Weird NSLOOKUP results

  • Question

  • I have very weird replies when I do an NSLOOKUP. No matter which site I look up ("yahoo.com" or "msn.com", etc.) I get the same address in return. Is that normal? Also, the name returned always gets appended to be "msn.com.com.my" or "yahoo.com.com.my".

    This looks scary because it's appending suffixes for no reason...

    Thursday, June 10, 2010 9:46 AM

Answers

  • Is this a duplicate thread? Chris, I think you mentioned that in the other thread. In case Tonymoey can't find the other thread, I'll post my response from that thread here, too.

     

    ==========

    Hi tonymoey,

    Funny, this question came up the other day as well, but I'm not sure if it's the same one Chris mentioned. Here was my response on it, which pretty much reflects Chris' response on how nslookup behaves. I hope you find it helpful.

    Keep in mind, nslookup's resolver service has its own built-in resolver service and is totally *independent* of the operating system's client side resolver, (although it will use the machine's suffixes to devolve names), and will behave differently than if you were to say ping a host by single name. When using nslookup, you need to fully qualify the name you are querying with a trailing dot. If not, it will append the current context, that is the suffix on the machine.

    Here are some links explaining what I mean. The first one is a doc that explains more of this in greater detail. This doc actually was compiled from KB200525, the second link, which is also mentioned in the Microsoft Official Curriculum #688 Using TCP/IP Courseware.

    Using NSlookup (File Format: Microsoft Word) - Nslookup will always devolve the name from the current context. If you fail to fully qualify a name query (that is, use trailing dot), the query will be ...;
    http://mcse.villanova.edu/Courses/688/documents/Using%20NSlookup.doc

    Using NSlookup.exe
    http://support.microsoft.com/?id=200525

    Nslookup - Sep 28, 2007 ... This applies when the set and the lookup request contain at least one period, but do not end with a trailing period. Nslookup /set srchlist ...
    http://technet.microsoft.com/en-us/library/cc725991(WS.10).aspx

    As the last link suggests, you can use the Nslookup /set srchlist switch to set your own search list that changes the default search suffix nslookup uses. You can also specify it in interactive mode with the following, leaving it blank to remove any search suffixes it's pulling from the machine:

    nslookup
    > set srchlist

    So basically you will need to use the dot unless you remove the search suffix. You can also remove the suffix from the machine, and it will work without a trailing dot. But the search suffix is derived from the Primary DNS Suffix, which is set by the domain it's joined to. You can remove it in the registry and not touch the Primary DNS Suffix.

    Will it affect AD functionality? Yes if you remove the Primary DNS Suffix, which the default search list comes from and the machine uses in such cases as DirectSMB connectivity, among other things, and No, nslookup's requirement of using a dot doesn't affect or indicate any issues with AD, it's just an nslookup thing.

    It's just something to keep in mind when using nslookup.

    ========

    Ace


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Saturday, June 12, 2010 5:46 AM
  • tonymoey wrote:
    > I have very weird replies when i do a NSLOOKUP. No matter which site i
    > lookup ("yahoo.com" or "msn.com", etc) i get the same address in return.
    > Is that normal? ALSO, the name returned always get appended to be
    > "msn.com.com.my" or "yahoo.com.com.my".
    >
    > This looks scary because it's appending suffixes for no reason...
    >
     
    NsLookup always appends suffixes unless you terminate the name with a
    period.
     
    e.g.
     
    nslookup msn.com.
     
    And, if you have a wildcard-record for your domain, or one of the
    domains in the search list you will find that is appended and that you
    get an answer.
     
    For example, if you have this:
     
    *.domain.com. IN A 1.2.3.4
     
    And the system you use has domain.com as the Primary DNS Suffix, or in
    the DNS Suffix Search List you will find that NsLookup replies to
    everything with 1.2.3.4.
     
    e.g.
     
    nslookup www.google.com
    Reply: www.google.com.domain.com
     
    Except when terminated with a period as above.
     
    The DNS Client does not necessarily exhibit the same behaviour (can be
    tested with Ping). It can be controlled by setting
    AppendToMultiLabelName in the registry, or by changing this setting in
    Group Policy:
     
    Computer Configuration \ Administrative Templates \ Network \ DNS Client
    Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries
     
    For most systems, by default, it will not append the suffix to a
    multi-label name. Do note that this setting has no impact on NsLookup.
     
    HTH
     
    Chris
     
    Thursday, June 10, 2010 10:09 AM
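
The behaviour both answers describe, as an added example that is not part of the original thread: a simplified Python model of how an unqualified name picks up a search suffix and then matches a wildcard record, plus a probe that flags which suffixes answer for names that should not exist. The function names, the `192.0.2.x` addresses and the probe label are constructed for illustration, wildcard matching is simplified, and the candidate order (suffixes first, then the name as typed) is an assumption.

```python
# Simplified model of nslookup suffix appending against a wildcard record.
# Zone contents are constructed sample data, not real DNS answers.
ZONE = {
    "*.domain.com.": "1.2.3.4",       # wildcard record from the answer above
    "www.google.com.": "192.0.2.10",  # constructed address
    "msn.com.": "192.0.2.20",         # constructed address
}

def lookup(fqdn, zone=ZONE):
    """Return the A record for fqdn: exact match first, then a wildcard."""
    fqdn = fqdn.lower()
    if fqdn in zone:
        return zone[fqdn]
    labels = fqdn.rstrip(".").split(".")
    # Walk up the tree looking for "*.<parent>." (simplified wildcard rule).
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:]) + "."
        if wildcard in zone:
            return zone[wildcard]
    return None

def candidates(name, search_list):
    """Names queried for one request; a trailing dot disables suffix appending."""
    if name.endswith("."):
        return [name]
    appended = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    return appended + [name + "."]

def nslookup_model(name, search_list, zone=ZONE):
    """Return (name that answered, address) for the first candidate that resolves."""
    for fqdn in candidates(name, search_list):
        address = lookup(fqdn, zone)
        if address:
            return fqdn, address
    return None, None

def wildcard_suffixes(search_list, zone=ZONE, probe="zz-probe-7f3a9c"):
    """Suffixes under which a label that should not exist still resolves."""
    return [s for s in search_list if lookup(f"{probe}.{s.rstrip('.')}.", zone)]

if __name__ == "__main__":
    suffixes = ["domain.com"]
    for query in ("www.google.com", "msn.com", "www.google.com."):
        print(query, "->", nslookup_model(query, suffixes))
    print("wildcard under:", wildcard_suffixes(suffixes + ["example.net"]))
```

Against a live resolver the same probe idea applies: query a random, dot-terminated label under each suffix in the search list, and treat any answer as a sign that a wildcard (or a resolver rewriting NXDOMAIN) is behind the identical replies.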
