give on this, and my observation stands: the DNS Client service on Windows is not required for DNS lookups (since they obviously work just fine without the service) and experience shows that the service is often a source of connection trouble.


  10. I had a client’s PC that wouldn’t let me use the Windows Update site or download anything from the download centre. ipconfig /flushdns gave an error that led me to the DNS Client service, which was disabled. I reenabled it and now everything works again.


  11. DNS service if stopped will only stop a DNS query from using cache. The DNS query will directly go upstream only ignoring cache. Normally a DNS query will first look for data stored in cache to resolve a DNS query. If it does not find a record then it goes upstream to DNS servers.


  12. Midal Phingar // June 4, 2011 at 9:23 am

    In certain cases this “service” can cause a severe startup delay. When it is disabled, the delay is instantly destroyed.

    RPCSS is the verbose delay indication, but DNS is the REAL problem.

    Typical Micro$oft software.


  13. Whatever the points, it is clear that resolution works perfectly fine if dns client service is stopped


  14. It just builds a local DNS cache on your PC rather than going to actual DNS for everything all the time. ipconfig /flushdns will empty this, which is useful for developers spoofing or updating domains, and troubleshooting.

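Several comments above point to `ipconfig /displaydns` as the way to see what the DNS Client service has cached, including negative answers, and one notes that the cache can be poisoned. The following is an added example, not code from the post or its commenters: it parses that output and flags negative-cached names and cached addresses that differ from a known-good baseline. The sample output, host names, addresses and the `EXPECTED` baseline are constructed, and English-locale output is assumed.

```python
import re

# Constructed, abridged sample of English-locale `ipconfig /displaydns` output.
SAMPLE = """\
Windows IP Configuration

    news.example.net
    ----------------------------------------
    Record Name . . . . . : news.example.net
    Time To Live  . . . . : 412
    A (Host) Record . . . : 192.0.2.10

    intranet.example.net
    ----------------------------------------
    Record Name . . . . . : intranet.example.net
    Time To Live  . . . . : 86000
    A (Host) Record . . . : 203.0.113.66

    typo.example.net
    ----------------------------------------
    Name does not exist.
"""
# Hypothetical baseline: addresses your own DNS server is known to hand out.
EXPECTED = {"news.example.net": {"192.0.2.10"}, "intranet.example.net": {"192.0.2.20"}}
FIELD = re.compile(r"^(.+?)[ .]*:\s*(.*)$")  # "Key . . . : value"

def parse_displaydns(text):
    """Map each cached name to its TTL, A records and negative-cache flag."""
    entries, current, lines = {}, None, text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("-----") and i > 0:  # the dashes follow the cached name
            name = lines[i - 1].strip().lower()
            current = entries.setdefault(name, {"negative": False, "ttl": None, "addresses": []})
        elif current is None:
            continue  # banner lines before the first entry
        elif s.startswith(("Name does not exist", "No records of type")):
            current["negative"] = True  # cached negative answer
        elif (m := FIELD.match(s)) and m[1] == "Time To Live":
            current["ttl"] = int(m[2])
        elif m and m[1] == "A (Host) Record":  # IPv4 answers only in this example
            current["addresses"].append(m[2])
    return entries

def audit(entries, expected):
    """List cached names that are negative or resolve outside the baseline."""
    return [(n, "negative-cached" if e["negative"] else "unexpected-address")
            for n, e in sorted(entries.items())
            if e["negative"] or (n in expected and not set(e["addresses"]) <= expected[n])]
```

Calling `audit(parse_displaydns(SAMPLE), EXPECTED)` on the constructed sample reports `intranet.example.net` as an unexpected address and `typo.example.net` as a cached negative answer; on a real host, feed it the captured output of `ipconfig /displaydns` instead of `SAMPLE`.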