Skip navigation

What's DNS name devolution?

Q: What, exactly, is DNS name devolution? Are there any security risks linked to this DNS feature? Has anything changed in Windows 7 and Windows Server 2008 R2 to better protect my Windows platforms against these security risks?

A: DNS name devolution is a built-in feature of the Windows DNS Client. Users of Active Directory (AD)-joined computers can use DNS name devolution to connect to resources using an unqualified name, such as mailserver1, instead of using a Fully Qualified Domain Name (FQDN), such as Thanks to name devolution, the DNS client will automatically append portions of the AD-joined computer's primary DNS domain suffix (for example, "") to the unqualified name during the DNS name resolution process.

Learn more: DNS in Windows Server 2008 R2

For example, when a user on a computer that's a member of the domain uses the resource name mailserver1, the DNS client will automatically try to resolve the and FQDNs.

An important parameter in the DNS name devolution process is the devolution level. It refers to the number of labels in the primary DNS domain suffix at which the devolution process stops. Labels are the parts of a DNS name that are separated by dots. In the above example, emea, mydomain, and net are the three labels of the domain suffix.

In Windows versions prior to Windows 7 and Windows Server 2008 R2, the DNS name devolution level is always two. This means that if you type mailserver1 and the primary domain suffix is, the DNS client will first try to resolve, then, then finally At this point devolution will stop, because only two labels—dc and net—are left.

The default devolution level of two creates a security risk. It may cause domain-joined computers to connect to a malicious computer on the Internet that's outside of the control of an organization's AD domain. Let me illustrate this with an example.

A domain-joined computer's primary domain suffix is (mycompany is located in Florida, hence the extension and tries to connect to mailserver1. In this example, the DNS client will try to resolve and The last name in this list,, is outside of the control of my company. If a malicious person has registered in the DNS, the name resolution will succeed, the domain-joined computer will try to connect to it, and the malicious user could spoof an internal server.

In Windows 7 and Server 2008 R2, Microsoft changed the default DNS devolution behavior such that it cannot cause an internal client to connect to an external computer. Microsoft also provides an update for older Windows platforms to bring the new DNS devolution logic to these older platforms. Microsoft offers more information on this fix.

The DNS devolution logic has changed as follows:

  • If the number of labels in the AD forest root domain's DNS name is one or a machine's primary DNS suffix doesn't end with the forest root domain's DNS name, DNS devolution is automatically disabled. For example, if a computer is a member of the domain and the forest root domain name is, devolution is disabled ( does not end with
  • If a machine's primary DNS suffix ends with the forest root domain's DNS name, the devolution level is automatically set to the number of labels in the forest root domain. For example, if the computer is a member of the domain and the forest root domain name is, the devolution level is set to three (which matches the number of labels in

More information on this new DNS devolution behavior can also be found in a Microsoft Technet article.

You can enable name devolution from the DNS tab in the advanced properties of the TCP/IPv4 and TCP/IPv6 protocols of a Windows box's network interfaces. When you click Append primary and connection specific DNS suffixes and select Append parent suffixes of the primary DNS suffix, name devolution is enabled, as shown here.

DNS name devolution

You can also centrally configure name devolution with the following Group Policy settings, which are located in the Computer Configuration\Administrative Templates\Network\DNS Client GPO container:

  • Primary DNS Suffix Devolution: This Group Policy Object (GPO) setting controls the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\UseDomainNameDevolution registry value.
  • Primary DNS Suffix Devolution Level:  This GPO setting controls the HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DomainNameDevolutionLevel registry value.

Learn more: DNS Enhancements in Windows Server 2008 R2

    TAGS: Security
    Hide comments


    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.