3

Occasionally on one of my web servers svchost.exe runs around 60-80% running the DNS Client Service. This is on a Windows 2008 Web Server machine (patched up all the way) handling around 10M page views a day and around 5M unique users monthly.

I sometimes see it running on one of two servers in my farm, while handling the same amount of traffic as the other machines, so I think it might be okay to disable it... Keep in mind that a server affected by it is running close to 90% CPU while the others are at 15%.

Now I know it caches the name resolution data but does it need to do it at this expense? I did some research and there are split recommendations on this so here I am asking you guys :) Thanks!

Here are screenshots of the CPU utilization:

enter image description here

I say Reinstate Monica
  • I have never heard of the DNS Client service using that much CPU. Sometimes malware uses svchost.exe; have you ruled out the possibility that your server has been compromised? – Skyhawk Oct 11 '11 at 20:10
  • Miles Erickson - yes, I have used Process Explorer to look up the svchost.exe and it's the Dnscache service causing the CPU spikes, here is the screen of the process http://screencast.com/t/RfxznL15Wic – enlightenedOne Oct 11 '11 at 20:19
  • 2
    If it were me, I would install a packet capture program on the server, start a capture, filter the capture for DNS, and see what all this DNS client activity is about. – joeqwerty Oct 11 '11 at 20:35
  • 1
    All right guys, got an update. I scanned the system, nothing was found, captured the traffic and saw absolutely nothing wrong with it. Now something interesting happening is that I tried stopping the DNS Client service and it did not have any effect on it, the CPU spikes continued as before and in Process Explorer the thread still showed Dnscache Service as the one causing the issue, so how is this possible? Also I noticed that this only happens when there is load on a server, once I take it out of LBS the CPU utilization by that service stops so maybe it's normal??? – enlightenedOne Oct 15 '11 at 17:28

4 Answers

1

Disabling the DNS client service will not disable DNS lookups. The stack will still know how to do a DNS lookup. Don't believe it? Try it.

Now, one possible cause of high DNS query rates on your web server may be DNS lookups related to logging of HTTP requests. Disable logging of the client request source by DNS name.

spenser
  • 2
    While it is correct that disabling the DNS client service does not disable DNS lookups, before suggesting this you need to understand and point out the impacts. As this is a performance related issue disabling the DNS client server could make it far worse. – Bernie White Oct 20 '11 at 09:28
1

I hate suggesting this, but does the server exhibit the same problem after a restart, or does it just slowly degrade over time?

Ditto Peter Ivan's note about large hosts files causing the DnsCache service to eat up CPU.

Seems to be my stock answer these days, but have a nose at what's going on using Process Monitor.

I'd also consider moving DnsCache to its own SVCHOST instance (for testing / isolation):

tasklist /fi "imagename eq svchost.exe" /svc
sc config dnscache Type= own
sc stop dnscache
sc start dnscache
tasklist /fi "imagename eq svchost.exe" /svc
Simon Catlin
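
An added example (not part of the answers above): a read-only PowerShell check that shows which svchost.exe instance hosts Dnscache and which services share it, counts the active entries in the hosts file, and samples that process's CPU over five seconds. It assumes the default hosts file path, PowerShell 2.0 or later and an elevated prompt; the variable names are illustrative.

```powershell
# Added diagnostic sketch, not code from the original answers. Read-only.
# Assumptions: default hosts file location, PowerShell 2.0+, elevated prompt.

# 1. Which svchost.exe instance hosts Dnscache, and which services share it?
$dns = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"
$svcPid = $dns.ProcessId
"Dnscache: state=$($dns.State) pid=$svcPid type=$($dns.ServiceType)"

if ($svcPid -ne 0) {
    # Every service reporting the same PID lives in the same svchost.exe,
    # so CPU shown for that process is the sum of all of them.
    Get-WmiObject Win32_Service -Filter "ProcessId=$svcPid" |
        Sort-Object Name |
        Select-Object Name, State, StartMode |
        Format-Table -AutoSize
}

# 2. How large is the hosts file? Count lines that are not blank or comments.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsFile = Get-Item $hostsPath
$entries   = @(Get-Content $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' })
"hosts: {0:N0} bytes, {1} active entries, last modified {2}" -f `
    $hostsFile.Length, $entries.Count, $hostsFile.LastWriteTime

# 3. Sample CPU time of the hosting process over a fixed interval.
if ($svcPid -ne 0) {
    $seconds = 5
    $t1 = (Get-Process -Id $svcPid).TotalProcessorTime
    Start-Sleep -Seconds $seconds
    $t2 = (Get-Process -Id $svcPid).TotalProcessorTime

    # Normalise by logical processor count to match Task Manager's percentage.
    $cores  = [int]$env:NUMBER_OF_PROCESSORS
    $cpuPct = ($t2 - $t1).TotalSeconds / $seconds / $cores * 100
    "svchost pid {0}: {1:N1}% CPU over {2}s" -f $svcPid, $cpuPct, $seconds
}
```

Run it before and after the `sc config dnscache Type= own` change: once Dnscache reports `Own Process`, the CPU sample covers that service alone.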
0

Disabling the DNS client service is going to make the server completely unable to resolve any DNS queries at all. This is not a good idea, IMHO. For starters, that means at a minimum the server will not be able to do any Windows Updates. But also, almost everything any computer does that involves networking of any sort requires DNS queries in order to function properly.

Also, if your web application is communicating with other services or web sites, then it would stop functioning.

My guess is that the DNS client service activity is due to IIS Logging; try turning that off temporarily and see if that resolves it. If that's the case then you know where your real problem lies.

Coding Gorilla
  • Thanks Coding Gorilla, but IIS Logging is currently disabled on all machines. Any other things I should be looking at? – enlightenedOne Oct 11 '11 at 18:46
  • Anything else running on the server? For troubleshooting purposes, you could always disable the service and see what breaks. But I wouldn't recommend leaving it permanently disabled. – Coding Gorilla Oct 11 '11 at 18:49
  • Nothing else, just IIS handling requests all day long. Keep in mind this happens on one server and it stops, it might happen on another server on the farm. And when it happens the CPU spikes are in sort of 5 second intervals. I added a screenshot link in my original post – enlightenedOne Oct 11 '11 at 19:12
  • Honestly, unless you're seeing a specific problem, I wouldn't worry about it too much. It could be a lot of things, scheduled tasks, update checks, just to name a few. Probably pretty normal and benign stuff, especially since you're seeing it across multiple servers. – Coding Gorilla Oct 11 '11 at 19:14
  • 1
    Like others have said, disabling the service WON'T cause lookups to fail. – Simon Catlin Feb 25 '13 at 20:29
0

DNS Client Service serves mainly as a DNS cache, as its service name "DNS Cache" suggests. Turning it off can slow down DNS name resolution.
Common browsing experience shouldn't be harmed. But there might be some processes on your web servers which rely on DNS name resolution. Then their response times could rise only because of repeated DNS queries to your DNS authority.

In my experience, high CPU utilisation by DNS Client Service can be caused by a big hosts file. Adding NICs or changing their settings can cause flushing of the DNS Cache and then its CPU usage goes up.

Peter Ivan