joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Windows DNS Server Negative Cache

by @ 10:46 am on 8/12/2006. Filed under tech

So how do I display what info is in the negative cache? From the command line…

Also, the DNSCMD tool allows you to show the positive cache, but I don’t see how to have it show the entire positive cache versus just the cache for specific domains that you specify.

I looked at what it would take to write my own command line tools to try and pull this info and when I peeked, what did I find??? &*^$#% WMI. That pretty much kills any chances of me writing code to do anything with it.

Why? Because I haven’t had a single WMI programming story that ended well. In fact, I have been in a debate with the Exchange Dev team over enumerating DCs being used by the Exchange servers which is done via WMI (yes even for ESM) and it is all broken and the servers you get listed aren’t necessarily correct. I realize this isn’t strictly a WMI issue but WMI was messy getting to that point and then the Exchange folks straight up said that WMI was never intended to be used for monitoring…. Hmm, the biggest Enterprise application group in MSFT saying that WMI isn’t used for monitoring sure tells me I don’t need to spend the time worrying about dealing with trying to make it work.

So anyway, who knows the answers to the above questions, again they are

How do I display the DNS Server negative cache from the command line? 

How do I display ALL positively cached items in one command line?

I asked my main Windows DNSphile friend and he didn’t know. Actually the response to the first question was “If I suspect the negative cache of having a problem I just clear it”. Which brings up why I would want to see it… I think it might be an interesting thing to monitor, especially in enterprises using Exchange. It could be used to help identify bad email addresses on contacts and mail-enabled users in the GAL.

  joe

 


8 Responses to “Windows DNS Server Negative Cache”

  1. matheesha says:

    Is the negative cache info for a DNS server also possibly visible using “ipconfig /displaydns” on the server? If so, can you not parse for strings with “Negative cache entry for no records” and give surrounding lines using perl or similar?

    M@

  2. joe says:

    Nope, that won’t show the cache items from the DNS Server service, that just shows, I believe, what is cached by the DNS Client Service.

  3. matheesha says:

    I am looking at the following and trying to figure how to use it at the moment. I assume you’ve seen it.

    H:\>dnscmd nti-ad19 /enumrecords
    USAGE: DnsCmd /EnumRecords [] []
    — FQDN of zone node to enumerate
    /RootHints for roots-hints enumeration
    /Cache for cache enumeration
    — name of node to enumerate
    …….

    See the line before the last?

    M@

  4. matheesha says:

    Well I haven’t yet figured how to enumerate the cached domain list. But I can check what records are cached for a domain using something like

    dnscmd DNS_Server_IP /enumrecords /cache domainname

    which lists info of cached records for the specific zone. /detail gives more info. If the server hasn’t cached any info for the zone, it gives an error.

    Still not sure how to get negative caching. Not sure how to decipher the /detail switch. I wonder if it has something?

    M@

  5. matheesha says:

    Oops. I guess I didn’t read that post properly. Sorry. Didn’t realise you knew this already.

    M@

  6. Joe,

    How’s DNSCMD and IPCONFIG doing this? Surely there’s an API *somewhere*? I’d be really shocked if IPCONFIG was using WMI. I thought it was much lower level than that…

    I’ve been where you’re at in the past. I’d be very happy to see a DNS cache command line tool, from you, that can query, delete, flush or add stuff to either the resolver or server caches.

  7. joe says:

    Thanks Matheesha, yep I can enumerate cached records for a known domain. Haven’t figured out the domain list yet.

    Paul: This is all done through WMI for the DNS Service side stuff. The IPCONFIG side stuff doesn’t much matter as I want to do it at the DNS Service level. I hate WMI.

  8. Al Mulnick says:

    It could be used to help identify bad email addresses on contacts and mail-enabled users in the

    I have to ask, how is it that viewing the negative cache could help identify bad addresses on contacts? How do you envision seeing these addresses vs. mis-typed addresses elsewhere? And are the 821/822 NDR messages not enough to see what’s causing the failure in the first place?

    In all the years of working with Exchange, I don’t believe negative cache ever came up in the conversation. I’m curious as to the value of viewing the cache. It’s possible I’m just missing something and hate it when that happens. 🙂
