DNS Queries all have my internal domain name applied to queries - e.g. - google.com.mydomain.com

  • Question

  • Hello there,

    I have two internal DNS/AD servers on my LAN. One is Server 2003 (called Server1) and one is Server 2008 (called Server3).

    Let's say our internal domain name is: nc1.example.com. The "nc1" part is to denote the state of NC and the first location (1) - which is our only physical at this time.

    We have a website registered as example.com that is being hosted elsewhere.

    I have noticed a banking application on clients that refuses to work properly. I tracked down some more info. I have noticed that ANY DNS query on Server1 (Server 2003) using NSLookup results in:

    > google.com
    Server: server1.nc1.example.com
    Address: 192.168.114.10
    Non-authoritative answer:
    Name:  google.com.example.com
    Address: 216.119.148.XXX
    >
    Any DNS query on Server3 (Server 2008) results in the same:
    > google.com
    Server: server3.nc1.example.com
    Address: 192.168.114.9
    
    Non-authoritative answer:
    Name:  google.com.example.com
    Address: 216.119.148.XXX
    >

    I do realize that if I use google.com. (with trailing period) that it resolves properly. HOWEVER, I have basically the same setup at my home-office and it does not do this. At my office, both servers return:

    > google.com
    Server: [192.168.1.3]
    Address: 192.168.1.3
    
    Non-authoritative answer:
    Name:  google.com
    Addresses: 74.125.65.106
         74.125.65.147
         74.125.65.99
         74.125.65.103
         74.125.65.104
         74.125.65.105

    On one of the client PCs that is joined to the AD domain at work, the DNS Search Suffix is:

    Windows IP Configuration
    
        Host Name . . . . . . . . . . . . : clientPC1
        Primary Dns Suffix . . . . . . . : nc1.example.com
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : nc1.example.com
                                nc1.example.com
                                nc1.example.com
                                example.com

    I think the problem lies in the last search list of "example.com". I noticed that when I unchecked Append Parent Suffixes of the Primary DNS suffix on the client PC "example.com" was removed from the list and I was able to (SO FAR) get the banking software to work. However, all DNS queries on the client PC were still appended with .example.com.

    I have compared my DNS server settings at my home-office to the DNS server settings at work and from what I can tell they are the same.

    Is there any way I can fix this to avoid any future problems such as this?

     

    Thanks!

    Tuesday, April 12, 2011 5:01 PM

Answers

  • Hi TC10284,

     

    Thanks for posting here.

     

    Not sure if it is necessary to set the DNS suffix search list in this scenario, but please take a look at the article below:

     

    Configuring Query Settings

    http://technet.microsoft.com/en-us/library/cc959339.aspx

     

    Thanks

     

    Tiger Li

     


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, April 13, 2011 8:53 AM
  • You found one way, to uncheck that setting to stop it appending, or when using nslookup, just put a period at the end of the query, and it won't append it. During normal use, such as in a URL, it won't append it anyway. As for the banking app, is that web based, or an installed application? You narrowed it down to a DNS lookup causing the app to not work? How did you determine that? Did you use packet captures, such as using WireShark?

    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    The banking app is web-based and uses a Microsoft SSL app which I can't recall the name of. I think it is called Microsoft UAG. Basically I messed with some DNS settings, finally got to Append Parent Suffixes of the Primary DNS suffix on the local client PC. I am being told this morning that the banking app is now working properly.

    Though I am still left with why my DNS servers are doing this.
    How can I be sure that a GPO is not causing this?


    Also of note, when I used NSLookup on the client, they are using DNS on the local servers. HOWEVER, even if I change the server to 4.2.2.1, the domain suffix is still applied there too.

    Wednesday, April 13, 2011 2:25 PM
  • If the machine is joined to an AD domain called nc1.example.com, it will automatically take that on as the Primary DNS Suffix. It will also set it as the default Search Suffix, and then it will devolve the parent level and set that as the next Search Suffix. What you are seeing is default behavior.

    The client side resolver will append the search suffix on the NIC property settings. You are seeing it in action with nslookup. Have you tried a ping? Try pinging by single name and by FQDN and paste your results, please.

    But this shouldn't be a problem with using something like a browser. I'm kind of surprised to hear it affected an application. I'm glad to hear unchecking the box to append the suffix is working for you!

     

     


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Thursday, April 14, 2011 4:51 AM
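
Added example, not part of the original thread or of any poster's reply: a small Python model of the behaviour described above, where the primary DNS suffix and its devolved parent are appended to a query that has no trailing dot. The zone data is constructed, and the wildcard record in the parent example.com zone is an assumption that would explain why google.com.example.com returns an answer; the thread does not confirm it.

```python
# Added example: a model of search-suffix appending. Zone data is constructed.

def search_list(primary_suffix, devolve=True, min_labels=2):
    """Primary DNS suffix, then its parent suffixes (devolution), stopping
    at min_labels labels: nc1.example.com -> nc1.example.com, example.com."""
    labels = primary_suffix.strip(".").split(".")
    out = [".".join(labels)]
    if devolve:
        out += [".".join(labels[i:]) for i in range(1, len(labels) - min_labels + 1)]
    return out

def candidates(name, suffixes):
    """Names tried for one query. A trailing dot marks the name as fully
    qualified, so nothing is appended; otherwise each suffix is tried in
    order and the name as typed comes last (matches the transcripts)."""
    if name.endswith("."):
        return [name[:-1]]
    return [f"{name}.{s}" for s in suffixes] + [name]

def lookup(fqdn, zones):
    """Answer from the most specific zone holding fqdn. '*' is a wildcard
    owner (simplified: it matches any name without an exact record)."""
    zone = max((z for z in zones if fqdn == z or fqdn.endswith("." + z)),
               key=len, default=None)
    if zone is None:
        return None
    return zones[zone].get(fqdn) or zones[zone].get("*")

def first_answer(name, suffixes, zones):
    """Return (name that was actually answered, address) or (None, None)."""
    for cand in candidates(name, suffixes):
        addr = lookup(cand, zones)
        if addr:
            return cand, addr
    return None, None

# Constructed zones. ASSUMPTION: the externally hosted example.com zone has a
# wildcard record; the thread does not confirm this.
ZONES = {
    "nc1.example.com": {"server1.nc1.example.com": "192.168.114.10"},
    "example.com": {"*": "203.0.113.10"},
    "google.com": {"google.com": "198.51.100.7"},
}

if __name__ == "__main__":
    sl = search_list("nc1.example.com")
    for q in ("google.com", "google.com.", "server1"):
        print(q, "->", first_answer(q, sl, ZONES))
```

In this model the query for google.com is answered as google.com.example.com by the parent zone before the name as typed is ever tried, while google.com. with the trailing dot skips the search list.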

All replies

  • You found one way, to uncheck that setting to stop it appending, or when using nslookup, just put a period at the end of the query, and it won't append it.

    During normal use, such as in a URL, it won't append it anyway. As for the banking app, is that web based, or an installed application? You narrowed it down to a DNS lookup causing the app to not work? How did you determine that? Did you use packet captures, such as using WireShark?

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, April 13, 2011 3:48 AM
  •  

    C:\Users\tpadmin>gpresult /R

    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
    Copyright (C) Microsoft Corp. 1981-2001

    Created On 4/13/2011 at 10:39:56 AM

    RSOP data for EXAMPLE\TPAdmin on SERVER3 : Logging Mode
    ----------------------------------------------------------------

    OS Configuration:            Additional/Backup Domain Controller
    OS Version:                  6.0.6002
    Site Name:                   Default-First-Site-Name
    Roaming Profile:             N/A
    Local Profile:               C:\Users\tpadmin
    Connected over a slow link?: No

    COMPUTER SETTINGS
    ------------------
        CN=SERVER3,OU=Domain Controllers,DC=nc1,DC=example,DC=com
        Last time Group Policy was applied: 4/13/2011 at 10:35:23 AM
        Group Policy was applied from:      Server3.nc1.example.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        EXAMPLE
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Controllers Policy
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The computer is a part of the following security groups
        -------------------------------------------------------
            BUILTIN\Administrators
            Everyone
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            Windows Authorization Access Group
            NT AUTHORITY\NETWORK
            NT AUTHORITY\Authenticated Users
            This Organization
            SERVER3$
            Domain Controllers
            NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
            RAS and IAS Servers
            System Mandatory Level

    USER SETTINGS
    --------------
        CN=TPAdmin,CN=Users,DC=nc1,DC=example,DC=com
        Last time Group Policy was applied: 4/13/2011 at 9:50:02 AM
        Group Policy was applied from:      Server3.nc1.example.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        EXAMPLE
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            Default Domain Policy

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Local Group Policy
                Filtering:  Not Applied (Empty)

        The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Administrators
            Remote Desktop Users
            BUILTIN\Users
            BUILTIN\Pre-Windows 2000 Compatible Access
            NT AUTHORITY\INTERACTIVE
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            Group Policy Creator Owners
            Domain Admins
            Enterprise Admins
            Schema Admins
            High Mandatory Level

    Wednesday, April 13, 2011 2:42 PM
  • TC,

    It's NOT the DNS servers doing this. This is a client-side resolver function based on the client side resolver algorithm, hence the need to address it client side, not DNS server side.

    And thanks for posting the gpresult output. It appears your machines are receiving their GPOs. Was there a specific GPO you were concerned with?

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Wednesday, April 13, 2011 2:55 PM
  • TC,

    It's NOT the DNS servers doing this. This is a client-side resolver function based on the client side resolver algorithm, hence the need to address it client side, not DNS server side.

    And thanks for posting the gpresult output. It appears your machines are receiving their GPOs. Was there a specific GPO you were concerned with?

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

     

     

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    None in particular. Just whatever is causing the domain name suffix to be appended. Why does every system in the domain do this if there is no GPO applied doing it?
    Wednesday, April 13, 2011 4:22 PM