PowerShell remoting & DNS

I’ve noticed a strange thing: PowerShell remoting works much faster if you use the remote computer’s IP address for the connection rather than its DNS name. Well, not everything is faster, just the re-connections. PowerShell uses HTTP (or HTTPS) to send the data. This connection is cached between successive commands, but if you don’t enter anything for a few minutes, it gets dropped and then re-established when you enter the next command. This re-establishment, and also the initial connection, works much faster with the IP address than with the DNS name. The effect is most pronounced when connecting over a WAN, such as to a VM in Azure. I don’t know why. There shouldn’t be that much delay in DNS resolution. It’s a mystery.

Of course, this won’t work with HTTPS connections: HTTPS requires that the machine name you connect to matches the name in the certificate.

P.S. Here is the real answer: this happens if the client is not domain-joined and the user name was specified without an explicit domain, as you would typically do when connecting to an Azure machine. The slowness comes from an attempt to use the domain of the machine you’re connecting from. The workaround is to use an explicit domain, or more exactly the “non-domain” qualifier that says the user belongs to the remote machine, i.e. instead of “myuser” use “.\myuser”.
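An added example, not code from the original post, that measures what the P.S. describes: it times New-PSSession against one target with the bare user name and then with the “.\”-qualified one, so you can see the difference in seconds rather than guess. It assumes $Target and $UserName are a remote host and a local account on it, and that WinRM is already enabled on both sides.

```powershell
# Added example, not code from the original post: time session setup for the two
# user-name forms the post compares ('myuser' vs '.\myuser') against one target.
# Assumptions: $Target is the remote host's DNS name or IP, $UserName is a local
# account on that host, and WinRM is already enabled on both sides. When the
# target is given as an IP address over HTTP, the client must list it in
# WSMan:\localhost\Client\TrustedHosts (or use -UseSSL), or the connection fails.
param(
    [Parameter(Mandatory)] [string] $Target,
    [Parameter(Mandatory)] [string] $UserName
)

# Prompt once; the same SecureString is reused for both credential objects.
$password = Read-Host -Prompt "Password for $UserName on $Target" -AsSecureString

# Both entries name the same remote local account; only the qualifier differs.
$forms = [ordered]@{
    'bare'          = $UserName       # 'myuser'   - client may first try its own domain
    'dot-qualified' = ".\$UserName"   # '.\myuser' - explicitly the remote machine's account
}

$results = foreach ($label in $forms.Keys) {
    $cred = New-Object System.Management.Automation.PSCredential($forms[$label], $password)

    # Stopwatch rather than Measure-Command so $session stays in this scope.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $session = New-PSSession -ComputerName $Target -Credential $cred -ErrorAction Stop
    $sw.Stop()

    # Confirm the session is usable, then tear it down so each run starts cold.
    $remoteHost = Invoke-Command -Session $session -ScriptBlock { $env:COMPUTERNAME }
    Remove-PSSession -Session $session

    [pscustomobject]@{
        UserNameForm = $label
        UserName     = $forms[$label]
        RemoteHost   = $remoteHost
        SetupSeconds = [math]::Round($sw.Elapsed.TotalSeconds, 1)
    }
}

$results | Format-Table -AutoSize
```

Run it once with the DNS name and once with the IP address as -Target to reproduce the post’s name-versus-IP comparison as well.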

Comments (3)

  1. Do you use Invoke-Command with the -ComputerName or -Session parameter? What do you mean by "connection is cached"? If you use the IP address in a domain environment, Kerberos authentication won't be used.

  2. Robert Rathbun says:

    Did you perform testing of your DNS server(s) lookup speeds to ensure you don't have an issue with DNS or the network itself? How many milliseconds do your DNS lookups take? What tools did you use to benchmark those results/findings?

    Also, what baseline are you referencing for the faster or slower speed? The terms "FASTER" or "SLOWER" are simply too ambiguous to provide meaning without any associated units of measure as a reference.

    Performing a DNS lookup to resolve NAME to IP Address is always slower in milliseconds, when compared to direct IP based connections, which will always be a bit "faster" in milliseconds. Add PKI to the mix and the connection will be even slower in milliseconds, but again that's by design – more processing overhead = more time.

  3. Yes, this is for the non-domain-joined machines (or machines joined to a different domain); Kerberos is obviously similar in this respect to HTTPS. By the way, HTTPS is slower at connection setup than HTTP, with both using the DNS names.

    It's the argument for -ComputerName (in Enter-PsSession or New-PsSession, with that session later usable for Enter-PsSession or Invoke-Command). With the typical use of Invoke-Command it's less noticeable because the commands get sent automatically one after another and then the session gets closed. With the interactive sessions the delay is much more annoying when you run a command, spend a few seconds looking at its result, then type the new command, and that new command now takes a long time to start.

    Yes, I've checked that the DNS gets resolved quickly, and that the reverse zones are properly populated.

    The difference is in seconds, not milliseconds. Such as 12s by IP vs 54s by name for establishing the connection in Enter-PsSession when connecting to a local VM. It's a mystery to me. Even the 12s with the IP address is way too slow, something somewhere is obviously timing out. I'm taking it up to the PowerShell guys :-)
