Resolver Cache – Linux vs Windows

  1. Wireshark Capture - Ubuntu
  2. Wireshark Capture for IPv6 Training

Microsoft Windows OS’ have a resolver cache built into the actual OS.  Most Windows admins already know this.  When your Windows system performs a DNS query the results are stored by the OS and are available for use by other applications and processes running on the system.  This means that you can resolve to its IP address using Firefox and then open a command prompt and ping without your system performing a new DNS query in support of the ping.  The ping command will use the cached entry stored by the OS.  For Windows systems you can view and control (somewhat) this using these commands:

  • ipconfig /displaydns – This command will show you what is currently in the resolver cache of your Windows OS.
  • ipconfig /flushdns – This command will clear your resolver cache.

By default, Linux systems do not have a built in resolver cache.  Each app handles this function on its own.

You can observe the differences between the two systems by doing this:

  1. Set up two computers, one running your favorite Windows OS and one running your preferred Linux OS.  For my example, I used Windows Server 2008 R2 and Ubuntu 12.04 LTS.
  2. Install Wiresharek on both systems.
  3. Install Firefox and Google Chrome on each system.
  4. Start a Wireshark capture then configure and apply this filter: == “
  5. On the Linux system:
    • With Wireshark running, open Firefox and go to  You will see a query captured in Wireshark.
    • With Wireshark still running, open Google Chrome and go to  You will see another query for captured in Wireshark.  This is because the cached resolution from Firefox is not available to Chrome (e.g Firefox caches the resolution, not Linux)
    • With Wireshark still running, open a terminal.  Ping  You will see a third query for in the capture.
  6. On the Windows system:
    • Perform the same three steps you did on the Linux system.  You will capture a query the first time you go to (using Firefox).
    • Opening Chrome and pinging the web site will not generate additional queries.  These apps are using the cached result stored by the OS.

Wireshark Capture - Ubuntu
Wireshark Capture – Ubuntu

Wireshark Capture - Windows
Wireshark Capture – Windows

Firefox has it’s own DNS cache, too (regardless the system on which it is running) and Firefox’s default behavior is to store resolved DNS queries for 60 seconds.  As you follow one link to the next on the web site the browser does not need to continuously query DNS.  This is a good thing because it’s not typically going to be beneficial to do a new DNS query just so you can move from to  The content of both of those pages is on the same site; doing a new DNS query each time you move from page-to-page is only going to slow down your ‘user experience’.

All of these settings can be controlled, of course.

A few random notes you may find interesting:

  • Linux systems can be configured with a local DNS cache using dnsmasq (not installed by default).
  • Both Chrome and Firefox perform DNS pre-fetching.  This means they pre-resolve links on a page you are visiting in anticipation of you clicking on them.  DNS pre-fetch info for Firefox is here.  DNS pre-fetch for Chrome is here.
  • Using the registry you can control Windows DNS caching behavior.  Microsoft provides info on how to do this in Q318803.
  • In Windows you can stop the OS client resolver cache from a command line by typing net stop dnscache.
  • In Firefox you can enter about:config in the address bar and control DNS caching by adding the network.dnsCacheExpiration and network.dnsCacheEntries values.  The Expiration value is a number of minutes before timeout (default=1 minute) and the Entries value is the total number of cached entries that can be stored (default=20 entries).  Neither of these values exists by default.  You will have to add them.
  • In Chrome you can type about:dns in the address bar to view DNS Pre-Fetch information.
  • Starting a Private Browsing session in Firefox or opening an Incognito window in Chrome clears the browser’s DNS cache entries.
Colin Weaver

Owner/Lead Trainer

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.