Windows – Why Adding Both Private and Public DNS Servers Causes Issues


I have two DNS servers configured under network settings in Windows:

  • Preferred DNS server: My DNS server
  • Alternate DNS server: Public DNS provided by ISP

While I am opening an intranet site, which should resolve using my private DNS server, my browser opens a public Internet website. When I remove the alternate DNS server, the public DNS, it opens the intranet site.

Per my understanding, once the private DNS resolves the IP, it should not attempt to resolve with the public DNS. When I check in the command prompt, it resolves only to the intranet address, but in the browser it's not the same.

Why is this happening and how can I fix it?

Best Answer

1) It doesn't work that way.

I learned a hard lesson that Windows does not use this DNS server list in order. You cannot assume it will simply walk down the list when it can't resolve a name.

There's a quite lengthy explanation on TechNet, which you can find here. The problem I personally experienced was caused by this little snippet here:

The DNS Client service keeps track of which servers answer name queries more quickly, and it moves servers up or down on the list based on how quickly they reply to name queries.

We had five DNS servers listed in our DHCP settings; the last two were the local ISP's. Our other three were very old machines, and we had figured it would be best to add the local ISP's servers as backup. Guess whose were faster?

It's not fun when servers stop resolving internal names.

This prompted me to threaten a switch to Linux.

2) So why did it work in the command prompt?

I'm assuming you used nslookup, which will always use the first server in your DNS list unless you specify otherwise. Since you were always checking your private DNS server, it always worked. Once you open Internet Explorer and start actually trying to resolve names, the behavior is different (as specified by the lengthy flowchart above).

Isn't that wonderfully confusing? I chased name resolution problems for a week wondering why it always worked using nslookup yet for some reason Lotus Notes could never find its mail server. I didn't figure it out until using Wireshark to check how it was really resolving names.

3) How can I fix it?

You can fix your specific problem by configuring your DNS server with a forwarder. When your private DNS server can't find a name, it will forward the request to the server you specify. This way, you can simply use your DNS server and nothing else, preventing the odd behavior that's showing up.
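The diagnosis and fix described in this answer, as an added PowerShell example that is not part of the original question or answer. Everything in it is assumed: the private DNS server at 192.0.2.10, the ISP resolver at 203.0.113.53, the internal name intranet.example.test and the adapter alias 'Ethernet' are placeholders to be replaced with your own values. The first part queries each configured server directly (the way nslookup does when you pick a server) so you can see that the two servers give different answers for the internal name; the second part leaves only the private server on the client and adds the ISP resolver as a forwarder on the Windows DNS server, which needs the DnsServer module and must run on that server.

```powershell
# Added example, not from the original post. All addresses and names are placeholders.
$IntranetName = 'intranet.example.test'   # assumed internal hostname
$PrivateDns   = '192.0.2.10'              # assumed private DNS server
$PublicDns    = '203.0.113.53'            # assumed ISP resolver

# 1) Diagnose: ask each configured server directly instead of trusting whichever
#    one the DNS Client service currently prefers. A split answer here is the
#    symptom from the question: the browser gets whichever server replied faster.
function Test-SplitHorizon {
    param([string]$Name, [string[]]$Servers)
    foreach ($srv in $Servers) {
        try {
            $answer = Resolve-DnsName -Name $Name -Server $srv -Type A -DnsOnly -ErrorAction Stop |
                      Where-Object QueryType -eq 'A'
            [pscustomobject]@{ Server = $srv; Address = ($answer.IPAddress -join ',') }
        } catch {
            # NXDOMAIN or an unreachable server shows up here
            [pscustomobject]@{ Server = $srv; Address = "NO ANSWER: $($_.Exception.Message)" }
        }
    }
}

$results = Test-SplitHorizon -Name $IntranetName -Servers @($PrivateDns, $PublicDns)
$results | Format-Table -AutoSize
if (($results.Address | Select-Object -Unique).Count -gt 1) {
    Write-Warning "Configured servers disagree on $IntranetName; the faster server wins in the browser."
}

# Show which servers the DNS Client service has per adapter (the displayed order is
# not the order it will actually query, as the answer above explains).
Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses.Count -gt 0 }

# 2) Fix, client side: list only the private server and drop the cached wrong answer.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $PrivateDns
Clear-DnsClientCache

# 3) Fix, server side (run on the Windows DNS server): forward every name the private
#    server is not authoritative for to the ISP resolver, then confirm the forwarder.
Add-DnsServerForwarder -IPAddress $PublicDns -PassThru
Get-DnsServerForwarder
```

After the change, rerunning Test-SplitHorizon against only the private server, once for the internal name and once for a public name, confirms that a single server now answers both, which is what removes the race between the two resolvers.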
