Updated Version of Dns.exe Fixes Several Problems

• Microsoft Windows NT Workstation version 4.0
• Microsoft Windows NT Server version 4.0

SYMPTOMS

An updated version of Dns.exe is available to fix the following problems:

• A lookup for a non-existent A record takes about 30 seconds to time out: When the internal DNS server is queried, it goes to the root server. If the root server returns an RCODE of 0, the Microsoft DNS server does not respond to its client immediately. Some versions of BIND may return an RCODE of 0. This can cause a 30 second delay at the querying client.
• Problem resolving some MX records: If a DNS client does a recursive query to the Microsoft DNS server for an MX record and the authoritative DNS server for that MX record returns an SOA record instead (because the MX record doesn't exist), the Microsoft DNS server does not return that SOA record to the client. A BIND DNS server does return the SOA record to the DNS client even though it requested an MX record. Microsoft has modified its DNS service to be compatible with BIND.
• BIND incompatibility: When the Microsoft DNS service receives a query for a name that requires an authoritative lookup, and the DNS server handling the lookup is a BIND server, it may respond with a CNAME record, causing the name server (NS) record for the BIND server to be overwritten in cache. The NS record is used to specify the authoritative name server for a domain.
• When using the new WriteAuthorityNs reg key that was added in Windows NT 4.0 SP3 DNS, DNS queries will always return authority records=0 and additional=0 instead the actual count for this.
• If you delegate a zone (such as mydepartment.mycompany.com) to a DNS server that is not in the zone (such as yourserver.yourdepartment.company.com), when a client does a lookup on a host in the delegated zone, it will not succeed. If you ping the server that the zone was delegated to (yourserver.yourdepartment.company.com) once so that it is cached, lookups will start to succeed. The problem was caused by a problem following the glue record that was associated with the delegation, and it has been fixed.
• Access Violation in Dns.exe: Dr Watson may report an access violation on a secondary DNS server when it is receiving invalid records from the primary, and the data changes on the primary from the initial zone transfer.

• Reduced traffic to root servers: This version eliminates the automatic root query on startup and in the timeout thread; instead, it queries the root only when it receives a query that needs to be sent to the root servers, and limits retrying the root servers to once every ten minutes.
• Better recursion response: This version supports direct forwarding of a response from the remote DNS, where possible.
• Eliminates a deadlock condition hit by a few customers. At least one person posting on the MS-DNS newsgroup reported hitting a deadlock. The symptom of this is that the server stops responding to all requests.
• Better use of SOA in authority section: This version still has an optimization to avoid this on local queries, but overall should be a more "friendly" partner for remote DNS servers when sending a NAME_ERROR or no-records response.
• Local network prioritization of queries: If there are multiple A records, this version of the server puts the one that "fits best" first; if none fits best, a straight round robin scheme is followed. This is on by default but can be turned off with the new LocalNetPriority registry flag:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
  

        Value Name: LocalNetPriority
        Data Type : REG_DWORD
        Data      : 0 or 1 (0 is disabled)
  
        NOTE: This key does not exist by default.
  
     For more information see the following article in the Microsoft
     Knowledge base:
  
        ARTICLE-ID: Q177883
        TITLE     : DNS Server Stops Using Round Robin for Host Name
                    Resolution
  
  

• WildcardAllTypes registry flag: If on, this version of DNS will use wildcards on all types -- even where they make no sense; this was added for a specific customer scenario where it is used for a security check using reverse lookup.
• Cache pollution fix: There was a recently-publicized problem where a remote DNS returned bogus data, polluting the cache of DNS servers on the Internet. This was used to point some traffic that would normally go to InterNIC sites to another site. This release plugs that hole. All data received must be for names at or below the zone for which the NS is queried. For example, when you query the microsoft.com DNS server, you will accept any data for microsoft.com or ntdev.microsoft.com but will reject any data for someothersite.com.

RESOLUTION

To resolve this problem, obtain the following fix or wait for the next Windows NT service pack.

This fix should have the following time stamp:

   10/29/97  04:32p               160,016 Dns.exe (Intel)
   10/29/97  04:29p               269,584 Dns.exe (Alpha)

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION

The hotfix mentioned above, may experience some problems as specified below: