If you launch nslookup and turn on debugging, you'll see that Windows always tries to append its suffix first.
C:\>nslookup
Default Server: itads.example.com
Address: 0.0.0.0
> set debug=true
> www.yahoo.com
Server: itads.example.com
Address: 0.0.0.0
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
www.yahoo.com.example.com, type = A, class = IN
AUTHORITY RECORDS:
-> example.com
ttl = 3600 (1 hour)
primary name server = itads.example.com
responsible mail addr = itads.example.com
serial = 12532170
refresh = 1200 (20 mins)
retry = 600 (10 mins)
expire = 1209600 (14 days)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 4, authority records = 0, additional = 0
QUESTIONS:
www.yahoo.com, type = A, class = IN
ANSWERS:
-> www.yahoo.com
canonical name = www.wa1.b.yahoo.com
ttl = 241 (4 mins 1 sec)
-> www.wa1.b.yahoo.com
canonical name = www-real.wa1.b.yahoo.com
ttl = 30 (30 secs)
-> www-real.wa1.b.yahoo.com
internet address = 209.131.36.158
ttl = 30 (30 secs)
-> www-real.wa1.b.yahoo.com
internet address = 209.191.93.52
ttl = 30 (30 secs)
------------
Non-authoritative answer:
Name: www-real.wa1.b.yahoo.com
Addresses: 209.131.36.158, 209.191.93.52
Aliases: www.yahoo.com, www.wa1.b.yahoo.com
As you can see above, my machine tried to look for www.yahoo.com.example.com first, and the DNS server responded NXDOMAIN (entry not found). You can confirm this by running nslookup www.yahoo.com. (note the dot at the end of .com!) and you'll see that it is resolved normally.
What's happening is that your external DNS server is responding that they have an entry for "www.yahoo.com.example.com" and is returning your IP address for the root of your site. I'm not sure what service you use, but I'm guessing that you have a wildcard mapping that tells your server to respond to any unknown query with a valid response, rather than returning NXDOMAIN. You'll need to double-check your settings for the server and confirm that it is only set to respond to queries for entries it actually has (example.com, www.example.com, mail.example.com, etc.).
Remember that DNS works by checking the configured server and working its way up from there. The DNS query can take a path like the following pattern (of course this is just an example, it is probably wrong): Machine -> Local Router DNS (linksys) -> ISP DNS -> (2nd ISP DNS?) -> Root Server DNS -> TLD DNS -> Your External DNS server. Someone along that path is saying that www.yahoo.com.example.com exists. Chances are it's your external DNS server.
EDIT
I figured I'd include one more tidbit about the randomness you mention. If this is really happening sporadically you may have a misconfigured external DNS server or their ISP could be providing a DNS hijacking service. Unfortunately I've seen more and more residential ISPs provide a "search service" for invalid domain names. Since almost all end users use their ISP DNS servers, the ISPs are now starting to redirect invalid domain entries to a search page - one usually laden with ads, irrelevant links and a small "Did you mean www.example.com?" with some results that may or may not be related to the domain name. I know that Verizon and Comcast are starting to do this, I believe Quest is starting to as well. Another possibility is OpenDNS, since they provide the same "search for a related domain" if it doesn't exist (it's their revenue after all).
My problem with suggesting that as the problem, though, is the fact that you say it's returning the address of your root record, which none of these would do if they were trying to search for it, they'd give you an IP of one of their web servers to handle the search.
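The two things this answer relies on, the suffix-search order visible in the nslookup trace and the wildcard behaviour it suspects on the external server, can be reproduced without touching the network. The script below is an added example and not part of the thread: it models a stub resolver with a suffix search list, a constructed in-memory resolver for example.com (with and without a catch-all wildcard), and a probe that asks for random labels which cannot exist, which is the check you would run against your own authoritative server. The example.com zone data and the 203.0.113.x addresses are made up for the demonstration; the www.yahoo.com address is the one from the trace above.

```python
"""Added example (not from the thread): suffix-search order and a wildcard-zone check.
The resolver is a constructed in-memory stand-in, not a real DNS client."""
import random
import string

NXDOMAIN = None  # sentinel meaning "the name does not exist"


def candidate_names(query, suffix_list):
    """Names a stub resolver with a suffix search list tries, in order.
    Windows appends each configured suffix before trying the name as typed;
    a trailing dot marks the name as fully qualified and skips the suffix step."""
    if query.endswith("."):
        return [query.rstrip(".")]
    return [f"{query}.{suffix}" for suffix in suffix_list] + [query]


def resolve_with_search(query, suffix_list, lookup):
    """The first candidate that is not NXDOMAIN wins, as in the debug trace
    (query id 2 for www.yahoo.com.example.com, then id 3 for www.yahoo.com)."""
    for name in candidate_names(query, suffix_list):
        answer = lookup(name)
        if answer is not NXDOMAIN:
            return name, answer
    return None, NXDOMAIN


def make_lookup(zone_records, wildcard_ip=None, zone="example.com"):
    """Constructed resolver: one public record plus an example.com zone whose
    owner may have (mis)configured a wildcard that answers every unknown name."""
    public = {"www.yahoo.com": "209.131.36.158"}  # address from the trace above

    def lookup(name):
        name = name.rstrip(".").lower()
        if name in public:
            return public[name]
        if name in zone_records:
            return zone_records[name]
        if wildcard_ip is not None and name.endswith("." + zone):
            return wildcard_ip  # the catch-all the answer suspects
        return NXDOMAIN

    return lookup


def wildcard_suspected(zone, lookup, probes=3, seed=0):
    """Ask for random labels that cannot exist under the zone. A correctly
    configured authoritative server returns NXDOMAIN for all of them; any answer
    means the zone catches everything, which is what turns a suffix-appended
    query into your own root address."""
    rng = random.Random(seed)
    for _ in range(probes):
        label = "".join(rng.choices(string.ascii_lowercase, k=12))
        if lookup(f"{label}.{zone}") is not NXDOMAIN:
            return True
    return False


# Constructed zone data (203.0.113.0/24 is a documentation range).
ZONE = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}
CORRECT = make_lookup(ZONE)
MISCONFIGURED = make_lookup(ZONE, wildcard_ip="203.0.113.10")

if __name__ == "__main__":
    for label, lookup in (("correct", CORRECT), ("wildcard", MISCONFIGURED)):
        print(label, resolve_with_search("www.yahoo.com", ["example.com"], lookup),
              "| wildcard suspected:", wildcard_suspected("example.com", lookup))
```

Against the correct zone the suffixed name fails and the resolver falls through to www.yahoo.com; against the wildcard zone the very first candidate, www.yahoo.com.example.com, comes back with the site's root address and the real name is never asked for. The trailing-dot form bypasses the search list entirely in both cases, which is why the answer recommends it as the confirmation step.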
Joel,
Since you have trunks set up and can duplicate the issue at will, install Wireshark on a laptop and mirror/span an uplink port. If you see the packet rate over 10,000 or port utilization near max speed, you have a problem.
You might have a bad hardware/spanning tree issue. Normally I've found users plugging in both NICs on their machine "to get more throughput".
Normally for spanning tree issues you can turn on loop detect or broadcast limiting per port from your vendor. This will kill any port with a loop found. You can also turn on "bpdu protection", which means to disable the port the BPDU was received on and throw an error to the syslog/SNMP trap receivers.
Joe
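Once you have that span-port capture, the thresholds in this answer (packets per second above 10,000, utilization near line rate) and the classic loop signature (the same broadcast frame replayed far more often than any host would send it) are easy to check programmatically. The script below is an added example, not code from the thread: it runs those checks over a constructed list of frames in the shape you would export from Wireshark (timestamp, source MAC, destination MAC, length, a payload digest). The MAC addresses, the 100 Mbit/s link speed and the ARP payload label are made up for the demonstration.

```python
"""Added example (not from the thread): flag saturated seconds and replayed
broadcast frames in a capture, using the thresholds the answer gives.
Frames are tuples: (timestamp_s, src_mac, dst_mac, length_bytes, payload_digest)."""
from collections import Counter, defaultdict

PPS_LIMIT = 10_000      # packet rate the answer calls a problem
UTIL_LIMIT = 0.90       # "near max speed"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def per_second_stats(frames):
    """Bucket frames by whole second -> (packet count, byte count)."""
    buckets = defaultdict(lambda: [0, 0])
    for ts, _src, _dst, length, _digest in frames:
        bucket = buckets[int(ts)]
        bucket[0] += 1
        bucket[1] += length
    return {sec: (pkts, nbytes) for sec, (pkts, nbytes) in buckets.items()}


def saturated_seconds(frames, link_bps):
    """Seconds where the packet rate or utilization crosses the answer's limits.
    Returns [(second, packets, utilization)] sorted by second."""
    flagged = []
    for sec, (pkts, nbytes) in sorted(per_second_stats(frames).items()):
        util = nbytes * 8 / link_bps
        if pkts > PPS_LIMIT or util >= UTIL_LIMIT:
            flagged.append((sec, pkts, round(util, 2)))
    return flagged


def replayed_broadcasts(frames, min_copies=50):
    """A loop shows up as one broadcast frame (same source, same payload) circulating
    endlessly; a single ARP request should never be seen dozens of times."""
    seen = Counter()
    for _ts, src, dst, _length, digest in frames:
        if dst.lower() == BROADCAST:
            seen[(src, digest)] += 1
    return {key: n for key, n in seen.items() if n >= min_copies}


def constructed_capture():
    """Constructed sample: normal traffic in second 0, then an ARP broadcast storm
    in second 1 as a looped segment would produce it."""
    frames = []
    for i in range(500):  # 500 distinct unicast frames, ordinary load
        frames.append((i / 500, "00:11:22:33:44:%02x" % (i % 16),
                       "aa:bb:cc:dd:ee:ff", 800, f"unique-{i}"))
    for i in range(12_000):  # one ARP request replayed 12,000 times in one second
        frames.append((1 + i / 12_000, "00:11:22:33:44:01",
                       BROADCAST, 64, "arp-who-has-10.0.0.1"))
    return frames


if __name__ == "__main__":
    capture = constructed_capture()
    print("saturated:", saturated_seconds(capture, link_bps=100_000_000))
    print("replayed broadcasts:", replayed_broadcasts(capture))
```

Note that the storm second trips the packet-rate limit while staying at a few percent of a 100 Mbit/s link: small frames looping round a segment exhaust switch CPUs and per-port rate limits long before they fill the wire, which is why the answer gives both a packet-rate and a utilization threshold rather than just one.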
Best Answer
You're doing this the hard way. It would be easier to use a spreadsheet to track the computer names you've assigned. If you have a team that is responsible for naming computers a shared Google Sheets or the equivalent would be perfect.
At places I've worked we've used this method and included in the spreadsheet helpful details like Date Created, Date Decommissioned, Assigned User and the like.
This problem is best addressed with a behavior solution. Attempts to solve human problems with technical solutions usually fail. If the process for identifying and assigning a new name is simple then it is not unreasonable to expect all technicians to adhere to it as an expectation of employment.