Updated Version of Dns.exe Fixes Several Problems

Last reviewed: December 22, 1997
Article ID: Q159310
The information in this article applies to:
  • Microsoft Windows NT Workstation version 4.0
  • Microsoft Windows NT Server version 4.0

SYMPTOMS

An updated version of Dns.exe is available to fix the following problems:

  • A lookup for a non-existent A record takes about 30 seconds to time out: When the internal DNS server is queried, it goes to the root server. If the root server returns an RCODE of 0, the Microsoft DNS server does not respond to its client immediately. Some versions of BIND may return an RCODE of 0. This can cause a 30 second delay at the querying client.
  • Problem resolving some MX records: If a DNS client does a recursive query to the Microsoft DNS server for an MX record and the authoritative DNS server for that MX record returns an SOA record instead (because the MX record doesn't exist), the Microsoft DNS server does not return that SOA record to the client. A BIND DNS server does return the SOA record to the DNS client even though it requested an MX record. Microsoft has modified its DNS service to be compatible with BIND.
  • BIND incompatibility: When the Microsoft DNS service receives a query for a name that requires an authoritative lookup, and the DNS server handling the lookup is a BIND server, it may respond with a CNAME record, causing the name server (NS) record for the BIND server to be overwritten in cache. The NS record is used to specify the authoritative name server for a domain.
  • When using the new WriteAuthorityNs reg key that was added in Windows NT 4.0 SP3 DNS, DNS queries will always return authority records=0 and additional=0 instead the actual count for this.
  • If you delegate a zone (such as mydepartment.mycompany.com) to a DNS server that is not in the zone (such as yourserver.yourdepartment.company.com), when a client does a lookup on a host in the delegated zone, it will not succeed. If you ping the server that the zone was delegated to (yourserver.yourdepartment.company.com) once so that it is cached, lookups will start to succeed. The problem was caused by a problem following the glue record that was associated with the delegation, and it has been fixed.
  • Access Violation in Dns.exe: Dr Watson may report an access violation on a secondary DNS server when it is receiving invalid records from the primary, and the data changes on the primary from the initial zone transfer.

Other updates and optimizations:
  • Reduced traffic to root servers: This version eliminates the automatic root query on startup and in the timeout thread; instead, it queries the root only when it receives a query that needs to be sent to the root servers, and limits retrying the root servers to once every ten minutes.
  • Better recursion response: This version supports direct forwarding of a response from the remote DNS, where possible.
  • Eliminates a deadlock condition hit by a few customers. At least one person posting on the MS-DNS newsgroup reported hitting a deadlock. The symptom of this is that the server stops responding to all requests.
  • Better use of SOA in authority section: This version still has an optimization to avoid this on local queries, but overall should be a more "friendly" partner for remote DNS servers when sending a NAME_ERROR or no-records response.
  • Local network prioritization of queries: If there are multiple A records, this version of the server puts the one that "fits best" first; if none fits best, a straight round robin scheme is followed. This is on by default but can be turned off with the new LocalNetPriority registry flag:

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    

          Value Name: LocalNetPriority
          Data Type : REG_DWORD
    
          Data      : 0 or 1 (0 is disabled)
    
          NOTE: This key does not exist by default.
    
       For more information see the following article in the Microsoft
       Knowledge base:
    
          ARTICLE-ID: Q177883
          TITLE     : DNS Server Stops Using Round Robin for Host Name
                      Resolution
    
    
  • WildcardAllTypes registry flag: If on, this version of DNS will use wildcards on all types -- even where they make no sense; this was added for a specific customer scenario where it is used for a security check using reverse lookup.
  • Cache pollution fix: There was a recently-publicized problem where a remote DNS returned bogus data, polluting the cache of DNS servers on the Internet. This was used to point some traffic that would normally go to InterNIC sites to another site. This release plugs that hole. All data received must be for names at or below the zone for which the NS is queried. For example, when you query the microsoft.com DNS server, you will accept any data for microsoft.com or ntdev.microsoft.com but will reject any data for someothersite.com.

RESOLUTION

To resolve this problem, obtain the following fix or wait for the next Windows NT service pack.

This fix should have the following time stamp:

   10/29/97  04:32p               160,016 Dns.exe (Intel)
   10/29/97  04:29p               269,584 Dns.exe (Alpha)

NOTE: Service Pack 3 must be applied to Windows NT 4.0 prior to applying this fix.

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION

The hotfix mentioned above, may experience some problems as specified below:

  • Local network prioritization of queries may cause Round-Robin load balancing to fail. If you experience this problem turn off the LocalNetPriority flag as mentioned above.
  • High Speed Zone Transfers The default configuration now always attempts to include multiple records in each transaction. This may cause BIND 4.9.4 and older DNS Servers to be unable to receive zone transfers. If you experience this problem set the BindSecondaries flag to use slower transfers:

          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    

          Value Name: BindSecondaries
          Data Type : REG_DWORD
    
          Data      : 0 or 1 (0 = high speed; 1 = slower transfers)
    
       NOTE: This key does not exist by default. Transfers between Microsoft
       DNS Servers will always be done with using the faster, high compression
       method, regardless of how the BindSecondaries flag is set. After
       changing this registry key, you must stop and restart the DNS Server
       service.
    
       For more information see the following article in the Microsoft
       Knowledge base:
    
          ARTICLE-ID: Q151416
          TITLE     : Microsoft DNS Compatibility w/BIND Versions Earlier Than
                      4.9.4
    


Additional query words: hotfix
Keywords : kbbug4.00 kbfix4.00 NTSrvWkst kbnetwork
Version : WinNT:4.0
Platform : winnt
Issue type : kbbug
Solution Type : kbpatch


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Last reviewed: December 22, 1997
© 1998 Microsoft Corporation. All rights reserved. Terms of Use.