Windows DNS Client Behavior: Failover to Secondary DNS and Reversion Logic Explained for Developers


When a Windows client (Windows 10/11 or Server OS) experiences DNS resolution failures with the primary server, it follows this sequence:

  1. Initial query to primary DNS (immediate)
  2. First retry after 1 second (if no response)
  3. Second retry after another 2 seconds
  4. Failover to secondary DNS after ~3 seconds total

The client maintains an internal "server ranking" system that prefers the primary DNS. Reversion occurs when:

  • The primary server becomes responsive again
  • Existing DNS cache entries expire (default TTL respected)
  • Network interface resets or system reboots

You can programmatically clear the DNS cache to trigger re-evaluation:

Clear-DnsClientCache
Restart-NetAdapter -Name "Ethernet"

Use this WMI query to check active DNS servers:

Get-WmiObject -Namespace root\StandardCimv2 -Class MSFT_NetDNSSetting | 
Select-Object InterfaceAlias,ServerAddresses

Modify failover timing via registry (requires admin):

# The original line break after -Path is not a valid PowerShell continuation; a backtick is required
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" `
    -Name "QueryTimeoutMillis" -Value 1000 -PropertyType DWord

Note: Values are in milliseconds (default 3000ms for total wait time)

Capture DNS traffic for analysis:

netsh trace start scenario=NetConnection capture=yes tracefile=dns.etl
# Reproduce issue
netsh trace stop


Windows clients implement a sophisticated DNS server failover mechanism that follows specific timing patterns and conditions when switching between primary and secondary DNS servers. The behavior is governed by both built-in timeout values and successful query responses.

When the primary DNS server fails to respond, Windows clients exhibit the following behavior:

  • Initial timeout: 1 second for the first query attempt
  • Subsequent attempts: The client waits 2 seconds before retrying the primary server
  • Failover trigger: After 3 failed attempts (approximately 5 seconds total), the client switches to the secondary DNS server

# Example PowerShell command to test DNS resolution (TCP reachability of port 53 on the target)
Test-NetConnection -ComputerName example.com -Port 53

The client will automatically revert to the primary DNS server when:

  • The primary server successfully responds to a query
  • The DNS client service is restarted
  • The network interface is reset (disable/enable) or reconnected
  • The system reboots

You can modify default timeout values using the registry (use with caution):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"QueryTimeout"=dword:00002710
"NegativeCacheTime"=dword:00000000
"NetFailureCacheTime"=dword:00000000

Use these commands to monitor DNS server usage:

# View DNS cache (includes which server resolved each entry)
ipconfig /displaydns

# Clear DNS cache to force new resolutions
ipconfig /flushdns

# Continuous DNS resolution test (PowerShell); set $dnsServer to the server under test
$dnsServer = "<primary_dns_ip>"
1..10 | % { Resolve-DnsName example.com -Server $dnsServer }

Case 1: If the secondary server is consistently being used, verify primary server connectivity:

Test-NetConnection -ComputerName <primary_dns_ip> -Port 53

Case 2: When failover isn't occurring, check if negative caching is interfering:

# Check negative cache time (0 means disabled)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" -Name "NegativeCacheTime"
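As an added example (not part of the original page), the following PowerShell probe ties the monitoring commands and the two troubleshooting cases above together: it reads the Dnscache registry overrides, then queries every server configured on an interface directly, bypassing the local cache, so you can see whether the primary or a secondary is the one answering and how long each takes. The interface alias and the probe name are assumptions.

```powershell
# Added example, not from the original page. Probes every DNS server configured on
# an interface so you can see whether the primary or a secondary is answering.
# Assumptions: the interface alias and probe name below; Windows 8/Server 2012+ cmdlets.
param(
    [string]$Name = 'example.com',
    [string]$InterfaceAlias = 'Ethernet'
)

# 1. Show the Dnscache registry overrides discussed above (absent = Windows default)
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$params = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
foreach ($n in 'QueryTimeout', 'NegativeCacheTime', 'NetFailureCacheTime') {
    $v = if ($null -ne $params -and $null -ne $params.$n) { $params.$n } else { '(default)' }
    Write-Host ('{0,-20} {1}' -f $n, $v)
}

# 2. Configured IPv4 servers in preference order: the first entry is the primary
$servers = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias `
            -AddressFamily IPv4).ServerAddresses

# 3. Query each server directly. -DnsOnly skips the local cache and hosts file,
#    so a FAIL here means the server itself did not answer, not a stale cache entry.
$rank = 0
foreach ($srv in $servers) {
    $rank++
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ans = Resolve-DnsName -Name $Name -Server $srv -Type A -DnsOnly -ErrorAction Stop
        $sw.Stop()
        [pscustomobject]@{
            Rank = $rank; Server = $srv; Status = 'OK'; Ms = $sw.ElapsedMilliseconds
            Answer = ($ans | Where-Object Type -eq 'A' | Select-Object -First 1 -ExpandProperty IPAddress)
        }
    } catch {
        $sw.Stop()
        [pscustomobject]@{
            Rank = $rank; Server = $srv; Status = 'FAIL'; Ms = $sw.ElapsedMilliseconds
            Answer = $_.Exception.Message
        }
    }
}

# 4. A secondary answering while the primary fails, or the primary answering only after
#    several seconds, is the failover condition described above. Compare with the cache:
Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive
```

Run it once on a healthy client to record a baseline, then again while the problem reproduces; a primary that shows FAIL or multi-second latency next to a fast secondary explains why the client is sitting on the secondary server.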