I wanted to talk about an issue today that I see with a great deal of regularity: statically setting an external or public DNS (Domain Name System) server in the DNS client settings of a machine that is joined to an Active Directory domain.
In the above picture we have the Active Directory domain controller as the Preferred DNS server. However, we also have one of the Google public DNS servers as the Alternate DNS server. At first look, it appears this might be a good idea: if the Active Directory domain controller goes down, this PC can still resolve names on the Internet. However, there is a significant disadvantage to setting up the DNS client in this way. To understand this disadvantage, we must first understand how the DNS name resolution process works in Windows.
When a Windows system, either client or server, needs to resolve a name, it goes through the following process.*
- The client checks to see if the name queried is its own.
- The client queries the DNS client resolver cache. Any entries from the hosts file are preloaded to the resolver cache.
- Domain Name System (DNS) servers are queried.
- If the name is still not resolved, the NetBIOS name resolution sequence is used.
*I have omitted WINS from the process as it is rarely used anymore.
Let’s dive a little deeper into bullet point two. There are two important takeaways for the DNS client cache. The first is how long a record, or the absence of one, is cached. This is typically referred to as the TTL (Time To Live). A positive answer is cached for its TTL or 24 hours, whichever is less. A negative response, that is, when the record does not exist or cannot be found, is cached for 5 minutes. The second takeaway is that clearing the cache can only be achieved by restarting the DNS client service, running ipconfig /flushdns, or restarting the client.
Now on to bullet point three and our example above. The Windows DNS client will use the Preferred DNS server first. If that server fails to respond, even just for a second, the Windows DNS client will switch over to the Alternate DNS server. The Windows DNS client will not switch back to the Preferred DNS server unless the alternate fails to respond. In the case of a public DNS server this is unlikely to happen. If the Windows DNS client does get “stuck” on the alternate server, there are three ways to get it to switch back: restart the DNS client service, restart the computer, or modify the DNS client configuration.
So now we have a better understanding of how DNS name resolution and the Windows DNS client work. Let’s go over why public DNS servers should not be used. In most environments there will be DNS timeouts on occasion. As we now understand, a DNS timeout can cause the DNS client to switch to the next DNS server in the list. If the DNS client switches to a public DNS server, then queries for internal resources, such as domain controller service records or other systems on the LAN (Local Area Network), will fail. So the bottom line here is that using an external DNS server in the DNS client settings can, and usually will, cause unpredictable behavior.
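The following audit script is an added example and not part of the original article: it finds the problem described above on a domain-joined Windows machine by treating only the domain controllers (located through the _ldap._tcp.dc._msdcs SRV records) as approved resolvers and flagging any other server on any adapter, so it catches not just Google's resolvers but any non-DC address. It assumes PowerShell 5.1 or later with the built-in DnsClient module, that $env:USERDNSDOMAIN names the joined domain, and an elevated session when -Remediate is used.

```powershell
# Added example: audit (and optionally fix) DNS client server lists on an AD-joined machine.
# Assumes the DnsClient module (Windows 8 / Server 2012 and later) and $env:USERDNSDOMAIN.
param(
    [switch]$Remediate   # rewrite offending adapters to use only domain controllers
)

$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'This machine does not appear to be domain-joined.' }

# Approved resolvers: the A records of every DC advertised in the domain's SRV records.
$dcHosts = (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }).NameTarget
$approved = foreach ($h in $dcHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' }).IPAddress
}
$approved = @($approved | Sort-Object -Unique)
if (-not $approved) { throw 'Could not resolve any domain controller addresses.' }

# Inspect the IPv4 server list of every adapter that has one configured.
$findings = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if (-not $cfg.ServerAddresses) { continue }
    $bad = @($cfg.ServerAddresses | Where-Object { $_ -notin $approved })
    if ($bad) {
        [pscustomobject]@{
            Interface  = $cfg.InterfaceAlias
            Configured = $cfg.ServerAddresses -join ', '
            NotDC      = $bad -join ', '
        }
    }
}

if (-not $findings) {
    Write-Output "OK: all configured DNS servers are domain controllers ($($approved -join ', '))."
    return
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # Changing the configuration also resets the resolver's preference, so a client that
        # was "stuck" on the public alternate goes back to the domain controllers.
        Set-DnsClientServerAddress -InterfaceAlias $f.Interface -ServerAddresses $approved
    }
    Clear-DnsClientCache   # same effect as ipconfig /flushdns
}
```

Run it without -Remediate across a fleet to get a report first; the Set-DnsClientServerAddress call only touches adapters that were flagged.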
One final thought. The default configuration of the Microsoft DNS server will allow Internet names to be resolved. This is accomplished using root hints. If a public DNS server must be used for Internet queries, then a DNS forwarder can be added in the DNS server configuration.
I hope you found this article informative. If you have anything to add or see something that needs a correction, please leave a comment below.