Recently I had a debate over whether to set the alternate DNS server on our workstations to a public DNS server or an internal one. Many of our sites are connected via IPsec VPNs, so if a site’s IPsec tunnel were to drop for some reason, any internal DNS servers would be inaccessible. If we set both DNS servers to internal DNS servers and a site’s IPsec tunnel dropped, we wouldn’t be able to remotely service that site. However, I was questioned over whether using a public DNS server as the secondary would cause issues with internal name resolution, which led me to do a deeper dive. Specifically, I wanted to find out whether Windows clients query both the primary and secondary DNS servers and use the fastest response.
I thought it would be worth sharing what I discovered about how the Windows DNS client works because, confusingly, Microsoft has no up-to-date documentation on it.
After much digging, the only relevant article I could find from Microsoft was one from 2014, “NET: DNS: DNS client resolution timeouts”. It explains that Windows always queries the primary DNS server configured on a NIC before querying the alternate/secondary DNS server, with timeout intervals between attempts. So, I was vindicated? Not so fast… the documentation was last updated in 2014 and only tested up to Windows 8. The only way to test for sure – Wireshark.
- Flush DNS using ipconfig/flushdns before each test
- Start packet capture on all interfaces using Wireshark
- Visit an internal website in an incognito browser
- Stop packet capture and review
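The same test can be reproduced from a PowerShell prompt, which is handy for checking a remote site’s workstation without a packet capture. The script below is an added example and not part of the original post; the host name is a placeholder for an internal site, and it assumes an elevated PowerShell session on a Windows 10 client.

```powershell
# Added example (not from the original post): reproduce the DNS test from
# PowerShell. $Name is a placeholder for an internal host name.
$Name = 'intranet.example.internal'

# Step 1: flush the resolver cache so the query actually goes on the wire.
Clear-DnsClientCache

# Step 2: list the DNS servers configured on each adapter, in order.
# The first address is the primary, the second the secondary.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object InterfaceAlias, InterfaceIndex, ServerAddresses |
    Format-Table -AutoSize

# Step 3: resolve through the normal resolver and time it. With a reachable
# primary this finishes well under a second; when the primary is unreachable
# (for example, the IPsec tunnel is down) the client only moves on to the
# secondary after its timeout, so a slow answer here is the symptom to look for.
$sw = [System.Diagnostics.Stopwatch]::StartNew()
$result = Resolve-DnsName -Name $Name -DnsOnly -ErrorAction SilentlyContinue
$sw.Stop()
$addresses = ($result | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ','
if (-not $addresses) { $addresses = 'no answer' }
"Resolver: {0} ms -> {1}" -f [int]$sw.ElapsedMilliseconds, $addresses

# Step 4: query each configured server directly to see which ones answer the
# internal name and how fast. Because a responding primary always wins within
# an adapter, this shows whether a public secondary could ever be consulted
# for the name in normal operation (it should report no answer for it).
foreach ($adapter in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($server in $adapter.ServerAddresses) {
        $t = [System.Diagnostics.Stopwatch]::StartNew()
        $r = Resolve-DnsName -Name $Name -Server $server -DnsOnly -ErrorAction SilentlyContinue
        $t.Stop()
        $answer = ($r | Where-Object Type -eq 'A' | ForEach-Object IPAddress) -join ','
        if (-not $answer) { $answer = 'no answer / NXDOMAIN' }
        "{0,-20} {1,-16} {2,6} ms  {3}" -f $adapter.InterfaceAlias, $server, [int]$t.ElapsedMilliseconds, $answer
    }
}
```

Step 4 is the part that answers the original question: if the public secondary returns NXDOMAIN for the internal name, then with the primary reachable it is never asked, and with the primary down it would be asked only after the timeout and would fail to resolve internal names, which is the trade-off being accepted for remote reachability of the site.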
Windows Client DNS Settings
WiFi Network Adapter
- Primary DNS: Internal DNS
- Secondary DNS: Public DNS (Cloudflare in this case)
SSL VPN Network Adapter
- Primary DNS: Another Internal DNS
- Secondary DNS: Internal DNS
Two queries are sent, one to the primary DNS server on each adapter. Both receive a successful response within 1 second on the first attempt. At no point are packets sent to the secondary DNS servers (18.104.22.168 or the other internal DNS server). So, we’ve confirmed that within a single interface, only the primary DNS server is queried in normal situations. There’s no round robin or fastest-response metric. However, the second DNS request raises the question – why is a DNS request sent to the primary DNS server on each interface?
Smart Multi-homed Name Resolution
In Windows 8, Microsoft introduced Smart Multi-homed Name Resolution. A fancy way of saying – Windows sends DNS requests across all interfaces and uses the fastest reply. This leads to DNS leaks (a query for an internal name can also go out an interface outside the VPN), but for my purposes it’s not an issue as the workstations have a single NIC anyway.
So, by default Windows 10 sends a DNS request in parallel on each interface. Within each interface, the primary DNS server is queried first; then, if there’s no reply within 1 second, a request is sent to the secondary DNS server.
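For machines that do have more than one interface (the SSL VPN adapter in the capture above is one), the parallel queries are what produce the DNS leak. The following added example, which is not from the original post, audits whether Smart Multi-homed Name Resolution is switched off by policy on a client and can enforce that; the registry value it uses is the one written by the Group Policy setting “Turn off smart multi-homed name resolution” (Computer Configuration > Administrative Templates > Network > DNS Client), and it assumes an elevated session.

```powershell
# Added example (not from the original post): audit, and optionally switch off,
# Smart Multi-homed Name Resolution on a Windows 10 client. The registry value
# is the one behind the Group Policy "Turn off smart multi-homed name resolution".
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$ValueName = 'DisableSmartNameResolution'

function Get-SmartNameResolutionState {
    # Returns the effective state as a string; absent value means Windows default.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) {
        'Disabled by policy'
    } else {
        'Enabled (Windows default: parallel queries on every interface)'
    }
}

function Disable-SmartNameResolution {
    # Creates the policy key if it does not exist and sets the DWORD to 1.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    # The DNS Client service applies the policy after a reboot.
}

# Show the connected adapters that each receive a parallel query while the
# feature is on, ordered by the interface metric Windows uses to prefer one.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object ConnectionState -eq 'Connected' |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, ConnectionState |
    Format-Table -AutoSize

"Smart Multi-homed Name Resolution: $(Get-SmartNameResolutionState)"

# Uncomment to enforce the policy on this machine:
# Disable-SmartNameResolution
```

Re-running the Wireshark test after the policy is applied and the machine rebooted should show a single query on the preferred interface rather than one per adapter, which is the quickest way to confirm the change took effect.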