Windows DNS query order
-
A long time ago I referred to MS training that talked about DNS query order, but I could not locate a reference. I found the reference so that problem has been resolved.
Short version: if Windows tries DNS #1 and it fails to respond, it will try #2; if #2 responds, it becomes #1.
The DNS client does not utilize each of the DNS servers listed in TCP/IP configuration for each query. By default, on startup the DNS client will attempt to use the server in the Preferred DNS server entry. If this server fails to respond for any reason, the DNS client will switch to the server listed in the alternate DNS server entry. The DNS client will continue to use this alternate DNS server until:
It fails to respond to a DNS query, or:
The ServerPriorityTimeLimit value is reached (15 minutes by default).
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/best-practices-for-dns-client-settings
-
@AndyRH I had to read your post a few times, but I think you're saying you resolved your not having a link handy, vs MS changing the behavior of this?
I didn't realize there was a timer, but yeah, we've run into this in the past... usually when the primary DNS isn't available exactly during boot; then when the person logs in, the PC tries to connect to, say, Google DNS. Logins can be slow, group policy fails, etc. Sometimes well-meaning "IT experts" at a client will add those as a backup.
-
What method it uses to determine that, or a timer to fall back, really doesn't matter..
At some point you're going to have a bad experience if you point a client to more than 1 NS that can respond differently.. Be that by not knowing anything about what you're asking about (a local domain, for example), or whether there is any filtering being done or not, etc., where your answer might or might not be filtered depending on which NS you asked.
If you're going to point your client to more than 1 NS, they should answer the same.. Any of them should be able to resolve your local domain, or if external they should all either filter (the same) or not filter..
This really isn't anything new; this has been how it has been since, like, DNS has even been a thing..
And yeah, still to this day I see admins configuring their DNS for a client in a way that could be problematic.. They might get lucky, they might not, but it's bad practice in my 30-some years of experience in the biz to point to multiple NS that might not respond exactly how you want.. If you ask Google DNS for something like host.home.arpa, for example, it's going to return NX, and when it does your client won't ask anyone else..
; <<>> DiG 9.16.45 <<>> @8.8.8.8 www.home.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.home.arpa. IN A

;; AUTHORITY SECTION:
home.arpa. 1800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 604800 60 604800 604800

;; Query time: 77 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jan 03 15:36:50 Central Standard Time 2024
;; MSG SIZE rcvd: 119
And/or maybe it returns the wrong IP because you were using a public domain locally.. And if it's supposed to be filtered, and you asked 8.8.8.8 vs 1.1.1.1 for example and it's not, you're going to have a bad day.. It can be even worse if you're forwarding from some common local DNS that multiple clients use, and it happens to query some upstream NS that doesn't filter, and now all your clients can access this site because your local NS cached it.
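An added check, written for this page and not posted by anyone in the thread, that tests the point above on a Windows client: it asks every resolver the machine is configured with for the same name and flags any disagreement (different A records, NXDOMAIN on some but not others), since a failover to the odd one out changes what the client sees. host.home.arpa is the thread's own example name; the Dnscache registry path for ServerPriorityTimeLimit is my assumption, and the raw value is printed only if one is set.

```powershell
# Added example: compare one name across all configured IPv4 resolvers.
# $TestName is a placeholder; use a name in your own local domain.
param(
    [string]$TestName = 'host.home.arpa'
)

# Failover timer from the quoted MS doc (default 15 minutes when no value is set).
# Registry location is assumed, not taken from the thread.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters' -ErrorAction SilentlyContinue
if ($null -ne $params.ServerPriorityTimeLimit) {
    Write-Host "ServerPriorityTimeLimit (raw value): $($params.ServerPriorityTimeLimit)"
} else {
    Write-Host "ServerPriorityTimeLimit not set; default of 15 minutes applies."
}

# Every distinct IPv4 resolver on any interface; the client may fall back to any of them.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

$results = foreach ($srv in $servers) {
    try {
        # -DnsOnly bypasses the local cache and hosts file so each server answers for itself.
        $rec = Resolve-DnsName -Name $TestName -Type A -Server $srv -DnsOnly -ErrorAction Stop
        $answer = ($rec | Where-Object { $_.Type -eq 'A' } |
                   ForEach-Object { $_.IPAddress } | Sort-Object) -join ','
        if (-not $answer) { $answer = 'NO-A-RECORD' }
    } catch {
        # NXDOMAIN, timeout and refused all land here with the server's error text.
        $answer = "ERROR: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Server = $srv; Answer = $answer }
}

$results | Format-Table -AutoSize

# One distinct answer string means every configured resolver agrees.
$distinct = @($results.Answer | Sort-Object -Unique).Count
if ($distinct -gt 1) {
    Write-Warning "Configured resolvers disagree on $TestName; failover will change what clients see."
} else {
    Write-Host "All configured resolvers agree on $TestName."
}
```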