DNS: Wildcards and Search Lists

This article explains how a domain name may be inadvertently appended to all DNS queries, so that a public name resolves against an internal suffix. The symptom looks like this:

C:\> ping www.internetdomain.com
Pinging www.internetdomain.com.internal.domain.com [23.24.25.26] ... 

And / Or:
C:\> NsLookup www.internetdomain.com
...
Name:    www.internetdomain.com.internal.domain.com
Address: 23.24.25.26

Cause

This issue can occur in either of these two scenarios.

EITHER

1. A Primary DNS Suffix which is a sub-domain of a public domain name:
Windows IP Configuration

        Host Name . . . . . . . . . . . . : SomeHost
        Primary Dns Suffix  . . . . . . . : internal.domain.com


2. A Wildcard Record exists for *.domain.com on the public DNS server for domain.com and "Append parent suffixes of the primary DNS suffix" is ticked (TCP/IP settings, Advanced, DNS), or a Wildcard Record exists for *.internal.domain.com.

OR

1. domain.com exists in the DNS Suffix Search List.

2. A Wildcard Record exists for *.domain.com on the public DNS server for domain.com.

In either case each suffix is tried in turn before the multi-label name is submitted on its own, so a wildcard in any of those suffix zones answers first.

Examples

In the following examples the detailed responses from NsLookup are available by enabling the debugging option:
C:\> NsLookup
> set debug
> www.internetdomain.com

Or
> set d2
> www.internetdomain.com

1. With no wildcard record
C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.internal.domain.com

ACTION:  Appending Parent Suffix
HEADER:  NXDOMAIN (Does Not Exist)
QUESTIONS:  www.internetdomain.com.domain.com

ACTION:  Without Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com
ANSWERS:  IP Address(es) of www.internetdomain.com and any related records

2. With a wildcard for domain.com and Append Parent Suffixes selected

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com.internal"

3. With a wildcard for internal.domain.com

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.internal.domain.com
ANSWERS:  IP Address(es) of *.internal.domain.com. Matching wildcard record to "www.internetdomain.com"

4. With a Wildcard for domain.com and a DNS Suffix Search List including domain.com

C:\> NsLookup
> www.internetdomain.com

ACTION:  Appending Primary DNS Suffix
HEADER:  NXDOMAIN
QUESTIONS:  www.internetdomain.com.internal.domain.com

ACTION:  Appending first DNS Suffix from Search List (otherdomain.com)
HEADER:  NXDOMAIN
QUESTIONS:  www.internetdomain.com.otherdomain.com

ACTION:  Appending second DNS Suffix from Search List (domain.com)
HEADER:  NOERROR
QUESTIONS:  www.internetdomain.com.domain.com
ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com"

NsLookup vs DNS Client

It is possible that this problem only occurs when using NsLookup. Ping uses the DNS Client, which does not necessarily append the DNS Suffix to a multi-label name. NsLookup queries the DNS Server directly; it does not use the DNS Client service.

The behaviour of the DNS Client can be controlled by setting a value for "AppendToMultiLabelName" in the registry. Depending on the Operating System this can be in one of two places.

Windows XP, Windows Vista and Windows 2008

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
Name: AppendToMultiLabelName
Data: 0 (Do not append suffix) or 1 (Append suffix)
Default: 0

The default value may vary with Service Pack level for Windows XP.

Windows 2003
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNSCache\Parameters
Name: AppendToMultiLabelName
Data: 0 (Do not append suffix) or 1 (Append suffix)
Default: 0

The default value may vary with Service Pack level for Windows 2003.

Resolution

If this is identified as the problem, one of the following steps can be taken:

1. Disable "Append parent suffixes of the primary DNS suffix"
2. Remove the domain name containing the wildcard from the DNS Suffix Search List
3. Disable "AppendToMultiLabelName" (will not affect NsLookup)
4. Remove the Wildcard Record
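
The suffix order from the Cause and Examples sections, together with the AppendToMultiLabelName switch and the resolution options above, as an added Python simulation that is not part of the article. It assumes a constructed public zone (the 203.0.113.10 and 198.51.100.1 addresses are constructed) and, for example 4, that internal.domain.com itself exists in the public zone, which is what makes the primary-suffix query NXDOMAIN despite the *.domain.com wildcard (RFC 1034 closest-encloser rule).

```python
# Added example, not from the article: simulate the suffix-appending order its
# traces show, against a constructed public zone that may hold wildcard records.
# Wildcard matching follows RFC 1034 section 4.3.3 (closest-encloser rule).
NAME = "www.internetdomain.com"
REAL = {NAME: "203.0.113.10"}    # constructed "real" record (documentation range)
WILDCARD_IP = "23.24.25.26"      # address the article's wildcard hands back

def lookup(zone, qname):
    """Answer one query against zone {owner: ip}; returns (rcode, answer)."""
    if qname in zone:
        return "NOERROR", zone[qname]
    existing = set()                 # every owner and every ancestor of an owner
    for owner in zone:
        labels = owner.split(".")
        existing.update(".".join(labels[i:]) for i in range(len(labels)))
    labels = qname.split(".")
    for i in range(1, len(labels)):  # walk up to the closest existing ancestor
        parent = ".".join(labels[i:])
        if parent in existing:       # only a wildcard at this level can match
            wc = "*." + parent
            return ("NOERROR", f"{zone[wc]} (via {wc})") if wc in zone else ("NXDOMAIN", None)
    return "NXDOMAIN", None

def candidates(name, primary, append_parent=False, search_list=(), append_to_multilabel=True):
    """Names the resolver tries, in the order the article's NsLookup traces show."""
    if name.endswith("."):           # trailing dot: fully qualified, no suffix is appended
        return [name.rstrip(".")]
    if "." in name and not append_to_multilabel:  # AppendToMultiLabelName = 0
        return [name]
    out = [f"{name}.{primary}"]      # primary DNS suffix first
    if append_parent:                # "Append parent suffixes", down to the second level
        labels = primary.split(".")
        out += [f"{name}.{'.'.join(labels[i:])}" for i in range(1, len(labels) - 1)]
    out += [f"{name}.{s}" for s in search_list]   # then the DNS Suffix Search List
    out.append(name)                 # the multi-label name itself goes last
    return out

def resolve(zone, name, **cfg):
    """Return (trace, qname that answered, answer); trace is [(qname, rcode), ...]."""
    trace = []
    for q in candidates(name, **cfg):
        rcode, ans = lookup(zone, q)
        trace.append((q, rcode))
        if rcode == "NOERROR":
            return trace, q, ans
    return trace, None, None

def scenario(wildcards=(), existing_names=(), **cfg):
    # Public zone = real record + constructed wildcards (+ names that merely exist).
    zone = {**REAL, **{w: WILDCARD_IP for w in wildcards}, **{n: "198.51.100.1" for n in existing_names}}
    return resolve(zone, NAME, primary="internal.domain.com", **cfg)
```

scenario(append_parent=True), scenario(wildcards=["*.domain.com"], append_parent=True), scenario(wildcards=["*.internal.domain.com"]) and scenario(wildcards=["*.domain.com"], existing_names=["internal.domain.com"], search_list=["otherdomain.com", "domain.com"]) reproduce the article's four traces. Passing append_to_multilabel=False queries only the bare name, which is resolution option 3 for the DNS Client.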

Author: Chris Dent