Registry Tip #27: Gotcha! W2K DNS Negative Response Caching



A pure W2K domain relies on DNS for name resolution, abandoning NetBIOS and WINS. W2K Pro has a DNS client resolver service that submits lookup queries to DNS servers. When the DNS server responds to a request, the client caches the response for a period of time so that it does not need to send another lookup request if the user wants to contact the same host again. A potential gotcha! for network admins is that W2K supports RFC 2308 and also caches negative responses, that is, NACKs.

It's kinda like the situation I run into with web caching. A developer updates a page on a web server and then winds up calling me when he cannot see his updates in the browser. His web browser has cached the page and is not requesting an update from the web server. It will resolve itself ultimately, or the user can clear the browser's cache or force an update from the web server (hold down the Shift key and press Reload).

This is a new, unexpected result for network admins used to WINS. Take a situation where users cannot contact a new server because the DNS server has a missing host (A) record. You add the missing record, but the users still get Invalid host name when they ping the server name. Oddly enough, when pinging from an NT workstation or Linux workstation it now works! What's the problem? The W2K clients cached the NACK they received from the original query, and W2K is not going back to the DNS server for a fresh lookup (just like the browser does not refresh its cache).

To verify the contents of the DNS cache, use ipconfig at the command line:

ipconfig /displaydns

You will see the negative cache entries (NAKs). IPCONFIG can be used to flush the DNS cache:

ipconfig /flushdns

By default, W2K caches records for an hour. This is the timeout interval specified in the Start Of Authority (SOA) record for the primary DNS master for the zone that contains the record. If you change the default, be cautious. Reducing the cache interval can cause increased network traffic, while increasing it can make it take longer for changes in IP addresses to be recognized by clients.

If you want to experiment with the cache interval:

Windows 2000 DNS secondaries will be updated via W2K's update notification. Unix and other non-Windows 2000 secondaries require you to force a zone transfer to propagate the change throughout your network.

To change W2K Pro's default behavior of caching NAKs, use the following registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\DNSCache\Parameters
Name: NegativeCacheTime
Type: REG_DWORD
Set the NegativeCacheTime value to 0 to disable NACK caching.

You cannot use Group Policy to control this behavior in W2K Pro. You can distribute the change to client workstations by including a registry update in logon scripts. Use Regedit to save the Registry entry to a .reg file, save it in the logon script directory and include a call to it in the logon script:

regedit /I no_nak.reg

W2K, whether workstation or server, has a client-side DNS cache that keeps local copies of DNS information, which stay in the local cache until their TTL (Time to Live) value expires. Any DNS request after the domain's TTL expires will force a new DNS lookup. You can control the DNS cache using the following registry hacks:

The CacheHashTable parameters are used to control the maximum number of columns in the hash table used by the DNS caching resolver service:
Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Services\DNSCache\Parameters
Name: CacheHashTableBucketSize
Type: REG_DWORD
Value: 384

Name: CacheHashTableSize
Type: REG_DWORD
Value: 64000

The MaxCacheEntryTtlLimit value is the maximum allowable TTL value, and it overrides any larger value that may have been set on a specific record. For debugging purposes, set it equal to 1, which forces DNS to perform a lookup on every query.
Name: MaxCacheEntryTtlLimit
Type: REG_DWORD
Value: 301 seconds

The MaxSOACacheEntryTtlLimit value is the longest amount of time the cache holds any SOA records.
Name: MaxSOACacheEntryTtlLimit
Type: REG_DWORD
Value: 300 seconds

As mentioned above, you can dump the contents of the DNS cache to the console with the command ipconfig /displaydns or manually empty the cache with ipconfig /flushdns. If you are having DNS problems, flush the DNS cache.
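
The missing-A-record scenario above can be replayed with a small model of a caching client. This is an added example, not code from the original tip or from Windows: the class names, host name, addresses and TTLs are constructed, and the model assumes NegativeCacheTime and MaxCacheEntryTtlLimit act as caps on how long an answer is kept.

```python
NXDOMAIN = None  # stands for a negative answer ("name does not exist")

class ToyServer:
    """Stand-in for the zone's DNS server; counts the queries it receives."""
    def __init__(self, ttl=3600, negative_ttl=3600):
        self.records, self.queries = {}, 0
        self.ttl, self.negative_ttl = ttl, negative_ttl

    def lookup(self, name):
        self.queries += 1
        if name in self.records:
            return self.records[name], self.ttl
        return NXDOMAIN, self.negative_ttl

class ToyResolverCache:
    """Client cache; registry values are modelled as TTL caps (an assumption)."""
    def __init__(self, server, negative_cache_time=3600, max_cache_entry_ttl_limit=86400):
        self.server = server
        self.negative_cache_time = negative_cache_time
        self.max_ttl = max_cache_entry_ttl_limit
        self.cache = {}  # name -> (answer, expiry time in seconds)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0]              # served from cache, server not asked
        answer, ttl = self.server.lookup(name)
        cap = self.negative_cache_time if answer is NXDOMAIN else self.max_ttl
        ttl = min(ttl, cap)
        if ttl > 0:                      # a TTL of 0 means "do not cache"
            self.cache[name] = (answer, now + ttl)
        return answer

    def flush(self):                     # the effect of ipconfig /flushdns
        self.cache.clear()

def scenario(negative_cache_time):
    """Replay the missing-A-record story; returns (before, stale, fresh, queries)."""
    server = ToyServer()
    client = ToyResolverCache(server, negative_cache_time)
    host = "newserver.example.test"            # constructed name and address
    before = client.resolve(host, now=0)       # record missing: negative answer
    server.records[host] = "192.0.2.10"        # admin adds the A record
    stale = client.resolve(host, now=60)       # a minute later
    client.flush()
    fresh = client.resolve(host, now=61)
    return before, stale, fresh, server.queries

if __name__ == "__main__":
    print(scenario(3600), scenario(0))
```

With negative caching on, the second lookup still returns the cached negative answer and never reaches the server; with NegativeCacheTime set to 0 it resolves immediately, at the cost of one extra query.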





