Solved

FQDN names resolved with duplicated DNS suffix

Posted on 2017-06-19
15
Medium Priority
111 Views
Last Modified: 2017-09-02
Hi All,

I have a quick question I hope you can help me to fix.

Environment: I have an environment where I have installed a new AD and the domain name is something like corp.example.com

As a NETBIOS name during the AD install wizard I did choose "example" to make things easier and consistent with the public DNS name. The public DNS registered is example.com and there is a public website running with example.com already hosted by WordPress and the DNS registrar is GoDaddy.

Issue: Internal host names are not resolved properly with NSLOOKUP

1. Hostnames are working fine

2. IP Addresses are working fine

3. FQDN are NOT working fine. They are resolved with internal domain appended to external domain name.

eg. "VM1.CORP.EXAMPLE.COM" returns VM1.CORP.EXAMPLE.COM.EXAMPLE.COM and public IP Address registered with the website DNS Provider

4. FQDN with a trailing "." are working fine

eg. "VM1.CORP.EXAMPLE.COM." returns the correct IP Address as expected

Configuration: AD/DNS server is pointing at itself. NO forwarders configured. AD is pointing at an internal Gateway. This gateway is configured to talk with the internet using a different network through a separate Router connected to the internet.

My question: It's obviously not a question of routing but I don't understand why DNS forwards queries for FQDN names to external DNS servers considering that "A" and respective "PTR" records are fully registered and working on the builtin DNS? Of course this is affecting ANY operation you can think of, from joining machines to the domain to leveraging network services through FQDN names! What am I missing here?

Any help is greatly appreciated!

Thanks,
0
Comment
Question by:Mike Doma
15 Comments
 
LVL 3

Expert Comment

by:Shawn Stewart
ID: 42183781
If you're entering vm1 in your internal DNS the hostname should just be "vm1" under the reverse lookup directory for "corp.example.com"

Anything you put in the a record shows up before "corp.example.com" so if you put "vm1.corp.example.com" it will be "vm1.corp.example.com.example.com"
0
 

Author Comment

by:Mike Doma
ID: 42183794
Hi Shawn,
thanks for coming back to me.

Issue is "application services" use FQDN names and they are not resolved properly as duplicated suffix is returned.
So for example if I run NSLookup on vm1.corp.example.com the result is vm1.corp.example.com.example.com.
This of course is not working for application when connecting to other hosts..
Also only when adding a trailing dot to the FQDN is the resolution correct AND I do NOT get NON-Authoritative answers!

I cannot run other tests at the moment but is there a way to make sure FQDNs are resolved as expected?

Thanks
0
 

Author Comment

by:Mike Doma
ID: 42183828
to clarify the following happens:

1. Ping to hostname is ok

2. Ping to IP Address is ok

3. Ping to FQDN returns duplicated DNS suffix as in hostname.corp.example.com.example.com

4. lookup to FQDN returns duplicated DNS suffix as in hostname.corp.example.com.example.com

5. lookup to FQDN with trailing "dot" returns answers as expected

Name registrar is with GoDaddy

DNS Hosting is with WordPress

Any clue on how I can solve this? Thanks a lot for your help and attention

Thanks,
0

 
LVL 20

Expert Comment

by:David Favor
ID: 42184055
If you still require assistance, past the above answers...

1) include your entire zone file

2) include your actual domain name

Then likely many people can rapidly assist you with fixes.
0
 
LVL 27

Accepted Solution

by:
DrDave242 earned 2000 total points (awarded by participants)
ID: 42184301
3. FQDN are NOT working fine. They are resolved with internal domain appended to external domain name.

eg. "VM1.CORP.EXAMPLE.COM" returns VM1.CORP.EXAMPLE.COM.EXAMPLE.COM and public IP Address registered with the website DNS Provider

4. FQDN with a trailing "." are working fine

eg. "VM1.CORP.EXAMPLE.COM." returns the correct IP Address as expected

This is normal behavior for nslookup. If you add the trailing dot, you're telling it not to append any DNS suffixes, just attempt to resolve the name as supplied. Otherwise, it will append whatever DNS suffixes are in that machine's suffix search list. It may also devolve those suffixes, depending on the policies present in your environment.

If nslookup is responding with a public IP address to these queries with appended suffixes, it most likely indicates the presence of a wildcard record somewhere. If you query for blahblahblahblahblah.example.com or some other nonsense name in example.com, does it return the same address? If so, there's definitely a wildcard record present.
1
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 2000 total points (awarded by participants)
ID: 42184304
My question: It's obviously not a question of routing but I dont understand why DNS forwards queries for FQDN names to external DNS servers considering that "A" and respective "PTR" records are fully registered and working on the builtin DNS?

Just realized I didn't actually answer this question. Your internal servers are authoritative for the corp.example.com domain, but the queries being forwarded are queries for names in the example.com domain as a result of the example.com suffix being appended. That's why they're being forwarded and queries with the trailing dot aren't.
1
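Added example (not part of the thread or of any Microsoft code): a small Python model of the suffix search, devolution and wildcard matching DrDave242 describes, run against two constructed zones. The addresses 10.0.0.5 and 203.0.113.10 are made up, and the order in which suffixes are appended before the bare name is tried is assumed from the symptoms reported in the question.

```python
import secrets

# Constructed zones modelling the thread's environment (not real data).
# The AD/DNS server is authoritative for corp.example.com; example.com is hosted publicly.
ZONES = {
    "corp.example.com": ({"vm1": "10.0.0.5", "dc1": "10.0.0.1"}, "internal"),
    "example.com": ({"www": "203.0.113.10", "*": "203.0.113.10"}, "public"),  # '*' = wildcard record
}

def devolve(primary_suffix, min_labels=2):
    """Windows-style suffix devolution: corp.example.com -> [corp.example.com, example.com]."""
    labels = primary_suffix.lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]

def candidates(name, suffixes):
    """Names a suffix-appending client tries, in order (assumed order: suffixes first, bare name last)."""
    if name.endswith("."):                     # trailing dot: query exactly as supplied, append nothing
        return [name.rstrip(".").lower()]
    name = name.lower()
    return [f"{name}.{s}" for s in suffixes] + [name]

def lookup(qname):
    """Return (ip, zone, source) or None. Longest-matching zone answers; a wildcard matches any missing owner."""
    for zone in sorted(ZONES, key=len, reverse=True):
        if qname == zone or qname.endswith("." + zone):
            records, source = ZONES[zone]
            owner = qname[: -len(zone) - 1] if qname != zone else "@"
            if owner in records:
                return records[owner], zone, source
            if "*" in records:
                return records["*"], zone, source + " (wildcard)"
            return None                        # authoritative NXDOMAIN: never falls through to a parent zone
    return None

def resolve(name, primary_suffix="corp.example.com"):
    """First candidate that gets an answer, mirroring the nslookup and ping runs in the question."""
    for qname in candidates(name, devolve(primary_suffix)):
        hit = lookup(qname)
        if hit:
            return qname, hit
    return name, None

def has_wildcard(zone):
    """DrDave242's check: a random nonsense label under the zone should NOT resolve."""
    return lookup(f"{secrets.token_hex(8)}.{zone}") is not None
```

With the wildcard present, resolve("VM1.CORP.EXAMPLE.COM") lands on vm1.corp.example.com.example.com with the public address, while the trailing-dot form and the bare hostname both hit the internal zone; has_wildcard("example.com") is True and has_wildcard("corp.example.com") is False.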
 

Author Comment

by:Mike Doma
ID: 42184308
Great stuff DrDave242! and thanks to David Favor as well.

You are right. If I check WordPress domain configuration there is a CNAME *.example.com and cannot be removed. I need to check this with WordPress support. So knowing this is there a sensible workaround? Am I missing anything?
0
 

Author Comment

by:Mike Doma
ID: 42184347
Hi David,

here is the info requested. I have removed all hosts and left a couple as an example plus the results of nslookup and ping as stated earlier

Thanks
DNS-01.PNG
DNS-02.PNG
DNS-03.PNG
export.xlsx
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 42184362
Are you sure that FQDNs are having suffixes appended (outside of nslookup, which will always do that)? As far as I know, the Windows resolver will only append suffixes to single-label names, and this seems to be backed up by DNS-02.PNG. I just did some testing in my own environment, and any DNS name with more than one label didn't get anything appended to it. There could be a policy that controls this behavior, though; I'll see if I can find more info on that.
0
 

Author Comment

by:Mike Doma
ID: 42184379
Yes parent DNS suffix is appended. It's the default property in the advanced TCP connection DNS tab
0
 
LVL 27

Assisted Solution

by:DrDave242
DrDave242 earned 2000 total points (awarded by participants)
ID: 42184408
Ah, I found something. There is in fact a Group Policy setting that affects this behavior, and it's here:

Computer Configuration/Policies/Administrative Settings/Network/DNS Client

The setting is called Allow DNS suffix appending to unqualified multi-label name queries, and if it's enabled, it will result in the Windows resolver appending suffixes to names that have more than one label, but only if a query for the original name fails. (This is stated in the description of the setting, which is a bit too long to post here.)

Please run ping foo.bar at a command prompt and let me know the result. I'm curious to see if example.com gets appended to the name.
0
 

Author Comment

by:Mike Doma
ID: 42184644
Hi DrDave,
sorry just seen this one now..
here is the screenshot
DNS-04.PNG
0
 

Author Comment

by:Mike Doma
ID: 42184651
BTW just checked and the policy is not configured as per screenshot
DNS-05.PNG
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 42184759
OK, it appears to be working as expected with that policy not configured. Notice in DNS-04.PNG that there was no suffix appended to any of those two-label names.
0
 
LVL 27

Expert Comment

by:DrDave242
ID: 42279455
No further response from asker.
0
