How to access the NT Name Cache?

Michael M.

Hi all,

I would like to know how to access the NT/2000/XP/2003 Name cache; what I
mean by this is:

Open a Command Prompt and...

C:\>
C:\>IPCONFIG /DISPLAYDNS

You will see a bunch of cached name records for pretty much all of the
websites / domains that have been resolved since you booted the computer. I
would really like to know what API or function I could access this data with
so it could speed up my DNS lookups, but I have been unable to find the API
function.

Please help

Regards,

Michael.
 
Michael M.

OK.

So I opened the IPconfig.exe from C:\windows\system32\

I see an external symbol link to a function called DnsGetCacheDataTable().
Sounds like it could be the one!

Does anyone know where to get the C/C++ header for this or an already VB
converted one?

It's not listed in the Win2k3 SDK.

regards

Mike.
 
Scott M.

Have you looked at your hosts file? This file can be used to do exactly
what you are asking about. If your program just opened this text file and
appended to it, you'd get what you want.
 
Michael M.

Thanks Scott,

I am aware of the Hosts file, but this is static; only your localhost
127.0.0.1 record is there by default, and it does not get automatically updated.

This file is loaded into the name cache; you can see its entries with IPconfig /
DisplayDns, but
IPconfig / FlushDns does not remove them. (Why are these commands not
listed when you type IPconfig / ? They are not exactly secret ????)

Win XP does names like this, I believe:

Host File & LMhost file -> loads into cache -> check cache -> check dns
server <-> wait for lookup

on a NT / 2Kx domain might append default DNS suffix to the name and check
for that as well.

Anyway what I want is:

Let's say the scenario of an internet access / NAT Windows server that has a
bunch of connections to webservers. All of those webservers have already
been translated to IP addresses, and stored in that name cache and
(depending on Time To Live) will be there for some time.

It makes no sense for an application to launch a new thread and look up
Google.com or Microsoft.com again when it has already been done and stored.
I would like to read that data into an array or List every 60 seconds or so,
and search that before doing a lookup (I will be doing reverse lookup so
won't be able to rely on NT searching the cache for me).

I have found a C++ example code that has some clues on this; if I can convert
it and get it to work I will naturally post back here.

The other thing is writing to that file could leave stale records. I would
have to loop through and then update them or client computers would lose
domain resolves on the LANs that the software runs on.

Thanks for your reply though, I have seen ad / popup blocking software
write dodgy domains to that file!

Example
Adverts.SomeDodgyCompany.Com 127.0.0.1

or is it the other way round?

That will not resolve so is quite effective :0)

Regards

Mike.
 
Scott M.

Hey Mike,

I wish I had more info for you, but I can tell you that typing "ipconfig
/?" <---no space between / and ? does give you a list of all command line
switches.

good luck
 
Eric

Very interesting question... there's so little out there!

All I've learned so far is that the DnsGetCacheDataTable() function is in
dnsapi.dll, but you've probably already figured that one out. There appears
to be good info in the article titled: "Explore the Windows DNS cache" here:
http://www.codepieces.net/ , but I guess I'm not literate enough to
understand the example.

I was thinking I could just figure out where the cache is stored and access
it myself, but I've learned it's all in RAM, so no-go on that front.

Anyway, good luck!
 
_AnonCoward

: Hi all,
:
: I would like to know how to access the NT/2000/XP/2003 Name cache; what I
: mean by this is:
:
: Open a Command Prompt and...
:
: C:\>
: C:\>IPCONFIG /DISPLAYDNS
:
: You will see a bunch of cached name records for pretty much all of the
: websites / domains that have been resolved since you booted the computer. I
: would really like to know what API or function I could access this data with
: so it could speed up my DNS lookups, but I have been unable to find the API
: function.
:
: Please help
:
: Regards,
:
: Michael.


This isn't what you're looking for specifically, and it's really an
ugly hack, but....

How about running the IPCONFIG command from a shell and piping the
output to a file? (IPCONFIG /DISPLAYDNS >
[SOME_FOLDER]\displaydns.dat)

From there, you could open the file, parse the contents then delete
it. That would do as an interim solution.

Ralf
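
The shell-and-parse approach suggested in this post, as an added example (not code from any poster in the thread): a Python parser for `ipconfig /displaydns` output that also builds the address-to-name index needed for the reverse lookups mentioned earlier in the thread. The sample text is constructed, and the field labels assume the English-language output layout.

```python
import re
from collections import defaultdict

# Constructed, abridged sample in the English-locale layout of
# `ipconfig /displaydns`; names and addresses are placeholders.
SAMPLE = """
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    A (Host) Record . . . : 192.0.2.10

    cdn.example.net
    ----------------------------------------
    Record Name . . . . . : cdn.example.net
    Record Type . . . . . : 5
    Time To Live  . . . . : 60
    CNAME Record  . . . . : www.example.com
"""

# "Label . . . : value" -> (label, value); labels never contain dots or digits.
FIELD = re.compile(r"^\s*([A-Za-z() ]+?)[ .]*:\s*(.*)$")

def parse_displaydns(text):
    """Return one dict per cached record: name, type, ttl, data."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # banner, entry header and dashed rule carry no field
        label, value = m.group(1), m.group(2).strip()
        if label == "Record Name":
            records.append({"name": value.rstrip(".").lower()})
        elif records and label in ("Record Type", "Time To Live"):
            records[-1]["type" if label == "Record Type" else "ttl"] = int(value)
        elif records and label.endswith("Record"):
            records[-1]["data"] = value  # "A (Host) Record", "CNAME Record", ...
    return records

def reverse_index(records):
    """Map address -> names using A (type 1) and AAAA (type 28) records."""
    index = defaultdict(set)
    for r in records:
        if r.get("type") in (1, 28) and "data" in r:
            index[r["data"]].add(r["name"])
    return index
```

The TTL printed for each record is the remaining lifetime at the moment the command ran, so an index built this way should be refreshed or aged out rather than treated as authoritative.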
 
Scott M.

That's what I was suggesting, but instead of "some file", I suggested using
the hosts file, since it is consulted automatically.
 
Michael M.

Ok, I have converted the C++ sample and I have it working now, but I have a
question.

I am new to VB.net and have been only programming on and off for the last two
months.

Using the interop Marshal class I need to retrieve a string from a pointer.
The string is passed from the DnsGetCacheDataTable() so it is a C++ string; all
I have is the start memory address of a string. How do I determine the length
of the string so I don't hit the "tried to read protected memory" error?

Right now I am just reading 128 bytes from the start address of the string
pointer; it seems to work about 95 out of 100, which is weird.

Eric <[email protected]> posted me this, which had a link to a C++ example
which I converted.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Very interesting question... there's so little out there!

All I've learned so far is that the DnsGetCacheDataTable() function is in
dnsapi.dll, but you've probably already figured that one out. There appears
to be good info in the article titled: "Explore the Windows DNS cache" here:
http://www.codepieces.net/ , but I guess I'm not literate enough to
understand the example.

I was thinking I could just figure out where the cache is stored and access
it myself, but I've learned it's all in RAM, so no-go on that front.

Anyway, good luck!

PS: if anyone is interested I can post my VB.Net port of this function.

Regards,

Michael.
 
Michael M.

What an idiot.
I did not check the overload options of Marshal.PtrToStringAuto; the second
option does not require a length guess it finds the first null char or
something then returns all chars to the left of that?

Michael.
 