Windows Vista Tips

Negative caching

 
 
Jonny Bergdahl

 
      02-11-2010
Is it possible to change the handling of negative caching in the DNS Server
of Windows 2008?

I have a LAN-LAN VPN connection to a remote site, and to be able to resolve
local addresses in the remote site I have set up Conditional forwarders
pointing to the local DNS of the remote site.

Problem arises when the VPN tunnel is down, where my DNS server is unable to
contact the remote DNS, all remote queries end up in the negative cache.
This means that when the VPN tunnel is up again the local clients are still
unable to connect until I manually clear the cache of all my local DNS
servers.

What I want to do is;
1. Disable negative caching for the conditional forwarder, or if not
possible;
2. Disable negative caching completely

Internal DNS Servers query a DNS server in the firewall for external
addresses, so I am not concerned about excessive external DNS traffic.

Regards;
/jb

 
 
 
 
 
David Shen [MSFT]

 
      02-11-2010
Hello customer,

The managed support service of the microsoft.public.windows.server.dns is
now available instead on Platform Networking forum:
http://social.technet.microsoft.com/...rverPN/threads .
Would you please repost the question in the forum with the Windows Live ID
used to access your Subscription benefits? Our engineers will assist you in
the new platform.

The web link http://technet.microsoft.com/en-us/s.../ms788697.aspx
introduces more information about the migration. In the future, please post
your Print-related questions directly to the forums. If you have any
questions or concerns, please feel free to contact us:

David Shen
Microsoft Online Technical Support

 
 
kj [SBS MVP]

 
      02-11-2010
dnscmd;

/maxnegativecachettl [<seconds>]
Specifies how many seconds (0x1-0xFFFFFFFF) an entry that records a negative
answer to a query remains stored in the DNS cache. The default setting is
0x384 (900 seconds).

http://technet.microsoft.com/en-us/l...69(WS.10).aspx


Jonny Bergdahl wrote:
> Is it possible to change the handling of negative caching in the DNS
> Server of Windows 2008?


--
/kj


 
 
Ace Fekay [MVP-DS, MCT]

 
      02-12-2010
"Jonny Bergdahl" <> wrote in message
news:uYyI$...
> Is it possible to change the handling of negative caching in the DNS
> Server of Windows 2008?



In your scenario with an unreliable VPN or link, I have to agree with
Jonathan's suggestion to use a Stub zone. Otherwise, it will go through the
Root hints looking for it.

You can use KJ's suggestion to change the TTLs, however with all due
respect, I tend to shy away from making registry changes when another
solution is available.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
 
kj [SBS MVP]

 
      02-12-2010
Ace Fekay [MVP-DS, MCT] wrote:
>
>
> In your scenario with an unreliable VPN or link, I have to agree with
> Jonathan's suggestion to use a Stub zone. Otherwise, it will go
> through the Root hints looking for it.
>
> You can use KJ's suggestion to change the TTLs, however with all due
> respect, I tend to shy away from making registry changes when another
> solution is available.


Actually I found Jonathan's post most informative and I'm giving much more
thought to stub zones now.

My response was directed more at what the OP was asking, not necessarily that
it was the best thing to do. (Maybe nitpicking, but using the dnscmd is
more a configuration change than a registry hack, though the end result may
be the same.)

--
/kj


 
 
Ace Fekay [MVP-DS, MCT]

 
      02-12-2010
"kj [SBS MVP]" <> wrote in message
news:%23T9Fzd%...
> Actually I found Jonathan's post most informative and I'm giving much more
> thought to stub zones now.
>
> My response was directed more at what the OP was asking, not necessarily
> that it was the best thing to do. (Maybe nitpicking, but using the dnscmd
> is more a configuration change than a registry hack, though the end result
> may be the same.)
>
> --
> /kj
>


I knew that. :-)

Thinking more about this, maybe a Secondary will be better. This way a copy
is sitting on the box so if the WAN link goes down for a short period, it
would use the Secondary.

Maybe the *better* solution is to get an ISP that doesn't drop as often?

Ace



 
 
kj [SBS MVP]

 
      02-12-2010

Ace Fekay [MVP-DS, MCT] wrote:
> Maybe the *better* solution is to get an ISP that doesn't drop as
> often?


Right to the heart of the matter!

>
> Ace


--
/kj


 
 
Ace Fekay [MVP-DS, MCT]

 
      02-14-2010
"kj [SBS MVP]" <> wrote in message
news:OkBPz8$...
>> Maybe the *better* solution is to get an ISP that doesn't drop as
>> often?

>
> Right to the heart of the matter !



Yep! That seems to be the more logical solution. Why try to bandaid it with
creative DNS solutions?

Ace
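
Added example, not part of any post in this thread: the dnscmd steps discussed above (kj's negative-cache TTL setting, the manual cache clear the original poster describes, and Ace's stub or secondary zone alternatives), as they would be run from an elevated prompt on the local Windows Server 2008 DNS server. The zone name, the remote DNS address and the 60-second value are placeholder assumptions.

```powershell
# Added illustration; not from any participant in the thread.
# Placeholders (assumptions, not values from the thread):
$Zone     = 'remote.example.com'   # namespace behind the conditional forwarder
$RemoteNs = '192.0.2.53'           # DNS server at the remote site

# Show the current negative-cache lifetime. The documented default quoted
# in the thread is 0x384 (900 seconds).
dnscmd /info /maxnegativecachettl

# kj's suggestion: shorten the lifetime of negative answers. 60 is an
# arbitrary illustrative value. The range quoted in the thread starts at 0x1,
# so this bounds how long a stale failure survives; it does not switch
# negative caching off.
dnscmd /config /maxnegativecachettl 60

# Drop entries that were already cached while the tunnel was down.
dnscmd /clearcache

# Ace's alternative: replace the conditional forwarder with a stub zone ...
dnscmd /zonedelete $Zone /f
dnscmd /zoneadd $Zone /stub $RemoteNs

# ... or, per his later post, with a secondary zone so a copy of the data
# stays on this server while the link is down (use one of the two, not both).
# dnscmd /zoneadd $Zone /secondary $RemoteNs
```

A secondary zone only loads if the remote DNS server permits zone transfers to this server.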


 