DNS: Wildcards and Search Lists

Chris Dent, PowerShell Developer
This article explains how a domain name may be inadvertently appended to all DNS queries. The problem presents as shown below.

    C:\> ping www.internetdomain.com
    Pinging www.internetdomain.com.internal.domain.com [23.24.25.26] ...

And / Or:
    C:\> NsLookup www.internetdomain.com
    ...
    Name:    www.internetdomain.com.internal.domain.com
    Address: 23.24.25.26


Cause

This issue can occur in either of these two scenarios.

EITHER

1. A Primary DNS Suffix which is a sub-domain of a public domain name.

    Windows IP Configuration

        Host Name . . . . . . . . . . . . : SomeHost
        Primary Dns Suffix  . . . . . . . : internal.domain.com


2. A Wildcard Record exists for *.domain.com on the public DNS server for domain.com and "Append parent suffixes of the primary DNS suffix" is ticked (TCP/IP settings, Advanced, DNS), or a Wildcard Record exists for *.internal.domain.com.

OR

1.  domain.com exists in the DNS Suffix Search List.

2.  A Wildcard Record exists for *.domain.com on the public DNS server for domain.com.

In either case each suffix is appended and queried before the multi-label name is submitted on its own.

Examples

In the following examples the detailed responses from NsLookup are available by enabling the Debugging option.
    C:\> NsLookup
    > set debug
    > www.internetdomain.com

Or

    > set d2
    > www.internetdomain.com

1. With no wildcard record

    C:\> NsLookup
    > www.internetdomain.com

    ACTION:  Appending Primary DNS Suffix
    HEADER:  NXDOMAIN (Does Not Exist)
    QUESTIONS:  www.internetdomain.com.internal.domain.com

    ACTION:  Appending Parent Suffix
    HEADER:  NXDOMAIN (Does Not Exist)
    QUESTIONS:  www.internetdomain.com.domain.com

    ACTION:  Without Suffix
    HEADER:  NOERROR
    QUESTIONS:  www.internetdomain.com
    ANSWERS:  IP Address(es) of www.internetdomain.com and any related records

2. With a wildcard for domain.com and Append Parent Suffixes selected

    C:\> NsLookup
    > www.internetdomain.com

    ACTION:  Appending Primary DNS Suffix
    HEADER:  NOERROR
    QUESTIONS:  www.internetdomain.com.internal.domain.com
    ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com.internal"


3. With a wildcard for internal.domain.com

    C:\> NsLookup
    > www.internetdomain.com

    ACTION:  Appending Primary DNS Suffix
    HEADER:  NOERROR
    QUESTIONS:  www.internetdomain.com.internal.domain.com
    ANSWERS:  IP Address(es) of *.internal.domain.com. Matching wildcard record to "www.internetdomain.com"


4. With a Wildcard for domain.com and a DNS Suffix Search List including domain.com

    C:\> NsLookup
    > www.internetdomain.com

    ACTION:  Appending Primary DNS Suffix
    HEADER:  NXDOMAIN
    QUESTIONS:  www.internetdomain.com.internal.domain.com

    ACTION:  Appending first DNS Suffix from Search List (otherdomain.com)
    HEADER:  NXDOMAIN
    QUESTIONS:  www.internetdomain.com.otherdomain.com

    ACTION:  Appending second DNS Suffix from Search List (domain.com)
    HEADER:  NOERROR
    QUESTIONS:  www.internetdomain.com.domain.com
    ANSWERS:  IP Address(es) of *.domain.com. Matching Wildcard record to "www.internetdomain.com"
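
The four traces above can be replayed offline with a small model. The Python below is an added example, not code from the article: it builds the query order the traces show, applies wildcard matching to each name, and flags a lookup that was answered by a suffixed name. The function names and the 203.0.113.10 record are assumptions made for illustration, and example 4's first NXDOMAIN is reproduced by assuming internal.domain.com exists as a name in the zone.

```python
def candidate_names(name, primary_suffix, append_parent=True, search_list=()):
    """Names queried, in order, for a multi-label name (model of the article's traces)."""
    if name.endswith("."):                  # trailing dot: fully qualified, nothing appended
        return [name[:-1]]
    suffixes = [primary_suffix]
    if search_list:                         # DNS Suffix Search List scenario (example 4)
        suffixes += [s for s in search_list if s not in suffixes]
    elif append_parent:                     # "Append parent suffixes" ticked (examples 1-3)
        labels = primary_suffix.split(".")
        suffixes += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    return [f"{name}.{s}" for s in suffixes] + [name]


def resolve(qname, records, wildcards):
    """Return (rcode, matching wildcard or None); wildcards holds the parents of '*' records."""
    if qname in records:
        return "NOERROR", None
    labels = qname.split(".")
    for i in range(1, len(labels)):         # walk from the closest parent towards the root
        parent = ".".join(labels[i:])
        if parent in wildcards:
            return "NOERROR", "*." + parent
        if parent in records:               # an existing closer name blocks wider wildcards
            break
    return "NXDOMAIN", None


def trace(name, primary_suffix, records, wildcards, **opts):
    """Replay the lookup, stopping at the first NOERROR as the article's traces do."""
    steps = []
    for qname in candidate_names(name, primary_suffix, **opts):
        rcode, wildcard = resolve(qname, records, wildcards)
        steps.append((qname, rcode, wildcard))
        if rcode == "NOERROR":
            break
    return steps


def misdirected(name, steps):
    """True when the answer came from a suffixed name, not the name that was asked for."""
    return steps[-1][1] == "NOERROR" and steps[-1][0] != name.rstrip(".")


# Constructed sample data (the record address is an assumption, not from the article).
RECORDS = {"www.internetdomain.com": "203.0.113.10"}
NAME, SUFFIX = "www.internetdomain.com", "internal.domain.com"

if __name__ == "__main__":
    for wc in (set(), {"domain.com"}, {"internal.domain.com"}):
        steps = trace(NAME, SUFFIX, RECORDS, wc)
        print(wc or "no wildcard", steps, "MISDIRECTED" if misdirected(NAME, steps) else "ok")
```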


NsLookup vs DNS Client

It is possible that this problem only occurs when using NsLookup. Ping uses the DNS Client, which may not necessarily append the DNS Suffix to a multi-label name. NsLookup queries the DNS Server directly; it does not use the DNS Client service.

The behaviour of the DNS Client can be controlled by setting a value for "AppendToMultiLabelName" in the registry. Depending on the Operating System this can be in one of two places.

Windows XP, Windows Vista and Windows 2008

    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient
    Name: AppendToMultiLabelName
    Data: 0 (Do not append suffix) or 1 (Append suffix)
    Default: 0


The default value may vary with Service Pack level for Windows XP.

Windows 2003

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNSCache\Parameters
    Name: AppendToMultiLabelName
    Data: 0 (Do not append suffix) or 1 (Append suffix)
    Default: 0


The default value may vary with Service Pack level for Windows 2003.

Resolution

If this is identified as being a problem one of the following steps can be taken:

1. Disable "Append parent suffixes of the primary DNS suffix"
2. Remove the domain name containing the wildcard from the DNS Suffix Search List
3. Disable "AppendToMultiLabelName" (will not affect NsLookup)
4. Remove the Wildcard Record