Why does every executable send DNS requests after deleting the DNScache service?

0

In Windows, there is a service named DNS Client service (dnscache) that caches DNS names and registers the full computer name. When it is running, only svchost.exe connects to the DNS server. Then I stop and delete that service with the following process:

  1. Set dependency of Network Store Interface Service (NSI) to only Remote Procedure Call (RPCSS): reg add "HKLM\SYSTEM\CurrentControlSet\Services\nsi" /V "DependOnService" /T REG_MULTI_SZ /D "RPCSS" /F

  2. Set dependency of Network Connectivity Assistant Service (NcaSvc) to only Base Filtering Engine (BFE): reg add "HKLM\SYSTEM\CurrentControlSet\Services\NcaSvc" /V "DependOnService" /T REG_MULTI_SZ /D "BFE" /F


  3. Stop & delete the DNScache service: sc stop "Dnscache" & sc delete "Dnscache"


After deleting the DNScache service, every executable file which is connected to the internet (including every browser) sends & receives DNS packets (with netstat). With this process, it is obvious that Windows does not save dnscache. You can see that with ipconfig /displaydns.

Question: Why does every executable send DNS requests after deleting the DNScache service?

Biswapriyo

Posted 2017-06-28T16:12:57.830

Reputation: 6 640

Your question title and the question don't match - consider what you really are trying to ask here. As for why it does lookups after deleting the service - consider it was doing lookups prior to deleting it too. – djsmiley2k TMW – 2017-06-28T16:23:40.430

From what you say, it seems normal that if you remove a DNS caching service then programs will send out DNS queries: they can no longer interrogate the DNS cache. – simlev – 2017-08-01T14:14:04.477

@simlev: Better put it up as an answer. There is no other answer. To the poster: I suggest that you undo the above changes. – harrymc – 2017-08-01T14:33:45.773

Based on this comment by the OP, this appears to be an XY problem, namely in that the OP is deleting the DNSCache service in order to be able to monitor DNS queries made by programs. There's a better way... – I say Reinstate Monica – 2017-08-02T15:12:30.137

I (and I'm sure others) would be happy to have a look but you'll need to ask a new question. – I say Reinstate Monica – 2017-08-02T15:29:34.023

Answers

7

The behaviour you describe is precisely what you should expect. All DNS requests would normally be handled by the DNScache service, which would serve any application running on the same machine. After you delete it, all programs have to send out DNS queries, since they can no longer take advantage of the DNS caching service.

Information found online confirms that the DNScache service indeed does exactly what it is aptly named after: caching DNS queries.

What does the DNS Client (DNScache) service do? Resolving and caching domain names: it finds a domain name's IP address and saves this association for a short time.
What happens if it is disabled? If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached.


On a different note, what were you trying to accomplish by deleting the DNScache service? I fail to see any advantage or goal other than experimenting with the system to gain insight into its workings.

I would leave the Dnscache service alone.

simlev

Posted 2017-06-28T16:12:57.830

Reputation: 3 184

By deleting the dnscache service I get notified every time a new app is trying to connect. Otherwise network monitor shows svchost.exe. This also helps me to resolve which exe is associated with Windows telemetry. It also saves some RAM. – Biswapriyo – 2017-08-01T15:16:25.017

@Biswa Ok, it seems you have your reasons. So, is this behaviour satisfying for your needs? The RAM savings would not be substantial on a typical desktop PC. Are you trying to create an embedded appliance? – simlev – 2017-08-01T15:19:03.450

If you want to know when apps are requesting internet connections you could use ZoneAlarm (on Windows) or Little Snitch (on Mac). – user1258361 – 2017-08-07T15:30:32.597

@Biswa Why did you not accept the answer and assign the bounty? What aspects did not satisfy you? – simlev – 2017-08-09T16:02:40.950
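
One way to see which process asked for which DNS name while the DNS Client service stays installed, as an added example that is not part of the original thread. It assumes the Microsoft-Windows-DNS-Client/Operational event log is present on the Windows version in use, that event ID 3006 (query issued) is recorded with the calling process's ID, and that the session is elevated; the function name `Get-DnsQueryByProcess` is hypothetical.

```powershell
# Added example (not from the thread): attribute DNS lookups to the calling
# process without stopping or deleting the Dnscache service.
# Assumptions: elevated session; the DNS Client operational log exists on this
# Windows version (it is disabled by default); event 3006 carries QueryName.

$LogName = 'Microsoft-Windows-DNS-Client/Operational'

function Get-DnsQueryByProcess {
    param([int]$Minutes = 10)

    # Turn the operational log on if it is still disabled.
    $cfg = Get-WinEvent -ListLog $LogName
    if (-not $cfg.IsEnabled) {
        $cfg.IsEnabled = $true
        $cfg.SaveChanges()
    }

    $filter = @{
        LogName   = $LogName
        Id        = 3006                          # "DNS query is called for the name ..."
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named field from the event XML instead of relying on position.
            $xml   = [xml]$_.ToXml()
            $query = ($xml.Event.EventData.Data |
                      Where-Object { $_.Name -eq 'QueryName' }).'#text'

            # The event is written in the context of the process that called
            # the resolver API, so its ProcessId is the requesting program.
            $proc = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Time      = $_.TimeCreated
                ProcessId = $_.ProcessId
                Process   = if ($proc) { $proc.ProcessName } else { '(exited)' }
                QueryName = $query
            }
        }
}

# Summary: which program looked up which name, most frequent first.
Get-DnsQueryByProcess -Minutes 10 |
    Group-Object Process, QueryName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Lookups made before the log was enabled are not recorded, and a process that has already exited is reported by its ID only.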