Active_Directory [SOLVED]: FQDNs resolving correctly via ping but not nslookup


Question (Anonymous, #35913)

    The following AD DS domain was freshly setup:

    • DNS domain name, FLZ, and only DNS suffix: internal.example.co.uk
    • DC OSes: Windows Server 2016 Standard
    • DC #1 DNS servers: 172.16.233.2, 127.0.0.1
    • DC #2 DNS servers: 172.16.233.1, 127.0.0.1
    • DNS forwarders: 8.8.8.8, 208.67.222.222

    By all accounts, the domain and DNS is working correctly.

    However, nslookup behaves very strangely:

    • nslookup <any FQDN> <any DC server> works incorrectly, appending example.co.uk (not internal.example.co.uk) and resolving to the same unknown public IP address.
    • nslookup <any FQDN>. <any DC server> works correctly.

    I determined that routing, the hosts file, the DNS Server Windows service, etc. weren't relevant and that no DNS PTR RR existed for the unknown public IP address.

    I know that you're supposed to append a trailing . to an FQDN, but I've never had to and never seen it behave like this before.

    I couldn't find a suitable resolution online, hence this post.

    The following anonymised Command Prompt output demonstrates this:

    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Users\username>ipconfig /all
    
    Windows IP Configuration
    
    Host Name . . . . . . . . . . . . : DC2
    Primary Dns Suffix . . . . . . . : internal.example.co.uk
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : internal.example.co.uk
    
    Ethernet adapter Ethernet 2:
    
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
    Physical Address. . . . . . . . . : 00-15-5D-9E-13-07
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::45fd:755c:e86d:eed3%14(Preferred)
    IPv4 Address. . . . . . . . . . . : 172.16.233.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 172.16.233.254
    DHCPv6 IAID . . . . . . . . . . . : 100668765
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-42-DF-91-00-15-5D-9E-13-05
    DNS Servers . . . . . . . . . . . : ::1
                                        172.16.233.1
                                        127.0.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled
    
    Tunnel adapter isatap.{DEFCF64F-0919-47F6-8206-DA42E6828191}:
    
    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    
    C:\Users\username>ping internal.example.co.uk
    
    Pinging internal.example.co.uk [172.16.233.2] with 32 bytes of data:
    Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
    Reply from 172.16.233.2: bytes=32 time<1ms TTL=128
    
    Ping statistics for 172.16.233.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
    
    C:\Users\username>nslookup internal.example.co.uk 127.0.0.1
    Server: localhost
    Address: 127.0.0.1
    
    Non-authoritative answer:
    Name: internal.example.co.uk.example.co.uk
    Address: <unknown public IP address>
    
    
    C:\Users\username>nslookup internal.example.co.uk. 127.0.0.1
    Server:  localhost
    Address:  127.0.0.1
    
    Name:    internal.example.co.uk
    Addresses:  172.16.233.1
              172.16.233.2
    
    
    C:\Users\username>ping DC1
    
    Pinging DC1.internal.example.co.uk [172.16.233.1] with 32 bytes of data:
    Reply from 172.16.233.1: bytes=32 time=1ms TTL=128
    Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.233.1: bytes=32 time<1ms TTL=128
    
    Ping statistics for 172.16.233.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
    
    C:\Users\username>nslookup DC1 127.0.0.1
    Server: localhost
    Address: 127.0.0.1
    
    Name: DC1.internal.example.co.uk
    Address: 172.16.233.1
    
    
    C:\Users\username>ping google.co.uk
    
    Pinging google.co.uk [74.125.133.94] with 32 bytes of data:
    Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
    Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
    Reply from 74.125.133.94: bytes=32 time=11ms TTL=49
    Reply from 74.125.133.94: bytes=32 time=15ms TTL=49
    
    Ping statistics for 74.125.133.94:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 15ms, Average = 12ms
    
    C:\Users\username>nslookup google.co.uk 127.0.0.1
    Server: localhost
    Address: 127.0.0.1
    
    Non-authoritative answer:
    Name: google.co.uk.example.co.uk
    Address: <unknown public IP address>
    
    
    C:\Users\username>nslookup google.co.uk. 127.0.0.1
    Server:  localhost
    Address:  127.0.0.1
    
    Non-authoritative answer:
    Name:    google.co.uk
    Addresses:  2a00:1450:4007:80e::2003
              216.58.208.227
    
    
    C:\Users\username>
    

Accepted Answer (Anonymous, #35914)

    Using nslookup's debug mode, I found that this was due to DNS recursion devolution (thanks @joeqwerty) and a previously existing but unknown public root wildcard DNS RR (*.example.co.uk. IN A <unknown public IP address>).

    Specifically, I found that in this case, where there is one DNS suffix:

    • When the given DNS name is an FQDN with a trailing . and DNS recursion is enabled (default), nslookup was:
      1. Appending no DNS suffix and succeeding.
    • When the given DNS name is an FQDN without a trailing . and DNS recursion is enabled (default), nslookup was:
      1. Appending the primary DNS suffix and failing.
      2. Appending the primary DNS suffix a level up and "succeeding" because the given DNS name matched the wildcard DNS RR.
    • When the given DNS name is an FQDN without a trailing . and DNS recursion is disabled, nslookup was:
      1. Appending the primary DNS suffix and failing.
      2. Appending the primary DNS suffix a level up and failing.
      3. Appending no DNS suffix and succeeding.

    This is demonstrated in the following anonymised Command Prompt output when recursion was enabled (default):

    C:\Users\username>nslookup
    Default Server:  UnKnown
    Address:  ::1
    
    > set debug=true
    > internal.example.co.uk
    Server:  UnKnown
    Address:  ::1
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.internal.example.co.uk, type = A, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.example.co.uk, type = A, class = IN
        ANSWERS:
        ->  internal.example.co.uk.example.co.uk
            internet address = <unknown public IP address>
            ttl = 599 (9 mins 59 secs)
    
    ------------
    Non-authoritative answer:
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.example.co.uk, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  example.co.uk
            ttl = 599 (9 mins 59 secs)
            primary name server = ns.domaincheck.co.uk
            responsible mail addr = dns.domaincheck.co.uk
            serial  = 2017092801
            refresh = 7200 (2 hours)
            retry   = 3600 (1 hour)
            expire  = 604800 (7 days)
            default TTL = 3600 (1 hour)
    
    ------------
    Name:    internal.example.co.uk.example.co.uk
    Address:  <unknown public IP address>
    
    > internal.example.co.uk.
    Server:  UnKnown
    Address:  ::1
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 2,  authority records = 0,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk, type = A, class = IN
        ANSWERS:
        ->  internal.example.co.uk
            internet address = 172.16.233.2
            ttl = 600 (10 mins)
        ->  internal.example.co.uk
            internet address = 172.16.233.1
            ttl = 600 (10 mins)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    Name:    internal.example.co.uk
    Addresses:  172.16.233.2
              172.16.233.1
    
    >
    

    This is demonstrated in the following anonymised Command Prompt output when recursion was disabled:

    C:\Users\username>nslookup
    Default Server:  UnKnown
    Address:  ::1
    
    > set debug=true
    > set norecurse
    > internal.example.co.uk
    Server:  UnKnown
    Address:  ::1
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.internal.example.co.uk, type = A, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 4, rcode = SERVFAIL
            header flags:  response, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.example.co.uk, type = A, class = IN
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 5, rcode = SERVFAIL
            header flags:  response, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk.example.co.uk, type = AAAA, class = IN
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  response, auth. answer, recursion avail.
            questions = 1,  answers = 2,  authority records = 0,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk, type = A, class = IN
        ANSWERS:
        ->  internal.example.co.uk
            internet address = 172.16.233.2
            ttl = 600 (10 mins)
        ->  internal.example.co.uk
            internet address = 172.16.233.1
            ttl = 600 (10 mins)
    
    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  response, auth. answer, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            internal.example.co.uk, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  internal.example.co.uk
            ttl = 3600 (1 hour)
            primary name server = DC2.internal.example.co.uk
            responsible mail addr = hostmaster.internal.example.co.uk
            serial  = 170
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    
    ------------
    Name:    internal.example.co.uk
    Addresses:  172.16.233.2
              172.16.233.1
    
    >
    

    Source: https://serverfault.com/questions/887101/fqdns-resolving-correctly-via-ping-but-not-nslookup
    Author: mythofechelon
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
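The mechanism the accepted answer describes (nslookup appending the primary suffix, then the devolved parent suffix, and only then trying the bare name, so that a wildcard in the public parent zone answers before the real record is ever asked for) is modelled below as an added example. It is not code from the original post or from any Microsoft tool. Its zone data is constructed to mirror the thread (the DCs' internal.example.co.uk zone and a public *.example.co.uk wildcard); 203.0.113.10 from the RFC 5737 documentation range stands in for the thread's "<unknown public IP address>", and stopping devolution at example.co.uk rather than co.uk is an assumption taken from the debug output above. The `parent_wildcard_check` function is the check a practitioner wants after reading this thread: probe each parent of your primary suffix with a name that cannot exist and see whether something answers anyway.

```python
"""Model of the nslookup suffix-search order that produced the thread's results.

Added example, not from the original post or any Microsoft tool. Zone data is
CONSTRUCTED to mirror the thread (the DCs' internal.example.co.uk zone plus a
public *.example.co.uk wildcard); 203.0.113.10 (RFC 5737) stands in for the
"<unknown public IP address>"; stopping devolution at example.co.uk is assumed.
"""

PUBLIC_WILDCARD_IP = "203.0.113.10"  # placeholder for the unknown public IP

ZONES = {  # apex -> {owner name: [A records]}  (constructed)
    "internal.example.co.uk": {
        "internal.example.co.uk": ["172.16.233.1", "172.16.233.2"],
    },
    "example.co.uk": {  # public parent zone, only reachable via the forwarders
        "*.example.co.uk": [PUBLIC_WILDCARD_IP],
    },
}
LOCAL_ZONES = {"internal.example.co.uk"}  # zones the DC is authoritative for


def zone_for(name):
    """Longest zone apex equal to `name` or a parent of it, else None."""
    best = None
    for apex in ZONES:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def lookup_a(name, recurse=True):
    """Answer an A query as the DC did: (rcode, addresses). Local zones are
    answered directly; anything else needs recursion to the forwarders, so with
    recursion off the server returns SERVFAIL (as in the `set norecurse` output).
    Wildcard matching is simplified (RFC 4592 also requires no closer name)."""
    name = name.lower().rstrip(".")
    apex = zone_for(name)
    if apex is None:
        return ("NXDOMAIN", []) if recurse else ("SERVFAIL", [])
    if apex not in LOCAL_ZONES and not recurse:
        return ("SERVFAIL", [])
    zone = ZONES[apex]
    if name in zone:
        return ("NOERROR", zone[name])
    wild = "*." + apex
    if wild in zone and name != apex:
        return ("NOERROR", zone[wild])
    return ("NXDOMAIN", [])


def devolve(primary_suffix, min_labels=3):
    """Strip the leftmost label while at least min_labels remain:
    internal.example.co.uk -> [internal.example.co.uk, example.co.uk]."""
    labels, out = primary_suffix.split("."), []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def nslookup_order(name, primary_suffix, recurse=True):
    """Reproduce nslookup's trial order: (answering_name, addresses, trials).

    A trailing dot makes the name absolute and only that name is asked. Otherwise
    each (devolved) suffix is appended first and the bare name comes LAST, so the
    search stops at the first positive answer, wildcard or not.
    """
    if name.endswith("."):
        candidates = [name.rstrip(".")]
    else:
        candidates = [f"{name}.{s}" for s in devolve(primary_suffix)] + [name]
    trials = []
    for q in candidates:
        rcode, addrs = lookup_a(q, recurse)
        trials.append((q, rcode, addrs))
        if rcode == "NOERROR" and addrs:
            return q, addrs, trials
    return None, [], trials


def parent_wildcard_check(primary_suffix, probe="label-that-should-not-exist"):
    """Probe each devolved parent with a name that should not exist; a positive
    answer means a catch-all there will swallow unqualified lookups."""
    return {
        parent: (addrs if rcode == "NOERROR" else None)
        for parent in devolve(primary_suffix)[1:]
        for rcode, addrs in [lookup_a(f"{probe}.{parent}")]
    }


if __name__ == "__main__":
    for q, rec in (("internal.example.co.uk", True), ("internal.example.co.uk.", True),
                   ("internal.example.co.uk", False), ("google.co.uk", True)):
        answered, addrs, trials = nslookup_order(q, "internal.example.co.uk", rec)
        print(f"{q!r} recurse={rec}: answered by {answered} -> {addrs}")
        for t in trials:
            print("   ", *t)
    print("parent wildcards:", parent_wildcard_check("internal.example.co.uk"))
```

Running the script reproduces the four outcomes from the thread: the unqualified name is "answered" by internal.example.co.uk.example.co.uk via the wildcard, the dotted name returns the two DC addresses, the no-recursion run goes NXDOMAIN, SERVFAIL, then succeeds on the bare name, and google.co.uk is captured the same way. The live equivalent of `parent_wildcard_check` is a query such as `nslookup label-that-should-not-exist.example.co.uk.` (trailing dot) or `Resolve-DnsName` with the same name; if it returns an address, every mistyped or unqualified internal name on the domain will resolve to whatever that wildcard points at, which is worth raising with whoever controls the public zone. Within nslookup itself, `set nosearch` stops the suffix appending that triggers this, and ping and other applications are unaffected because they go through the Windows DNS Client rather than nslookup's own built-in resolver.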
