DNS Suffixes on Windows
I was asked if I could provide more details on the following sentence from my diary entry "nslookup's Debug Options":
(notice that in my nslookup query, I terminated the FQDN with a dot: "example.com.", I do that to prevent Windows from adding suffixes)
A DNS suffix is a setting of the Windows DNS client (configured locally, via DHCP, ...) that makes it append the suffix to names when doing DNS lookups.
For example, if a DNS suffix "local" is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com.local.
As an example, let me configure mylocalnetwork as a suffix on a Windows machine:
With DNS suffix mylocalnetwork configured, nslookup will use this suffix. For example, when I perform a lookup for "example.com", nslookup will also do a lookup for "example.com.mylocalnetwork".
I can show this with nslookup's debug option d2:
You can see in these screenshots DNS type A and AAAA resolutions for example.com.mylocalnetwork and example.com.
One of the ideas behind DNS suffixes is to reduce typing. If you have a NAS, for example, named mynas, you can just access it with https://mynas/login. No need to type the fully qualified domain name (FQDN) https://mynas.mylocalnetwork/login.
Notice that the suffix also applies for AAAA queries, while in the screenshots above I only configured it for IPv4. That's because the DNS suffix setting applies both to IPv4 and IPv6:
Before I show the results with "example.com." (notice the dot character at the end), let me show how I can summarize the lookups by grepping for "example" (findstr):
If I terminate my DNS query with a dot character (.), suffixes will not be appended:
Notice that there are no resolutions for mylocalnetwork in this last example. That's because the trailing dot instructs Windows' DNS client to start resolving from the DNS root zone.
A domain name consists of domain labels separated by dots:
If you are adding a trailing dot, you are actually adding an empty domain label:
The empty label represents the DNS root zone, and no suffixes are appended to the DNS root zone, as it is the top-level (root) DNS zone.
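To make the behaviour described above concrete, here is a small Python model of how the Windows DNS client expands a typed name with its suffix search list. This is an added example, not code from the diary or from Microsoft; it is a simplified model (query the name as typed, then one extra query per configured suffix, and no suffix queries at all when the name carries a trailing dot), and the suffix list and names in it are constructed for illustration. The real client's ordering for single-label names depends on additional settings that this model ignores.

```python
"""Simplified model of Windows DNS client suffix handling (added example, constructed data)."""
from typing import List, Tuple


def labels(name: str) -> List[str]:
    """Split a domain name into its dot-separated labels.

    A trailing dot produces a final empty label; that empty label is the DNS
    root zone, which is why 'example.com.' is a fully qualified name.
    """
    return name.split(".")


def is_fully_qualified(name: str) -> bool:
    """True when the last label is empty, i.e. the name ends with a dot."""
    return labels(name)[-1] == ""


def candidate_names(name: str, suffixes: List[str]) -> List[str]:
    """Return the names the client would look up for a typed name.

    Simplified model (assumption): the name as typed comes first, followed by
    the name with each configured suffix appended.  A name anchored at the root
    (trailing dot) is queried exactly once and no suffix is ever appended.
    Names are returned without the trailing dot, matching how nslookup's
    debug output prints them.
    """
    if is_fully_qualified(name):
        return [name.rstrip(".")]
    out = [name]
    for suffix in suffixes:
        suffix = suffix.strip(".")  # tolerate '.mylocalnetwork' or 'mylocalnetwork.'
        if suffix:
            out.append(f"{name}.{suffix}")
    return out


def queries(name: str, suffixes: List[str],
            types: Tuple[str, ...] = ("A", "AAAA")) -> List[Tuple[str, str]]:
    """Expand candidate names into (name, record type) pairs.

    The suffix list applies to both IPv4 and IPv6, so each candidate name is
    queried for A and AAAA by default, which is what the d2 debug output shows.
    """
    return [(n, t) for n in candidate_names(name, suffixes) for t in types]


if __name__ == "__main__":
    # Constructed suffix search list, as if set in the adapter's DNS settings.
    search_list = ["mylocalnetwork"]
    for typed in ("example.com", "example.com.", "mynas"):
        print(f"{typed!r} -> labels {labels(typed)}")
        for qname, qtype in queries(typed, search_list):
            print(f"    {qname}, type = {qtype}")
```

Running the script shows that "example.com" produces four queries (A and AAAA for both example.com and example.com.mylocalnetwork), while "example.com." produces only the two queries for example.com, which is the difference the findstr-filtered debug output above illustrates.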
A small tip: if you want to restrict nslookup's queries to A records, for example, there is an option for that.
If you use nslookup's help option /?, you will see that you can provide options, but the actual options are not listed:
To see the available options, start nslookup, and then type "?" at its prompt, like this:
Now you can see that option "type" allows you to specify which type of records to query. Here is an example for A records:
Didier Stevens
Senior handler
blog.DidierStevens.com