Windows Services Console

Why and how to disable the Windows DNS Client Service

The Windows DNS client is poorly named. It is not a true DNS client but rather a DNS caching service. It caches records of all domain names you have visited (resolved). Overall this is a positive feature for network performance as it can greatly reduce the time it takes to begin the actual connection to a domain-named network service.

The information here is up to date for Windows 10 as of publication.

Why should I disable the Windows DNS Client Service?

  1. The most common reason I encounter is people using extremely large HOSTS files, often to block off dangerous domains/hosts. The Windows DNS Client Service is unable to load such large files, and this often results in network access breaking down completely and even system instability. I recommend that you stick to a smaller HOSTS file anyway, as it is less likely to break access to common websites.
  2. Privacy: This is a huge one as the Windows DNS Client Service provides a handy list of every resolved hostname to anyone and any app with user-level access. This is a better reason to disable it.
  3. DNS Conflicts: This is a rarer issue but one that is still important to mention here. Your computer/device having its own DNS cache may conflict with other upstream network components (home routers, ISP, etc.). They may decide to route the same hostname to different IP addresses. For this reason I disable the Windows DNS Client Service and rely on my Fresh Tomato Router (Netgear R7000) to run a DNS caching service for all of my devices. It is generally faster and safer, and since it runs a DNS server alongside the caching there are generally no conflicts on my network like the ones I mentioned above. Well, at least they are less likely now…

You can view all the entries in your DNS cache by doing the following as an Administrator. If you have trouble launching these apps and commands as an Administrator, press the WinKey and just type out cmd, services.msc, or regedit; you will see them listed as items, and you can right-click on them and select Run as administrator.

  1. Press WinKey + R and hit ENTER
  2. Type in cmd and hit ENTER
  3. Type in ipconfig /displaydns and hit ENTER

You can also flush out the DNS cache by doing the following:

  1. Press WinKey + R and hit ENTER
  2. Type in cmd and hit ENTER
  3. Type in ipconfig /flushdns and hit ENTER
  4. Type in ipconfig /displaydns and hit ENTER to confirm the flush was truly successful.

Steps to disable the Windows DNS Client Service:

  1. Press WinKey + R and hit ENTER
  2. Type in regedit and hit ENTER
  3. Browse to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
  4. Find the key (the type is DWORD) named Start and change its value from 4 to 2
  5. Restart your computer.
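As an added example (not code from the original post), the cache-viewing steps and the registry steps above carried into PowerShell: the script reads the Dnscache Start DWORD and decodes it with Microsoft's documented meanings for service Start values (0 Boot, 1 System, 2 Automatic, 3 Manual, 4 Disabled), reports how many names are currently cached, and can write a new Start value. The function names are my own; an elevated session is assumed.

```powershell
# Added example, not from the original post: inspect and change the startup
# type of the Dnscache service through the registry key the post refers to.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache'

# Documented meanings of a Windows service's Start DWORD.
$startTypes = @{
    0 = 'Boot'
    1 = 'System'
    2 = 'Automatic'
    3 = 'Manual'
    4 = 'Disabled'
}

function Get-DnscacheStartup {
    # Current Start value, its meaning, the live service status and the
    # number of distinct names in the resolver cache (0 when the service is
    # not running, since Get-DnsClientCache then has nothing to query).
    $start = (Get-ItemProperty -Path $regPath -Name Start).Start
    $svc   = Get-Service -Name Dnscache
    try   { $names = (Get-DnsClientCache -ErrorAction Stop | Select-Object -ExpandProperty Entry -Unique).Count }
    catch { $names = 0 }
    [pscustomobject]@{
        StartValue  = $start
        StartupType = $startTypes[[int]$start]
        Status      = $svc.Status
        CachedNames = $names
    }
}

function Set-DnscacheStartup {
    param(
        [Parameter(Mandatory)][ValidateSet('Automatic', 'Manual', 'Disabled')]
        [string]$Type
    )
    # Reverse lookup: startup type name -> DWORD value to write.
    $value = ($startTypes.GetEnumerator() | Where-Object Value -eq $Type).Key
    # Requires an Administrator session; the change takes effect after a reboot.
    Set-ItemProperty -Path $regPath -Name Start -Value $value -Type DWord
    Write-Host "Dnscache Start set to $value ($Type); restart to apply."
}

# Show the current state before changing anything. On a default install this
# reports StartValue 2 (Automatic) with the service Running.
Get-DnscacheStartup
```

To stop the service from starting, call `Set-DnscacheStartup -Disabled` style usage as `Set-DnscacheStartup -Type Disabled`, which writes 4; `-Type Automatic` writes 2 to restore the default.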

Addendum: I do not recommend that you disable this service unless the above issues are of a higher concern to you. The performance loss from disabling it may be noticeable for some users as it may delay overall connection times (transfer rates/latency are 100% unaffected by this, no matter what anyone tells you!). If the privacy concerns are high for you, then disabling it is still worth it but remember to make use of decent DNS servers in general.


Comments

14 responses to “Why and how to disable the Windows DNS Client Service”

  1. Franck

    Thanks a lot for the great guide and information!

    1. Cletus

      Disabling it fixed my issue. I had to disable it because visiting regular websites would produce the DNS_PROBE_FINISHED_NXDOMAIN errors. I’m talking websites like Amazon, Netflix, etc.

      Clearing the dns cache didn’t resolve it. Disabling the service via the registry was the only fix that worked for me.

  2. Archon

    Point 4: “Find the key (The type is DWORD) named Start and change it’s value from 4 to 2”,
    Values are 1: Automatic delayed, 2: Automatic, 3: Manual, 4: Disabled. So it should be the opposite.

  3. You SONG

    >Privacy: This is a huge one as the Windows DNS Client Service provides a handy list of every resolved hostname to anyone and any app with user-level access. This is a better reason to disable it.

    In tests it looks like the cache is done per user!
    On my computer
    ipconfig /displaydns
    is different for every user and no personal lookups are shown in other processes.
    (some lookups are common in all lists – but these are lookups done for every user, e.g. from the virus scanner)

    1. You SONG

      > for every user and no personal lookups are shown in other processes.
      for every user and no personal lookups are shown in other processes of others logins.

      1. You SONG

        I even had no success with a side-channel timing attack.
        user A looks up website1.com
        The first lookup is slow, the next lookups are cached and faster

        user B looks up website1.com
        The first lookup again is slow (done by DNS and not a cache), the next lookups are cached and faster

        On my system user B cannot measure the lookup time to check which lookups user A has done.

  4. Erik

    Disabling DNS client with this registry modification worked for a while, but now I find that the service is started regardless of the registry setting. Either Windows is now ignoring the startup setting, or some other service is starting DNS Client.
