
KB 150103 - Maintenance - VASCO Data Security

Applies to: IDENTIKEY Server 3.4 - DAWL

KB 150103 – 28/06/2013 © 2013 VASCO Data Security. All rights reserved.

Page 1 of 5

KB 150103

How to speed up IDENTIKEY DNS lookup of the Windows Logon DAWL client on Windows 7?

Creation date: 27/05/2013
Last Review: 28/06/2013
Revision number: 2
Document type: How To
Security status: EXTERNAL

Summary

This article explains how DNS lookup is used in the DIGIPASS Authentication Windows Logon (DAWL) client and how the lookup can be improved for Windows 7.

Details

When configuring IDENTIKEY Server for use with DAWL, the default DAWL configuration resolves the IDENTIKEY Server using DNS lookup.

IDENTIKEY Server can be configured to register itself (at startup) in the AD DNS server, so that it can be resolved by the DAWL clients.

Below, you can see that IDENTIKEY Server can be found in the DNS server:

In this example: _ikeyserver-seal._tcp.vdsi.local


When DAWL needs to find IDENTIKEY Server, it uses the following mechanisms in this order:

1. Send the unqualified multi-label name to the Microsoft DNS Client
2. Send the qualified multi-label name to the Microsoft DNS Client
3. Use the Primary and Backup IP Address of the IDENTIKEY Server

1. DAWL sends the unqualified multi-label name to the Microsoft DNS Client.

The DAWL client appends ._tcp to the DNS server service name (configured in the DAWL client) and passes the DNS request to the Microsoft DNS Client.

Depending on the OS, the Microsoft DNS Client handles the DNS request slightly differently.

1.1. On Windows XP

When a Windows XP machine attempts to resolve an unqualified multi-label name, the DNS client first attempts to resolve the name exactly as specified.

If this DNS query fails, it appends the domains that are listed in the DNS suffix search order and queries again.

So the DNS queries that are sent are:

- _ikserver-seal._tcp
- _ikserver-seal._tcp.vasco.local

(supposing that the DNS suffix search list is vasco.local)

On XP we should see something like this in a Wireshark trace:

1.2. On Windows 7 and Vista

When a Windows 7 (Vista) machine attempts to resolve an unqualified multi-label name, the DNS client attempts to resolve the name exactly as specified. The DNS suffix search order is NOT used.

So the only DNS query that is sent is:

- _ikserver-seal._tcp

Remarks:

o When the IDENTIKEY Server cannot be found (the DNS query fails), the DAWL client tries this mechanism a second time (DAWL sends the same unqualified multi-label name a second time to the Microsoft DNS Client).

o The DNS suffix search list can be seen by running ipconfig /all in a command prompt:


When DHCP is used, the DNS suffix search list is filled in automatically.

When a fixed IP/DNS is used, the DNS suffix search list is configured in the advanced Internet Protocol properties:

2. DAWL sends the qualified multi-label name to the Microsoft DNS Client.

If IDENTIKEY Server is not found after step 1 described above, the DAWL client falls back to its back-up plan.

The DAWL client combines the DNS suffix of the PC name with the "DNS server service name" from the DAWL configuration and passes this DNS request to the Microsoft DNS Client.

In our example: _ikeyserver-seal._tcp.vdsi.local

If the PC is located in a sub-domain, DAWL also tries to find IDENTIKEY Server in the parent domains of the domain tree.

E.g. if the PC is W7PC.sub2.sub1.mydomain.local, then DAWL tries:

- _ikeyserver-seal._tcp.sub2.sub1.mydomain.local
- _ikeyserver-seal._tcp.sub1.mydomain.local
- _ikeyserver-seal._tcp.mydomain.local
- _ikeyserver-seal._tcp.local

3. Use the Primary and Backup IP Address of the IDENTIKEY Server

If the IDENTIKEY Server cannot be resolved via DNS (steps 1 and 2 have failed), DAWL uses the IP addresses entered in the DAWL configuration.
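The following PowerShell function is an added example, not code from the VASCO KB or from the DAWL product, that reproduces the three-step lookup order described above: it returns the ordered list of DNS queries a DAWL client would issue for a given service name, computer FQDN and suffix search list, with the XP-style suffix appending switchable on or off. The function and parameter names are invented; the double attempt in step 1 is taken from the remark in section 1.2 and is assumed here to apply on every OS.

```powershell
# Added example (not part of the VASCO KB): enumerate the DNS queries the DAWL
# lookup order would produce for one client. Names are invented; the "._tcp"
# suffix, the two attempts in step 1 and the walk up the domain tree in step 2
# follow the KB text. Step 3 (Primary/Backup IP) sends no DNS query.
function Get-DawlDnsQueryOrder {
    param(
        [Parameter(Mandatory=$true)] [string] $ServiceName,    # "DNS server service name" from the DAWL config, e.g. _ikeyserver-seal
        [Parameter(Mandatory=$true)] [string] $ComputerFqdn,   # e.g. W7PC.sub2.sub1.mydomain.local
        [string[]] $SuffixSearchList = @(),                    # the list shown by "ipconfig /all"
        [switch]   $AppendSuffixToMultiLabel                   # on by default on XP; on Win7/Vista only once the policy is enabled
    )

    $unqualified = "$ServiceName._tcp"
    $queries = New-Object System.Collections.Generic.List[string]

    # Step 1: the unqualified multi-label name. DAWL hands it to the Microsoft
    # DNS Client twice; only an XP-style client appends the suffix search list.
    for ($attempt = 1; $attempt -le 2; $attempt++) {
        $queries.Add($unqualified)
        if ($AppendSuffixToMultiLabel) {
            foreach ($suffix in $SuffixSearchList) { $queries.Add("$unqualified.$suffix") }
        }
    }

    # Step 2: DAWL's back-up plan. Qualify the name with the PC's own DNS suffix,
    # then strip one label at a time up to the root of the domain tree.
    $labels = $ComputerFqdn.Split('.')
    for ($i = 1; $i -lt $labels.Length; $i++) {
        $domain = $labels[$i..($labels.Length - 1)] -join '.'
        $queries.Add("$unqualified.$domain")
    }

    return $queries
}

# Windows 7 default: step 1 never appends the search list, so the record is only
# found in step 2, after two failed queries for "_ikeyserver-seal._tcp".
Get-DawlDnsQueryOrder -ServiceName '_ikeyserver-seal' -ComputerFqdn 'W7PC.sub2.sub1.mydomain.local' -SuffixSearchList 'mydomain.local'

# Same client with suffix appending enabled (XP, or Windows 7 after the fix
# in "Problem Solution"): the suffixed name is already queried in step 1.
Get-DawlDnsQueryOrder -ServiceName '_ikeyserver-seal' -ComputerFqdn 'W7PC.sub2.sub1.mydomain.local' -SuffixSearchList 'mydomain.local' -AppendSuffixToMultiLabel
```

Comparing the two outputs makes the cost of the Windows 7 default visible: every failed query in step 1 has to time out before step 2 starts, which is the delay the next section removes.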

Problem Solution

As explained above, DNS resolution of IDENTIKEY Server fails in step 1 on a Windows 7 machine.

To speed up DNS discovery on a Windows 7 machine, apply the setting described in:

http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx

As explained in the article, run gpedit.msc, then enable:

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries"

In regedit you should see:


When this registry key is set, IDENTIKEY Server should be resolved in step 1 and no longer by the DAWL back-up plan (step 2) explained above.

This can also be set in the group policy at the domain level:
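To verify the fix on a client, or to apply it on a machine that does not receive the domain policy, the PowerShell below is an added example, not part of the VASCO KB. It assumes that the "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" policy is stored as the DWORD value AppendToMultiLabelName under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (the location given in the referenced TechNet article; the KB's own regedit screenshot is not reproduced here), and that the statically configured suffix list lives in the Tcpip Parameters SearchList value. Function names are invented.

```powershell
# Added example (not from the VASCO KB): check, and if needed enable, the policy
# that lets the Windows 7 DNS Client append the suffix search list to
# unqualified multi-label names such as "_ikeyserver-seal._tcp".
# Assumption: the policy maps to this registry key/value (per the TechNet
# article referenced in the KB); verify against gpedit.msc on your own build.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$PolicyValue = 'AppendToMultiLabelName'

function Test-DnsMultiLabelSuffixAppending {
    # $true only when the value exists and is 1 (policy "Enabled").
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyValue -eq 1)
}

function Enable-DnsMultiLabelSuffixAppending {
    # Equivalent to enabling the setting in gpedit.msc; needs an elevated prompt.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyValue -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-StaticDnsSuffixSearchList {
    # The list that is appended must contain the domain holding the SRV record
    # (e.g. vdsi.local). This reads only the statically configured list; on a
    # DHCP client use "ipconfig /all" to see the effective list, as the KB shows.
    $tcpip = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $tcpip -or [string]::IsNullOrEmpty($tcpip.SearchList)) { return @() }
    return $tcpip.SearchList.Split(',') | ForEach-Object { $_.Trim() }
}

if (Test-DnsMultiLabelSuffixAppending) {
    Write-Host 'Suffix appending for multi-label names is enabled: step 1 of the DAWL lookup can succeed.'
} else {
    Write-Host 'Policy not enabled: step 1 of the DAWL lookup will fail and DAWL falls back to step 2.'
    Enable-DnsMultiLabelSuffixAppending
}
Write-Host ('Static DNS suffix search list: ' + ((Get-StaticDnsSuffixSearchList) -join ', '))
```

A domain-wide GPO, as the KB recommends, writes the same policy value on every client; the local registry write is useful on a single test machine, or to confirm in a Wireshark trace that the suffixed query now appears in step 1 rather than step 2.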