Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

nslookup query return strange result

Posted on 2014-11-11
Last Modified: 2014-11-21
Hi all,
I have 2 internal DNS servers (DNS1 and DNS2) as per below settings:
DNS1 (Windows server) > Forwarders point to External DNS NS1 (Linux server)
DNS2 (Windows server) > No forwarders being set
No DNS suffix search list being configured in both internal DNS servers

Problem: When I run the nslookup query from DNS1 and set type to SOA, it returns result from external DNS instead of internal DNS. No issue with DNS2 for the same query.

> set type=soa
> DNS1
Server:  DNS1.abc.com
Address:  x.x.x.x

        primary name server = DNS1.dr001.abcx.com
        responsible mail addr = hostmaster.dr001.abcx.com
        serial  = 6816
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
DNS1.dr001.abcx.com        internet address = x.x.x.x
> ods-prd-print.abc.com
Server:  DNS1.abc.com
Address:  x.x.x.x

        primary name server = ns1.voodoo.com
        responsible mail addr = hostmaster.voodoo.com
        serial  = 2014080111
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

I saw one related article from EE saying that it might due to a wildcard host record in the public  zone, and that record contains the IP address of the web server.

Where to find the wildcard host record?? Need to check from NS1 server?
I cannot find it from internal DNS servers and have no visibility to NS1 server.
Question by:SuzenJ
  • 4
  • 3
LVL 28

Expert Comment

by:Jan Springer
ID: 40438284
You're forwarding DNS1 queries.  Of course it's going to return a result from the external server.
LVL 70

Expert Comment

by:Chris Dent
ID: 40438379
The DNS suffix applies to client-side operations (not the DNS server itself). You must have a DNS suffix set for "DNS1" to become DNS1.abc.com.

Either way, there doesn't look to be anything particularly wrong with the response you're getting. What do you expect to see differently?


Author Comment

ID: 40441834
Hi Jesper/Chris,

SOA records are same for both servers. I  run the query in DNS2 server and below is the expected result :
Server:  DNS2.abc.com
Address:  x.x.x.x

        primary name server = DNS3.dradm001.corp.abc.com
        responsible mail addr = (root)
        serial  = 158701
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 172800 (2 days)
        default TTL = 900 (15 mins)

DNS3.dradm001.corp.abc.com internet address = x.x.x.x

Both servers have same Host A record created for ods-prd-print.abc.com. It shouldn't resolved by external DNS.

I tried to run the nslookup query again and below is the results (DNS2 returns correct result):

Default Server:  DNS2.abc.com
Address:  x.x.x.x

> ods-prd-print.abc.com
Server:  DNS2.abc.com
Address:  x.x.x.x

Name:    ods-prd-print.abc.com
Addresses:  57.x.x.x, 57.x.x.x, 57.x.x.x

> server DNS1
Default Server:  DNS1.dr001.drcx.com
Address:  57.x.x.x

> ods-prd-print.abc.com
Server:  DNS1.dr001.abcx.com
Address:  57.x.x.x

Non-authoritative answer:
Name:    ods-prd-print.abc.com.abcx.com
Address:  192.x.x.x
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

LVL 70

Expert Comment

by:Chris Dent
ID: 40442132
> Non-authoritative answer:
> Name:    ods-prd-print.abc.com.abcx.com
> Address:  192.x.x.x

This one is the wildcard (*.abcx.com).

But it's perhaps important to realise that while nslookup appends the abcx.com DNS suffix (which must come from your search list), the DNS client won't necessarily do so.

If you stick a period on the end of the name you're querying the problem will go away:

> ods-prd-print.abc.com.

The difference in response can be explained by the fact that one DNS server forwards to outside and the other doesn't.


Author Comment

ID: 40449002
Hi Chris,
Just want to confirm, even though DNS1 already has the Host (A) record for ods-prd-print.abc.com created in the server, it will still forward the query to external DNS NS1?
LVL 70

Accepted Solution

Chris Dent earned 500 total points
ID: 40449203
No, but given that DNS suffixes are appended before the name is submitted without, if you get an answer to something else first nslookup will stop there.

If I do this we can see it in action:
set type=a
set srchlist=domain1.com/domain2.com
set d2

Open in new window

You will (or should) see nslookup send the following questions (success or failure for individual queries may vary):
        test.com.domain1.com, type = A, class = IN

        test.com.domain2.com, type = A, class = IN

        test.com, type = A, class = IN

Open in new window

Obviously this behaviour is undesirable in your case. However, the DNS Client (rather than nslookup the troubleshooting tool) will only really append suffixes if the name is not multi-label. Equivalent to running:
nslookup -q=a test.com.

Open in new window

Where the period on the end null terminates the name, telling the DNS client that that's all there is to the name.

Therefore this will always return the expected response:
nslookup -q=a ods-prd-print.abc.com.

Open in new window

Generally speaking, the slightly unhelpful behaviour of nslookup can be disregarded. It only actually becomes a problem when the DNS client itself is willing to append suffixes to multi-label names as well (because that's the resolver your Windows box will be using).

It's a bit of a historic Windows XP problem in practical terms because early on that used to append by default, nothing more recent does.

You see the same problem when looking up the SOA record. Unless you're very careful with your queries you end up sending the wrong question and can easily get the wrong answer.

LVL 70

Expert Comment

by:Chris Dent
ID: 40449207
Sorry one more note:

> even though DNS1 already has the Host (A) record for ods-prd-print.abc.com created in the server, it
> will still forward the query to external DNS NS1?

It's important to realise that your DNS server is not doing this. The DNS server is simply responding to the requests made by a client (in this case requests created by nslookup).

The server doesn't append suffixes and doesn't fabricate labels so if you see an odd problem like the one you're experiencing here it's something of the clients creation.


Author Closing Comment

ID: 40459066
Thanks a lots Chris!!

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Powershell knowledge 2 53
local DNS vendor. 4 67
Wild Card CName in Windows Active Directory integrated zone - Good Idea? 4 36
Forest and doamin tree 3 26
This article explains how a domain name may be inadvertently appended to all DNS queries. This exhibits as described below. (CODE)And / Or: (CODE) Cause This issue can occur in either of these two scenarios. EITHER 1. A Primary DNS S…
Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question