
DNS: Wildcards and Search Lists

This article explains how a domain name may be inadvertently appended to all DNS queries. The symptom looks like this:

C:\> ping www.internetdomain.com
Pinging www.internetdomain.com.internal.domain.com [23.24.25.26] ... 


And / Or:
C:\> NsLookup www.internetdomain.com
...
Name:    www.internetdomain.com.internal.domain.com
Address: 23.24.25.26



Cause

This issue can occur in either of these two scenarios.

EITHER

1. A Primary DNS Suffix which is a sub-domain of a public domain name.
Windows IP Configuration

        Host Name . . . . . . . . . . . . : SomeHost
        Primary Dns Suffix  . . . . . . . : internal.domain.com



2.  A Wildcard Record exists for *.domain.com on the public DNS server for domain.com and "Append parent suffixes of the primary DNS suffix" is ticked (TCP/IP settings, Advanced, DNS), or a Wildcard Record exists for *.internal.domain.com.

OR

1.  domain.com exists in the DNS Suffix Search List.

2.  A Wildcard Record exists for *.domain.com on the public DNS server for domain.com.

In either case, each suffix is appended and queried before the multi-label name is submitted on its own.

Examples

In the following examples the detailed responses from NsLookup are available by enabling the Debugging option.
C:\> NsLookup
> set debug
> www.internetdomain.com


Or
> set d2
> www.internetdomain.com


1. With no wildcard record
C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.internal.domain.com

ACTION:  Appending Parent Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.domain.com

ACTION:  Without Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com
ANSWERS:  IP Address(es) of www.internetdomain.com and any related records


2. With a wildcard for domain.com and Append Parent Suffixes selected

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com.internal"



3. With a wildcard for internal.domain.com

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.internal.domain.com. Matching wildcard record to "www.internetdomain.com"



4. With a Wildcard for domain.com and a DNS Suffix Search List including domain.com

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NXDOMAIN
QUESTIONS:  www.internetdomain.com.internal.domain.com

ACTION:  Appending first DNS Suffix from Search List (otherdomain.com)
HEADER:  NXDOMAIN
QUESTIONS:  www.internetdomain.com.otherdomain.com

ACTION:  Appending second DNS Suffix from Search List (domain.com)
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.domain.com
ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com"
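
The query order in Examples 1 to 4 can be reproduced offline with a small model. This is an added example, not part of the original article: the zone contents, the 192.0.2.x addresses and the dc1 host record are constructed, and it assumes that in Example 4 the name internal.domain.com exists in DNS, so the *.domain.com wildcard does not cover names beneath it (closest-encloser rule, RFC 4592).

```python
# Added illustration: models the suffix order shown in Examples 1-4.
# Zone contents, 192.0.2.x addresses and the dc1 record are constructed.
WILDCARD_IP, REAL_IP = "23.24.25.26", "192.0.2.10"
NAME, PRIMARY = "www.internetdomain.com", "internal.domain.com"

def parent_suffixes(suffix):
    """internal.domain.com -> ['domain.com'] (devolution stops at two labels)."""
    labels = suffix.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def candidates(name, primary, append_parents=False, search_list=()):
    """FQDNs queried, in order: suffixed forms first, the bare name last."""
    suffixes = [primary]
    if append_parents:
        suffixes += parent_suffixes(primary)
    suffixes += [s for s in search_list if s not in suffixes]
    return [f"{name}.{s}" for s in suffixes] + [name]

def lookup(zone, qname):
    """Exact match, else the wildcard under the closest existing ancestor."""
    if qname in zone:
        return zone[qname]
    # Every owner name and all of its ancestors count as existing nodes.
    nodes = {".".join(o.split(".")[i:]) for o in zone
             for i in range(o.count(".") + 1)}
    labels = qname.split(".")
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if encloser in nodes:
            return zone.get("*." + encloser)  # None models NXDOMAIN
    return None

def resolve(zone, name=NAME, primary=PRIMARY, **options):
    """(fqdn, address) for the first candidate that answers, else None."""
    for fqdn in candidates(name, primary, **options):
        address = lookup(zone, fqdn)
        if address:
            return fqdn, address
    return None

BASE = {NAME: REAL_IP}                                  # Example 1
EX2 = {**BASE, "*.domain.com": WILDCARD_IP}             # Example 2
EX3 = {**BASE, "*.internal.domain.com": WILDCARD_IP}    # Example 3
EX4 = {**EX2, "dc1.internal.domain.com": "192.0.2.53"}  # Example 4

if __name__ == "__main__":
    print(resolve(BASE, append_parents=True))
    print(resolve(EX2, append_parents=True))
    print(resolve(EX3))
    print(resolve(EX4, search_list=["otherdomain.com", "domain.com"]))
```

Calling resolve(EX4, search_list=["otherdomain.com"]) shows the effect of removing the wildcarded domain from the search list: the bare name is reached and its own address is returned.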



NsLookup vs DNS Client

It is possible that this problem only occurs when using NsLookup. Ping uses the DNS Client, which does not necessarily append the DNS suffix to a multi-label name. NsLookup queries the DNS server directly; it does not use the DNS Client service.

The behaviour of the DNS Client can be controlled by setting a value for "AppendToMultiLabelName" in the registry. Depending on the Operating System this can be in one of two places.

Windows XP, Windows Vista and Windows 2008

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
Name: AppendToMultiLabelName
Data: 0 (Do not append suffix) or 1 (Append suffix)
Default: 0



The default value may vary with Service Pack level for Windows XP.

Windows 2003
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNSCache\Parameters
Name: AppendToMultiLabelName
Data: 0 (Do not append suffix) or 1 (Append suffix)
Default: 0



The default value may vary with Service Pack level for Windows 2003.

Resolution

If this is identified as being a problem, one of the following steps can be taken:

1. Disable "Append parent suffixes of the primary DNS suffix"
2. Remove the domain name containing the wildcard from the DNS Suffix Search List
3. Disable "AppendToMultiLabelName" (will not affect NsLookup)
4. Remove the Wildcard Record
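
To decide which suffix to remove, or which zone carries the wildcard, each suffix can be probed with random labels that should not exist. This is an added example, not from the original article; the function names are hypothetical, and the trailing dot marks each probe as fully qualified so that no suffix is appended to it.

```python
# Added illustration: find suffixes that answer for names that should not exist.
import secrets
import socket
import sys

def system_lookup(fqdn):
    """Resolve through the OS resolver; return addresses, or [] if none."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})
    except socket.gaierror:
        return []

def wildcard_suffixes(suffixes, lookup=system_lookup, probes=2):
    """Map each suffix that answers every random probe to the addresses seen."""
    found = {}
    for suffix in suffixes:
        # Random 16-hex-digit labels; the trailing dot makes the name absolute.
        answers = [lookup(f"{secrets.token_hex(8)}.{suffix}.")
                   for _ in range(probes)]
        if all(answers):
            found[suffix] = sorted({a for ans in answers for a in ans})
    return found

if __name__ == "__main__":
    # Usage: python probe.py internal.domain.com otherdomain.com domain.com
    for suffix, addresses in wildcard_suffixes(sys.argv[1:]).items():
        print(f"{suffix}: wildcard answers {', '.join(addresses)}")
```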
Author: Chris Dent