Jaa


Check your DNS for WINS lookup -- then get rid of it

It is surprisingly often that I encounter customers who have a WINS dependency in an odd place: in DNS itself. Since the early days of AD the DNS service had a feature that was intended specifically to help with migrations from NT4 domains to Active Directory. This feature called WINS Lookup is enabled on a DNS zone, and does something very simple: when a record cannot be found, it forwards the hostname part of the query to specified WINS servers, hoping that these may know more. This was certainly useful in the NT4 days when WINS contained relevant or even authoritative information, but it's obviously no good anymore today. But, surely it can't do any harm? Wrong. It can. Let me show you how.

The setup is that I have a DNS server called DC4, and a client called DC8. They are part of a domain called sol.local. The DNS zone for sol.local has WINS forwarding configured, as follows.

This configuration tells the DNS server to first try to resolve a query in its own zone, but if it fails, try it with WINS at the IP address 192.168.56.24.

As long as there really is a WINS server listening, this is OK. Not great because you lose time with each roundtrip to WINS, but that was the choice you made. But if there is no WINS service listening anymore, things look very different. Take a look at the following network trace. It shows two queries executed from DC8 to DC4:

  1. query for dc4.sol.local. This record exists in the local zone and is returned immediately.
  2. query for dc5.sol.local. This record does not exist...

... so the DNS service immediately forwards it to the configured WINS service, and then sits for two full seconds waiting for a response that never arrives. For good measure it tries again and waits for slightly more than one second more before it gives up and replies to DC8 that the requested record does not exist. Three seconds total! This happens for every record that does not exist, directly impacting the end-user or application.

So having WINS forwarding without an active WINS service is clearly a lethal combination. But even if you still had WINS, would it do any good? It would only help in case WINS has relevant records that your DNS does not have. In that unlikely case you should probably create those records directly in the zone, or in a GlobalNames zone.

So no matter how you cut it, WINS forwarding has no value anymore and does more harm than good. Check your forward DNS zones, and get rid of the WINS forwarders!