I decided I would install Wireshark on my Windows 7 laptop and watch some traffic. After running Wireshark, I discovered some interesting traffic as a result of a simple DNS query…
The example I use here is a simple nslookup for google.com against the DNS server 10.10.10.11 (ns1.metcorp.org).
That simple command initiated the following activities.
When a Windows 7 workstation sends a DNS query to a DNS server, it performs the following queries (in the Wireshark capture, DNS client queries were coloured blue and responses orange):
- Standard Query PTR 126.96.36.199.in-addr.arpa
(reverse lookup for the PTR record associated with the primary DNS server in order to get the DNS server’s hostname).
- Standard Query response PTR ns1.metcorp.org
(the DNS server responds with the hostname)
- Standard Query A google.com.metcorp.org
(The DNS client appends its local domain suffix to perform single-label name resolution. The DNS client requests an A (host) record.)
- Standard Query response, No such name
(The DNS server could not find an A (host) record matching google.com.metcorp.org)
- Standard Query AAAA google.com.metcorp.org
(The DNS client appends its local domain suffix to perform single-label name resolution. The DNS client requests an AAAA (IPv6 host) record which is the IPv6 version of an A record.)
- Standard Query response, No such name
(The DNS server could not find an AAAA (IPv6 host) record matching google.com.metcorp.org)
- Standard Query A google.com
(The DNS client sends the original queried hostname. The DNS client requests an A (host) record.)
- Standard Query response, A 188.8.131.52 A 184.108.40.206 A 220.127.116.11 A 18.104.22.168 A 22.214.171.124 A 126.96.36.199
(The DNS server locates an existing A record matching google.com. In this example, there are multiple IP addresses associated with google.com and these are provided in the response.)
- Standard Query AAAA google.com
(The DNS client sends the original queried hostname. The DNS client requests an AAAA (IPv6 host) record.)
- Standard Query response
(includes SOA record information for the domain)
  - Authoritative nameservers
    - google.com: type SOA, class IN, mname ns1.google.com (the mname field identifies the primary name server)
      - Name: google.com
      - Type: SOA (Start of zone authority)
      - Class: IN (0x0001)
      - Time to live: 5 minutes
      - Data length: 38
      - Primary name server: ns1.google.com
      - Responsible authority’s mailbox: dns-admin.google.com
      - Serial number: 1473701 (at the time I ran it)
      - Refresh interval: 2 hours
      - Retry interval: 30 minutes
      - Expiration limit: 14 days
      - Minimum TTL: 5 minutes
This process doesn’t include the traffic from the local DNS server (ns1.metcorp.org) to get the A record information from the google.com DNS server.
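The query order above is mechanical: the client builds the PTR owner name from the server's address, appends its DNS suffix to the requested name, and asks for A and then AAAA before falling back to the bare name. The following Python script, added here as an illustration and not part of the original post, reproduces that sequence and encodes each query as the DNS wire format (RFC 1035 header plus one question) so the bytes can be compared against a Wireshark capture. The suffix list `["metcorp.org"]`, the transaction id, and the server address 10.10.10.11 are taken from the post; everything else is an assumption for the demo.

```python
import struct
import ipaddress

# Query type codes from RFC 1035 (A, PTR) and RFC 3596 (AAAA).
QTYPE = {"A": 1, "PTR": 12, "AAAA": 28}


def reverse_name(ip):
    """PTR owner name for an address: octets reversed under in-addr.arpa
    (nibbles reversed under ip6.arpa for an IPv6 address)."""
    return ipaddress.ip_address(ip).reverse_pointer


def query_sequence(name, suffixes):
    """The (qname, qtype) order seen in the capture: for each configured
    suffix the client asks A then AAAA for name.suffix, then A then AAAA
    for the name as typed. Windows did this even though google.com is not
    a single-label name, and this function reproduces that."""
    seq = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        seq += [(fqdn, "A"), (fqdn, "AAAA")]
    seq += [(name, "A"), (name, "AAAA")]
    return seq


def encode_qname(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def build_query(txid, qname, qtype):
    """Standard query: 12-byte header (RD bit set, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def parse_question(packet):
    """Decode (txid, qname, qtype) from a query packet; the inverse of build_query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype_code, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    names = {code: text for text, code in QTYPE.items()}
    return txid, ".".join(labels), names.get(qtype_code, str(qtype_code))


if __name__ == "__main__":
    # The reverse lookup the client sends for its configured server first.
    print("PTR", reverse_name("10.10.10.11"))
    # Then the suffix-appended and bare-name lookups, as raw bytes.
    for qname, qtype in query_sequence("google.com", ["metcorp.org"]):
        pkt = build_query(0x1234, qname, qtype)
        print(f"{qtype:<5} {qname:<28} {len(pkt):>3} bytes  {pkt.hex()}")
```

The hex output of `build_query` lines up with Wireshark's "Domain Name System (query)" bytes pane: transaction id, flags 0x0100, the counts, then the label-encoded name and the type/class pair.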
The Windows DNS client will append its primary DNS suffix:
Note that when using Active Directory, by default, the primary DNS suffix portion of a computer’s full computer name must be the same as the name of the Active Directory domain where the computer is located. To allow different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access Protocol (LDAP).
Furthermore, the Windows DNS client checks its cache first, then sends the DNS query to the first DNS server listed in the NIC settings (the primary DNS server). If no response arrives within 1 second, it sends the same query to the first configured DNS server on all network adapters; whichever server replies first is used for subsequent queries. If there is no response to this query from any DNS server on the preferred network adapter:
- It waits 2 seconds for a response from the primary DNS servers configured on all other adapters.
- After this second try with no response, the DNS client sends the query to all DNS servers on all adapters (still under consideration) waiting 2 seconds for a response.
- After this third try with no response, the DNS client sends the query to all other DNS servers still under consideration (on all adapters) waiting 4 seconds for a response.
- After this fourth try with no response, the DNS client sends the query to all other DNS servers still under consideration (on all adapters) waiting 8 seconds for a response.
- At this point the DNS client returns a time-out.
Once a response is received, querying stops.
If the response is a positive one, the response is added to the client’s cache, and the query is fulfilled.
If the response is a negative one, all alternate DNS servers are removed from consideration for this query and the negative response is cached.
For example, if someone queries for portal.metcorp.org before the admin creates the A record, the user’s computer will cache this negative response from the DNS server: the record doesn’t exist, so it is cached as such on that computer until the cache entry expires. The admin creates the A record for portal.metcorp.org 1 minute later and asks the user to try again. The user attempts to connect to portal.metcorp.org and it fails again, because this time the DNS query is satisfied by the DNS client cache on the user’s workstation. Running ipconfig /flushdns will clear the DNS client cache on the computer, including negative responses. After performing this action on the user’s computer (or restarting the DNS Client service), the user is able to receive the configured IP address for portal.metcorp.org.
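The server-selection rounds and the negative-caching trap described above are easiest to see with a virtual clock. The simulation below is an added example, not code from the original post or from Microsoft: it walks the rounds listed above (1 s to the preferred adapter's primary, 2 s to every adapter's primary, then 2, 4 and 8 s to every server), caches a negative answer for the SOA minimum TTL (5 minutes, as in the capture) and replays the portal.metcorp.org scenario including the `ipconfig /flushdns` fix. The adapter layout, server latencies and addresses are constructed assumptions; the exact grouping of servers per round is a simplification of the text.

```python
from dataclasses import dataclass, field

# Constructed topology (assumption): DNS server lists per adapter, primary first.
ADAPTERS = {
    "Ethernet": ["10.10.10.11", "10.10.10.12"],
    "Wi-Fi": ["192.168.1.1"],
}


def query_rounds(adapters, preferred):
    """The (servers, timeout_seconds) rounds from the text, in order."""
    primaries = [srvs[0] for srvs in adapters.values() if srvs]
    everything = [s for srvs in adapters.values() for s in srvs]
    return [
        ([adapters[preferred][0]], 1),  # primary on the preferred adapter, 1 s
        (primaries, 2),                 # primaries on all adapters, 2 s
        (everything, 2),                # every server on every adapter, 2 s
        (everything, 4),                # same set, 4 s
        (everything, 8),                # same set, 8 s; then time-out
    ]


@dataclass
class SimClient:
    adapters: dict
    preferred: str
    # ip -> (latency_s, answer, ttl_s); latency None means the server never replies
    servers: dict
    cache: dict = field(default_factory=dict)  # name -> (answer, expires_at)
    negative_ttl: int = 300  # SOA minimum TTL: 5 minutes in the capture above

    def resolve(self, name, now):
        """Return (answer, seconds_elapsed, source) using a virtual clock `now`."""
        hit = self.cache.get(name)
        if hit is not None:
            answer, expires = hit
            if expires > now:
                return answer, 0.0, "cache"  # positive or negative, served locally
            del self.cache[name]
        elapsed = 0.0
        for servers, timeout in query_rounds(self.adapters, self.preferred):
            responders = []
            for ip in servers:
                latency, answer, ttl = self.servers.get(ip, (None, None, 0))
                if latency is not None and latency <= timeout:
                    responders.append((latency, ip, answer, ttl))
            if responders:
                latency, ip, answer, ttl = min(responders)  # first reply wins
                elapsed += latency
                life = self.negative_ttl if answer == "NXDOMAIN" else ttl
                self.cache[name] = (answer, now + life)
                return answer, elapsed, ip
            elapsed += timeout  # whole round expired with no reply
        return "TIMEOUT", elapsed, None

    def flushdns(self):
        """Equivalent of `ipconfig /flushdns`: drops positive and negative entries."""
        self.cache.clear()


if __name__ == "__main__":
    servers = {
        "10.10.10.11": (0.02, "NXDOMAIN", 0),   # record does not exist yet
        "10.10.10.12": (0.05, "NXDOMAIN", 0),
        "192.168.1.1": (None, None, 0),         # Wi-Fi resolver never answers
    }
    client = SimClient(ADAPTERS, "Ethernet", servers)
    print("t=0   ", client.resolve("portal.metcorp.org", now=0))
    client.servers["10.10.10.11"] = (0.02, "10.10.10.50", 3600)  # admin adds the A record
    print("t=60  ", client.resolve("portal.metcorp.org", now=60))  # still NXDOMAIN, from cache
    client.flushdns()
    print("flush ", client.resolve("portal.metcorp.org", now=60))  # now resolves
```

Because the negative answer is cached for the SOA minimum TTL, a user who tried the name one minute too early sees the failure repeat until the entry expires or the cache is flushed, which is exactly the symptom described above.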
The Windows DNS client performs Subnet Prioritization which means that if there are multiple IP addresses for a hostname, the response is then ordered in priority order with the hostname associated IP Addresses that are local to the client listed first. The use of Subnet Prioritization overrides DNS Round Robin behavior.
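Subnet prioritization is a client-side reorder of the answer list, so a server rotating addresses (round robin) no longer controls which one the client tries first. The snippet below is an added example, not code from the original post; it assumes a /24 for "local to the client" (Windows historically used address-class or netmask matching, so the prefix length is a stand-in) and uses constructed documentation addresses.

```python
import ipaddress


def subnet_prioritize(records, client_ip, prefix_len=24):
    """Reorder A records so addresses on the client's own subnet come first.
    The sort is stable, so the server's order is kept within each group.
    prefix_len is an assumption for this demo (a /24)."""
    local = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    return sorted(records, key=lambda ip: ipaddress.ip_address(ip) not in local)


def round_robin(records, turn):
    """What a server doing DNS round robin returns on its `turn`-th answer."""
    k = turn % len(records)
    return records[k:] + records[:k]


if __name__ == "__main__":
    # Constructed response: one address on the client's LAN, two elsewhere.
    answer = ["203.0.113.10", "10.10.10.50", "198.51.100.7"]
    for turn in range(3):
        served = round_robin(answer, turn)
        print(served, "->", subnet_prioritize(served, "10.10.10.20"))
```

Whatever rotation the server applies, the address on the client's subnet is moved to the front, which is why round robin load spreading stops working for clients that share a subnet with one of the hosts.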
The Windows Server 2003 DNS Client service performs the following tasks:
- Registers its names in DNS.
- Name resolution.
- Caching responses to name resolution queries.
- Removes previously resolved names from the cache when it receives a negative response for the name.
- Negative caching.
- Keeps track of transitory (Plug and Play) network connections and the DNS server lists based on their IP configurations.
- Maintains connection-specific domain name suffixes.
- Prioritizes which DNS servers it uses according to whether they respond to a query, if multiple DNS servers are configured on the client.
- Prioritizes the multiple A resource records it receives from a DNS server based on their IP address.
- Initiates a network failure timeout when all DNS Client service queries time out, and does not submit any queries for 30 seconds. This feature applies to every adapter separately.
From “How DNS Works”