juliec
asked on
Nslookup returns incorrect non-authoritative server, constantly appended results
An nslookup on my domain servers returns a wrong non-authoritative zone. An nslookup from corp.ourdomain.com for www.google.com returns an incorrect non-authoritative DNS server. The result goes:
Microsoft Windows [Version 10.0.18363.657]
(c) 2019 Microsoft Corporation. All rights reserved.
H:\>nslookup
Default Server: server1.corp.ourdomain.com
Address: 10.1.10.233
> www.google.com
Server: server1.corp.ourdomain.com
Address: 10.1.10.233
Non-authoritative answer:
Name: www.google.com.ourdomain.com
Address: 209.15.13.134
Any nslookup result always has "ourdomain.com" appended to it.
Any ideas on how to correct the matter would be appreciated.
ASKER
I shall try this, footech. Thank you so much.
You have a search domain defined as part of the DHCP option and, as footech pointed out, a non-terminated hostname will have the search domain appended.
ASKER
I shall look into these tomorrow. Thank you so much. The issue has been driving me nuts.
Are you impacted by this in any applications other than nslookup?
The other option, after you run nslookup
Set nosearch or just nosearch
Might be an option that directs nslookup to take the input as a whole (terminated).
ASKER
Yes. Exchange autodiscover is not working. A Microsoft person was working on this and this was his conclusion, that this DNS issue is creating issues for Autodiscover.
Double check the settings in your domain's zone and references. Do you have SMTP, IMAP, POP hosts?
Do you have an autodiscover.ourdomain.com?
The search domain would not impact your application's ability to locate the record, as the requests within programs are properly terminated.
Something else is likely impacting it.
This is an on-site or off-site setup? Do you have an AD that is the same as your public domain, i.e. the AD is ourdomain and you are using a hosted Exchange solution?
In such a case, you have to maintain two zones with the same information: one on your AD DNS and one on your public domain.
ASKER
Thank you folks. It is an on-site setup. I am double checking my zone entries. Yes, autodiscover.ourdomain.com. What baffles us is that any lookup will always be appended. A lookup on autodiscover.ourdomain.com will yield autodiscover.ourdomain.com.ourdomain.com with a non-authoritative answer and a public IP.
The nslookup query means the default has a search domain and thus it appends to unterminated queries.
nslookup autodiscover will return the data you are after, which is the same as nslookup autodiscover.ourdomain.com.
What is the error you get when trying to add an account? It might be that the certificate does not include autodiscover and that leads to issues, though your question deals with nslookup and the appending of the search domain/domain suffix to each query.
You've not included in the question what the issue is that you are trying to address/resolve.
ASKER
You mentioned what started this all, a certificate error. Not knowing much about DNS, I called Microsoft support to troubleshoot the matter. After hours of troubleshooting, I was told to resolve the "domain.com.domain.com" for him to complete the work and that no work can be done further until this matter is resolved. I am almost sure that the certificate does not include autodiscover.
The certificate is self-signed, or public; the certificate should commonly include several names in the section Subject Alternate Names (SAN).
If you use a public CA-issued certificate, autodiscover was possibly omitted. Check the public cert as to whether a certificate can be reissued with a new key, which would allow you to generate a new CSR with all the required SAN names for the certificate.
Are you using a Letsencrypt.org certificate, which once set up is cost free?
ASKER
We use RapidSSL. I shall check the current SAN.
ASKER
Our certificate SAN has only one entry, mail.ourdomain.com
Usually, if you are using it in Exchange and you use one certificate across your connectors:
mail for SMTP
IMAP service ? 143/993
autosync connector ?
pop3 retrieval?
etc.
or you use individual connector for each component and thus need a certificate for each?
ASKER
This is most helpful. Thank you arnold
If you query for "www.google.com." (notice the trailing dot) then it won't append any suffix. The only way to change which suffixes are appended is to change your NIC settings, or Group Policy settings if you define DNS suffixes there.
The only reason I can think why you would get a result though for a query of "www.google.com.ourdomain.com" is that you have a wildcard DNS record.
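One way to check both points from this answer in PowerShell, as an added example that is not part of the original thread: it lists the DNS suffixes the client is configured to append, then probes the zone for a wildcard record by resolving a random, never-created label written with a trailing dot. `ourdomain.com` is the thread's placeholder zone, and `Test-WildcardRecord` is a hypothetical helper name.

```powershell
# Added example. 'ourdomain.com' is the thread's placeholder zone name.
$Zone = 'ourdomain.com'

# 1. Suffixes this client appends to names typed without a trailing dot.
#    The global list comes from NIC or Group Policy settings; the
#    per-adapter suffix is typically the one handed out by DHCP.
$searchList = (Get-DnsClientGlobalSetting).SuffixSearchList
"Global suffix search list: $($searchList -join ', ')"
Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix } |
    Format-Table InterfaceAlias, ConnectionSpecificSuffix -AutoSize

# 2. Wildcard probe (hypothetical helper). A label nobody ever created
#    should not resolve. The trailing dot marks the name as fully
#    qualified, so no suffix is appended to the probe itself.
function Test-WildcardRecord {
    param([Parameter(Mandatory)][string]$Zone)

    $label = 'wc-probe-' + [guid]::NewGuid().ToString('N').Substring(0, 12)
    $fqdn  = "$label.$($Zone.TrimEnd('.'))."
    try {
        # Keep only records from the answer section; an empty answer
        # with an SOA in the authority section is not a wildcard hit.
        $answers = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Section -eq 'Answer' })
        $addresses = $answers |
            Where-Object { $_.IPAddress } |
            ForEach-Object { $_.IPAddress }
        [pscustomobject]@{
            Probe    = $fqdn
            Wildcard = $answers.Count -gt 0
            Detail   = $addresses -join ', '
        }
    }
    catch {
        # Name error or lookup failure: no wildcard answer came back.
        [pscustomobject]@{
            Probe    = $fqdn
            Wildcard = $false
            Detail   = $_.Exception.Message
        }
    }
}

Test-WildcardRecord -Zone $Zone | Format-List
```

If `Wildcard` is True, any name that ends up with the suffix appended will get an answer from the zone, which matches the `www.google.com.ourdomain.com` result in the nslookup output above.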