Aug. 7, 2007, 10:15 p.m.
posted by vendetta
Windows DNS Client Information
All Microsoft Windows platforms support the DNS protocol in one way or another. Each of the workstation platforms allows you to configure remote DNS servers for resolving hostnames in applications. In addition, on the Windows 2000 server platform you can also create a DNS server database to support the DNS for a domain.
For your C# DNS programs to work, the DNS settings must be set properly on the Windows platform. This section describes how to configure the DNS client components on Windows systems and how to obtain the system DNS client information from a C# program.
DNS Configuration
All Windows systems have the capability to resolve hostnames. There are two techniques for resolving hostnames to IP addresses:
- Accessing a local file of hostnames
- Querying a remote DNS server
Each technique resolves the hostname differently, as described in the following sections.
Using the hosts File
The simplest way to resolve a limited number of hostnames is to maintain a local hostnames file on the system. For remote hostnames that you frequently access, this is the most efficient arrangement for Windows because it allows more immediate access than going out to a remote DNS server. However, this is obviously not the preferred method to use for resolving lots of hostnames, as is the case during Internet surfing.
The hostnames file is named hosts, and its location depends on which version of Windows you are using:
- For Windows 95, 98, Me, and XP, hosts is located in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.
- For Windows NT and 2000, hosts is located in the C:\WINNT\SYSTEM32\DRIVERS\ETC directory.
The hosts file is in text format, with each line representing a record for each host. The host IP address is listed first, followed by one or more spaces and then the hostname; for example:
127.0.0.1 localhost
192.168.1.1 shadrach.blum.lan
192.168.1.2 meshach.blum.lan
192.168.1.6 abednego.blum.lan
Notice the first entry in the hosts file. The 127.0.0.1 address represents the special loopback address and always points to the localhost hostname. The localhost hostname is itself special because it represents the internal network address of the system. Applications often use this address to direct IP packets to the same system—that’s one way to communicate between programs running on the same system.
After the localhost definition, each remote host that you access frequently should be listed on its own line. Let’s say you run a local in-house network using a fictitious domain name (as shown in the previous example); you can still use the hostnames in the network programs if you enter them in the hosts file on each system.
It’s easy to see that this method will work fine for a limited number of hosts, but if you’re trying to access lots of hosts, the hosts file will become pretty unwieldy. The obvious solution is to use the DNS system to resolve hostnames. The next section describes how to do this on a Windows platform.
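As an added example (not from the original text), the following C# parser reads the hosts format described above and labels each non-loopback entry as an override, since such an entry answers for its name before any DNS server is asked. It also accepts # comments and several names per line, which hosts files allow but the text does not cover; the sample text is constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example: parse hosts-file text and report what it overrides.
class HostsFileAudit
{
    public class HostEntry
    {
        public int Line;
        public IPAddress Address;
        public string Name;
    }

    // Returns one HostEntry per name; lines that do not parse go to 'rejected'.
    public static List<HostEntry> Parse(string text, List<string> rejected)
    {
        List<HostEntry> entries = new List<HostEntry>();
        string[] lines = text.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            string line = lines[i];
            int hash = line.IndexOf('#');              // '#' starts a comment
            if (hash >= 0) line = line.Substring(0, hash);

            string[] fields = line.Split(new char[] { ' ', '\t', '\r' },
                                         StringSplitOptions.RemoveEmptyEntries);
            if (fields.Length == 0) continue;          // blank or comment-only

            IPAddress address;
            if (fields.Length < 2 || !IPAddress.TryParse(fields[0], out address))
            {
                rejected.Add("line " + (i + 1) + ": " + lines[i].Trim());
                continue;
            }
            // The address comes first; every later field is a name for it.
            for (int f = 1; f < fields.Length; f++)
            {
                HostEntry entry = new HostEntry();
                entry.Line = i + 1;
                entry.Address = address;
                entry.Name = fields[f];
                entries.Add(entry);
            }
        }
        return entries;
    }

    public static void Main()
    {
        // Constructed sample based on the listing above, plus two bad lines.
        string sample =
            "# constructed sample\n" +
            "127.0.0.1      localhost\n" +
            "192.168.1.1    shadrach.blum.lan shadrach   # two names\n" +
            "192.168.1.2\tmeshach.blum.lan\r\n" +
            "192.168.1.300  broken.blum.lan\n" +
            "abednego.blum.lan 192.168.1.6\n";

        List<string> rejected = new List<string>();
        foreach (HostEntry e in Parse(sample, rejected))
        {
            // Non-loopback entries answer for a name without any DNS query.
            string kind = IPAddress.IsLoopback(e.Address) ? "loopback" : "override";
            Console.WriteLine("{0,-9} line {1}: {2} -> {3}",
                              kind, e.Line, e.Name, e.Address);
        }
        foreach (string bad in rejected)
            Console.WriteLine("rejected  " + bad);
    }
}
```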
Using a Remote DNS Server
When you need to resolve standard Internet hostnames, the easiest way is to find a DNS server to query. Most (if not all) ISPs provide one or more DNS server addresses for customers to use for DNS queries. Often you won’t need to do anything at all to configure the DNS servers into your system. If your ISP dynamically assigns an IP address to your system, it most likely also assigns the DNS servers dynamically as well.
On the other hand, if your DNS servers are not assigned dynamically, it may be up to you to make sure they are configured. The DNS server entries are stored in the Internet Protocol Properties section of the system’s network properties. You’ll take a slightly different route to get to these properties based on the Windows platform you’re working on. On a Windows 2000 or XP workstation, click Control Panel, and double-click the Network Connections entry. A list of all available network interfaces will be shown. Right-click the network interface for which you want to configure the DNS server, and select the Properties option.
Figure shows the Properties window of a network interface. It indicates what protocols and services are loaded for the interface. The DNS configuration settings are stored in the Internet Protocol (TCP/IP) item.
When you double-click to display the TCP/IP settings for the network interface, you see the Properties window shown in Figure (for a Windows XP Professional workstation). Here you can set the appropriate IP address, subnet mask, and default gateway settings, as well as define two DNS servers. The first server listed will be the primary server. If Windows does not receive a response from that one, it will try the alternate server.
Using C# to Investigate the DNS Configuration
When your C# application is running on a customer’s system, you have no guarantee that there are any DNS servers configured. You can find out what (if any) DNS servers are configured by using the .NET Registry class methods to examine the DNS Registry values.
Fortunately, all Windows platforms store the DNS server information in the same place:
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
This key stores all the DNS parameters from the Internet Protocol Properties window as separate data values. Figure describes some of the values that are stored under this key.
| Data Value | Description |
|---|---|
| DatabasePath | The location of the hosts file |
| Domain | The name of the system’s domain |
| Hostname | The name of the system’s DNS host |
| NameServer | The list of DNS servers |
| SearchList | A list of DNS domains to append to the end of hostnames in DNS name searches |
The value of most interest here is NameServer. This should contain a single string value representing all the configured DNS servers, separated by spaces. The primary DNS server will be listed first, followed by the alternate servers.
Note: If the workstation uses DHCP to dynamically assign an IP address, it may also dynamically assign DNS server addresses. These values are stored with the DHCP information of the connection, in place of the normal IP parameters section shown for this discussion.
You can create a C# program to query this Registry value using the .NET Registry class. Listing 4.2, the FindDNSServers.cs program, demonstrates how to do this.
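using System;
using Microsoft.Win32;

class FindDNSServers
{
    public static void Main()
    {
        // Start at the HKLM root and open the TCP/IP parameters key
        RegistryKey start = Registry.LocalMachine;
        string DNSservers = @"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters";
        RegistryKey DNSserverKey = start.OpenSubKey(DNSservers);
        if (DNSserverKey == null)
        {
            Console.WriteLine("Unable to open DNS servers key");
            return;
        }

        // NameServer holds the configured DNS servers, separated by spaces
        string serverlist = (string)DNSserverKey.GetValue("NameServer");
        Console.WriteLine("DNS Servers: {0}", serverlist);
        DNSserverKey.Close();
        start.Close();

        // The value is missing or empty when no static servers are configured
        if (serverlist == null || serverlist.Length == 0)
        {
            Console.WriteLine("No DNS servers found in NameServer");
            return;
        }

        // Split the list on spaces and print each server on its own line
        char[] token = new char[1];
        token[0] = ' ';
        string[] servers = serverlist.Split(token);
        foreach(string server in servers)
        {
            Console.WriteLine("DNS server: {0}", server);
        }
    }
}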
In FindDNSServers.cs, the first step in the process is to create a base RegistryKey object with the HKLM value:
RegistryKey start = Registry.LocalMachine;
After the base key is set, you can use the OpenSubKey() method to create a RegistryKey object pointing to where the DNS information is located:
string DNSservers = @"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters";
RegistryKey DNSserverKey = start.OpenSubKey(DNSservers);
The DNSservers string points to the text version of the proper Registry key location for the DNS information.
Tip: Notice that this definition uses the @ symbol to tell the C# compiler that the backslash characters are not used as escape sequences, but as literal backslashes. This prevents your having to type two backslashes every time.
The OpenSubKey() method is used to assign the new key to the DNSserverKey RegistryKey object. Once you have a reference to the proper key, you can begin retrieving data values from it using the GetValue() method:
string serverlist =
(string)DNSserverKey.GetValue("NameServer");
The serverlist variable should now contain the string value that includes all the configured DNS servers (if any), separated by spaces. To split them up into individual IP addresses, you use the Split() method of the string class.
The Split() method requires a character array specifying the characters on which to split the string. Because you know that each DNS server value is separated by a single space, you specify a character array that contains only a single entry, a space, and use the Split() method to divide the string into the string array:
char[] token = new char[1];
token[0] = ' ';
string[] servers = serverlist.Split(token);
Once you have an array of the DNS servers, you can use our old C# friend foreach to break them out into individual string values:
foreach(string server in servers)
{
Console.WriteLine("DNS server: {0}", server);
}
If you need to use these addresses within the program, you could just as easily reference them using the servers array (servers[0] is the primary DNS server, servers[1] is the first alternate server, and so on).
The output from the program is simple—first the entire server string is shown, then the individual servers are split out to a separate line:
C:\>FindDNSServers
DNS Servers: 10.25.0.1 10.25.0.2
DNS server: 10.25.0.1
DNS server: 10.25.0.2
C:\>
This output should match what you see when you manually inspect the DNS server entries in the Internet Protocol Properties window. Both DNS server entries appear in the original string as extracted from the Registry. The individual servers are then separated using the Split() string method.
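The listing above reads only the global NameServer value, which the earlier note says does not hold servers assigned by DHCP. The following added example (not part of the original listing) also reads DhcpNameServer and the per-adapter subkeys under Interfaces; those two names are not on this page and are the standard Windows locations for DHCP-assigned and per-interface settings.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using Microsoft.Win32;

// Added example: list static and DHCP-assigned DNS servers from the Registry.
class AuditDNSServers
{
    const string TcpipParameters =
        @"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters";

    // Splits a server-list value on spaces or commas and validates each item.
    public static List<IPAddress> ParseServerList(object value, List<string> invalid)
    {
        List<IPAddress> servers = new List<IPAddress>();
        string text = value as string;          // null if missing or not a string
        if (string.IsNullOrEmpty(text)) return servers;

        foreach (string item in text.Split(new char[] { ' ', ',' },
                                           StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress address;
            if (IPAddress.TryParse(item, out address)) servers.Add(address);
            else invalid.Add(item);
        }
        return servers;
    }

    static void Report(RegistryKey key, string label)
    {
        foreach (string name in new string[] { "NameServer", "DhcpNameServer" })
        {
            List<string> invalid = new List<string>();
            List<IPAddress> servers = ParseServerList(key.GetValue(name), invalid);
            for (int i = 0; i < servers.Count; i++)
                Console.WriteLine("{0} {1}[{2}] = {3}", label, name, i, servers[i]);
            foreach (string bad in invalid)
                Console.WriteLine("{0} {1}: not an IP address: {2}", label, name, bad);
        }
    }

    public static void Main()
    {
        using (RegistryKey global = Registry.LocalMachine.OpenSubKey(TcpipParameters))
        {
            if (global == null)
            {
                Console.WriteLine("Unable to open DNS servers key");
                return;
            }
            Report(global, "global");

            // Per-adapter settings live in one subkey per interface GUID.
            using (RegistryKey interfaces = global.OpenSubKey("Interfaces"))
            {
                if (interfaces == null) return;
                foreach (string guid in interfaces.GetSubKeyNames())
                {
                    using (RegistryKey adapter = interfaces.OpenSubKey(guid))
                    {
                        if (adapter != null) Report(adapter, guid);
                    }
                }
            }
        }
    }
}
```

Comparing this output against the servers you expect is a quick check that a system's resolver settings have not been changed.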
Resolving Hostnames with nslookup
Once the DNS server configuration is set, you can test the DNS functionality by manually using the command-line nslookup program to query the servers for DNS information. The nslookup program comes standard on all Windows platforms. This section shows how to use nslookup to obtain DNS information for domains and hosts.
Default nslookup Query
There are many ways to use the nslookup program. The easiest is to perform a single query for a hostname:
C:\>nslookup www.microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
Non-authoritative answer:
Name: www.microsoft.akadns.net
Addresses: 207.46.197.100, 207.46.230.218, 207.46.197.113, 207.46.197.102
207.46.230.220, 207.46.230.219
Aliases: www.microsoft.com
C:\>
The output from the nslookup command shows several pieces of information:
- The name and address of the DNS server queried:
  Server: dns.ispnet.net
  Address: 10.25.0.1
- The status of the results:
  Non-authoritative answer:
- The results of the query:
  Name: www.microsoft.akadns.net
  Addresses: 207.46.197.100, 207.46.230.218, 207.46.197.113, 207.46.197.102
  207.46.230.220, 207.46.230.219
  Aliases: www.microsoft.com
Note that in this case, the www.microsoft.com DNS hostname is actually an alias for the host www.microsoft.akadns.net. This particular host also has six IP addresses assigned to it.
The status of the results tells you where the information came from. This example is a nonauthoritative answer, which means that the information came from a cache entry on the local DNS server and not from the DNS server assigned to that domain.
To verify if your local DNS server is caching queries, try to do a query on a new hostname that has not been previously queried, and then try the query a second time:
C:\>nslookup msdn.microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
Name: msdn.microsoft.com
Addresses: 207.46.239.122, 207.46.196.115
C:\>nslookup msdn.microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
Non-authoritative answer:
Name: msdn.microsoft.com
Addresses: 207.46.196.115, 207.46.239.122
C:\>
The first query does not display a status line with the results, which indicates that the results came directly from the DNS server for the domain of the remote host. However, the second query indicates that the results are nonauthoritative, which means that they came from the cache of the local DNS server. Indeed, this particular local DNS server is caching DNS results, which will help speed up your DNS queries.
You can also do reverse IP address queries to determine what hostname (if any) an IP address is assigned to:
C:\>nslookup 207.46.196.115
Server: dns.ispnet.net
Address: 10.25.0.1
Name: msdn.microsoft.com
Address: 207.46.196.115
C:\>
Unlike hostname queries, IP address queries are not cached on the local DNS server. If you perform this query a second time, it will still go to the DNS server for the domain and return an authoritative answer.
Watching the Query
You can use the WinDump or Analyzer programs to watch the DNS query from the local system. (These tools were described in Chapter 2, “IP Programming Basics.”) Listing 4.3 shows a sample windump output during the sample nslookup command.
D:\winpcap>windump -s 200 udp port 53
windump listening on\Device\Packet_El90x1
07:16:45.208103 192.168.1.6.1219 > dns.ispnet.net.53: 2+ A? www.microsoft.com. (35)
07:16:45.208888 dns.ispnet.net.53 > 192.168.1.6.1219: 2 7/7/7 CNAME www.microsoft.akadns.net., A microsoft.com, A microsoft.com, A microsoft.com, A www.international.microsoft.com, A microsoft.com, (400)
07:16:50.260472 192.168.1.6.1222 > dns.ispnet.net.53: 3+ PTR? 100.197.46.207.in-addr.arpa. (45)
07:16:50.261416 dns.ispnet.net.53 > 192.168.1.6.1222: 3 4/13/9 PTR microsoft.com., PTR microsoft.net., PTR www.domestic.microsoft.com., PTR www.us.microsoft.com. (499)
07:16:50.263891 192.168.1.6.1223 > dns.ispnet.net.53: 4+ PTR? 219.230.46.207.in-addr.arpa. (45)
07:16:50.265999 dns.ispnet.net.53 > 192.168.1.6.1223: 4 4/13/8 PTR microsoft.com., PTR microsoft.net., PTR www.international.microsoft.com., PTR www.us.microsoft.com. (488)
07:16:50.268427 192.168.1.6.1224 > dns.ispnet.net.53: 5+ PTR? 218.230.46.207.in-addr.arpa. (45)
07:16:50.270266 dns.ispnet.net.53 > 192.168.1.6.1224: 5 4/13/9 PTR microsoft.com., PTR microsoft.net., PTR www.domestic.microsoft.com., PTR www.us.microsoft.com. (499)
07:16:50.272684 192.168.1.6.1225 > dns.ispnet.net.53: 6+ PTR? 113.197.46.207.in-addr.arpa. (45)
07:16:50.273576 dns.ispnet.net.53 > 192.168.1.6.1225: 6 2/13/11 PTR www.international.microsoft.com., PTR www.us.microsoft.com. (498)
07:16:50.278458 192.168.1.6.1226 > dns.ispnet.net.53: 7+ PTR? 220.230.46.207.in-addr.arpa. (45)
07:16:50.399074 dns.ispnet.net.53 > 192.168.1.6.1226: 7* 4/0/0 PTR microsoft.com., PTR microsoft.net., PTR www.domestic.microsoft.com., PTR www.us.microsoft.com. (147)
239 packets received by filter
0 packets dropped by kernel
D:\winpcap>
As you can see, there is a lot of action happening behind the scenes of a simple nslookup query. Here is the WinDump command that was used for this capture:
windump -s 200 udp port 53
This command uses the -s option to set the amount of displayed data to 200 bytes. Because DNS packets often contain lots of return data, this setting helps WinDump display more information from the packet than the default 64 bytes. It is still possible that more data will be present in the return packet, but for now this should be enough information to get your research started. Note also that the parameters are set to capture only DNS packets. The DNS protocol uses UDP and is assigned well-known port number 53. Fortunately, WinDump decodes the DNS queries to present the text information for you, so no protocol debugging is required here.
The first packet is as expected, a DNS query for the A record for the www.microsoft.com hostname:
07:16:45.208103 192.168.1.6.1219 > dns.ispnet.net.53: 2+ A? www.microsoft.com. (35)
The return packet contains the information from the DNS query:
07:16:45.208888 dns.ispnet.net.53 > 192.168.1.6.1219: 2 7/7/7 CNAME www.microsoft.akadns.net., A microsoft.com, A microsoft.com, A microsoft.com, A www.international.microsoft.com, A microsoft.com, (400)
This indicates that the www.microsoft.com hostname was really an alias for another hostname. The A record information revealed that the real hostname of that system is www.microsoft.akadns.net.
The nslookup program then proceeds to query for the IP address information of the real hostname. The PTR record information shows the IP addresses assigned to the host, along with the assigned hostname for each IP address.
07:16:50.260472 192.168.1.6.1222 > dns.ispnet.net.53: 3+ PTR? 100.197.46.207.in-addr.arpa. (45)
07:16:50.261416 dns.ispnet.net.53 > 192.168.1.6.1222: 3 4/13/9 PTR microsoft.com., PTR microsoft.net., PTR www.domestic.microsoft.com., PTR www.us.microsoft.com. (499)
The first IP address, 207.46.197.100, is used to query for the PTR record information. The returned information indicates that the address is assigned to the microsoft.com domain.
Advanced Queries
The default nslookup format described in the preceding sections provides good, simple information regarding the hostname requested. If you would like to see other DNS record types, you must use options for nslookup. The nslookup options can be specified on the command line, but it is often easier to use nslookup in interactive mode.
To enter interactive mode, simply type nslookup at the command prompt without any parameters. The default DNS server used will be displayed, along with an nslookup prompt:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
>
At the nslookup prompt, you can enter in a variety of special commands to modify the behavior of the nslookup query, as described in Figure.
| Command | Description |
|---|---|
| NAME | Resolves the hostname NAME |
| NAME1 NAME2 | Resolves the hostname NAME1 using DNS server NAME2 |
| Help | Lists all the available nslookup commands and options |
| Set | Sets an nslookup option |
| Server NAME | Sets the default DNS server to NAME, using the current default server |
| Lserver NAME | Sets the default DNS server to NAME, using the initial server |
| Finger [USER] | Uses the Finger utility to find USER at the current default host |
| Root | Sets the current default DNS server to the root server |
| ls DOMAIN | Lists all registered addresses in DOMAIN |
| View | Views a file created with the ls command |
| Exit | Exits the nslookup command mode |
As you can see in Figure, you use the set command to establish various options for the DNS query. These options are defined in Figure, and a few of the most commonly used are discussed in the sections that follow.
| Option | Description |
|---|---|
| All | Prints the options, current server, and host |
| [no]debug | Prints (or doesn’t print) debugging information |
| [no]d2 | Prints (or doesn’t print) exhaustive debugging information |
| [no]defname | Appends (or doesn’t append) domain name to each query |
| [no]recurse | Asks for recursive answer to each query |
| [no]search | Uses domain search list |
| [no]vc | Always uses a virtual circuit |
| Domain=NAME | Sets default domain name to NAME |
| Srchlist=N1[N2/…/N6] | Sets domain to N1 and search list to N1, N2, etc. |
| root=NAME | Sets DNS root server to NAME |
| Retry=X | Sets number of retries to X |
| Timeout=X | Sets initial timeout interval to X seconds |
| type=X | Sets query type |
| Querytype=X | Sets query type |
| Class=X | Sets query class |
| [no]msxfr | Uses Microsoft fast zone transfer |
| Ixfrver=X | Sets the current version to use in IXFR transfer request |
The debug Option
The debug option allows you to watch the DNS communication with the DNS server. Listing 4.4 shows a sample DNS query with the debug option turned on. This information shows exactly what you saw in the WinDump results: the original query for the www.microsoft.com hostname and the answer indicating that it was an alias for the www.microsoft.akadns.net host, along with all the IP addresses associated with it.
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set debug
> www.microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
——————
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags: response, want recursion, recursion avail.
        questions = 1, answers = 7, authority records = 7, additional = 7
    QUESTIONS:
        www.microsoft.com, type = A, class = IN
    ANSWERS:
    -> www.microsoft.com
       canonical name = www.microsoft.akadns.net
       ttl = 7116 (1 hour 58 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.219
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.220
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.100
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.230.218
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.102
       ttl = 216 (3 mins 36 secs)
    -> www.microsoft.akadns.net
       internet address = 207.46.197.113
       ttl = 216 (3 mins 36 secs)
    AUTHORITY RECORDS:
    -> akadns.net
       nameserver = ZA.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZC.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZD.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZE.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZF.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZG.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> akadns.net
       nameserver = ZH.akadns.net
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    ADDITIONAL RECORDS:
    -> ZA.akadns.net
       internet address = 216.32.65.105
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZC.akadns.net
       internet address = 63.241.199.50
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZD.akadns.net
       internet address = 206.132.160.36
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZE.akadns.net
       internet address = 12.47.217.11
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZF.akadns.net
       internet address = 63.215.198.79
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZG.akadns.net
       internet address = 204.248.36.131
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
    -> ZH.akadns.net
       internet address = 63.208.48.42
       ttl = 127117 (1 day 11 hours 18 mins 37 secs)
——————
Non-authoritative answer:
Name: www.microsoft.akadns.net
Addresses: 207.46.230.219, 207.46.230.220, 207.46.197.100, 207.46.230.218
207.46.197.102, 207.46.197.113
Aliases: www.microsoft.com
>exit
C:\> hostname
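The HEADER lines in the debug output are decoded from the first 12 bytes of the DNS reply. This added example (not from the original text) performs that decoding on two constructed headers: one built to match the debug listing above, and one with the authoritative-answer bit set, built to match the `7* 4/0/0` reply in the WinDump capture. The labels for flags the listing does not show are assumed wording.

```csharp
using System;
using System.Collections.Generic;

// Added example: decode the 12-byte DNS header that nslookup's debug output shows.
class DnsHeaderDecoder
{
    static readonly string[] Opcodes = { "QUERY", "IQUERY", "STATUS" };
    static readonly string[] Rcodes =
        { "NOERROR", "FORMERR", "SERVFAIL", "NXDOMAIN", "NOTIMP", "REFUSED" };

    static int Word(byte[] msg, int offset)       // 16-bit big-endian field
    {
        return (msg[offset] << 8) | msg[offset + 1];
    }

    static string NameOf(string[] table, int code)
    {
        return code < table.Length ? table[code] : code.ToString();
    }

    public static string Decode(byte[] msg)
    {
        if (msg == null || msg.Length < 12)
            return "truncated: a DNS header is 12 bytes";

        int flags = Word(msg, 2);
        List<string> set = new List<string>();
        set.Add((flags & 0x8000) != 0 ? "response" : "query");      // QR bit
        if ((flags & 0x0400) != 0) set.Add("auth. answer");         // AA bit
        if ((flags & 0x0200) != 0) set.Add("truncated");            // TC bit
        if ((flags & 0x0100) != 0) set.Add("want recursion");       // RD bit
        if ((flags & 0x0080) != 0) set.Add("recursion avail.");     // RA bit

        return string.Format(
            "opcode = {0}, id = {1}, rcode = {2}\n" +
            "header flags: {3}\n" +
            "questions = {4}, answers = {5}, authority records = {6}, additional = {7}",
            NameOf(Opcodes, (flags >> 11) & 0xF), Word(msg, 0),
            NameOf(Rcodes, flags & 0xF), string.Join(", ", set.ToArray()),
            Word(msg, 4), Word(msg, 6), Word(msg, 8), Word(msg, 10));
    }

    public static void Main()
    {
        // Constructed header matching the debug listing: id 2, counts 1/7/7/7,
        // AA clear, so nslookup labels the result "Non-authoritative answer".
        byte[] cached = { 0x00, 0x02, 0x81, 0x80,
                          0x00, 0x01, 0x00, 0x07, 0x00, 0x07, 0x00, 0x07 };

        // Constructed header with AA set: id 7, four answers, no other records.
        byte[] authoritative = { 0x00, 0x07, 0x85, 0x80,
                                 0x00, 0x01, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00 };

        Console.WriteLine(Decode(cached));
        Console.WriteLine();
        Console.WriteLine(Decode(authoritative));
    }
}
```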
The querytype Option
Another useful capability is setting the querytype. You can use this option to narrow down specific information regarding a host, or even regarding a complete domain. For example, you can set the query type to SOA to retrieve the SOA record for the domain:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set querytype=soa
> microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
microsoft.com
    primary name server = dns.cp.msft.net
    responsible mail addr = msnhst.microsoft.com
    serial = 2002061201
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 7200000 (83 days 8 hours)
    default TTL = 7200 (2 hours)
dns.cp.msft.net internet address = 207.46.138.10
>
You can see the entire SOA record for the requested domain, as it is defined in the local DNS server. This will also work when you are trying to determine the mail servers for a particular domain, as shown in the following example:
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> set querytype=mx
> microsoft.com
Server: dns.ispnet.net
Address: 10.25.0.1
microsoft.com MX preference = 10, mail exchanger = maila.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com
microsoft.com MX preference = 10, mail exchanger = mailc.microsoft.com
maila.microsoft.com internet address = 131.107.3.125
maila.microsoft.com internet address = 131.107.3.124
mailb.microsoft.com internet address = 131.107.3.123
mailb.microsoft.com internet address = 131.107.3.122
mailc.microsoft.com internet address = 131.107.3.126
mailc.microsoft.com internet address = 131.107.3.121
>
The results show that there are three separate mail servers defined for the microsoft.com domain. The information shows the mail server hostnames, along with their individual IP addresses.
The Domain Dump Option (ls)
The ls option of the nslookup command allows system administrators to obtain a complete dump of the defined DNS database for a domain. With this option, you can investigate all the DNS records for an entire domain. Be forewarned, though—I say "can" because it is not guaranteed to work. Many DNS servers disable this command to prevent unauthorized users from seeing the entire DNS database.
If you do have access to the ls command on a DNS server, you can dump the complete DNS database to a file by using the redirection command (>):
C:\>nslookup
Default Server: dns.ispnet.net
Address: 10.25.0.1
> ls testdomain.com > td.txt
> view td.txt
The view command can then be used to view the downloaded text file, which contains the DNS database for the domain.

