NSLOOKUP returning the domain appended to non-authoritative answer, along with wrong address

domain-name-systemwindows-server-2008-r2

I recently installed a Windows 2008r2 server (workgroup only, no AD or Domain). This server has DNS enabled.

From a different client machine on the LAN, I run NSLOOKUP to test DNS operation.

When starting up, it correctly lists the server name and IP address.

when I type in "realdomain.com" from the > prompt, NSLOOKUP returns:

Non-authoritative answer:
Name:   realdomain.com.my.domain.net
Address:  67.215.65.132

The client system is able to resolve names, so DNS is working to some extent, but I don't understand why "my.domain.net" is appended.

The 67.215.65.132 address returned for realdomain.com is also incorrect. The address actually belongs to OpenDNS. I am using OpenDNS as the forwarders, but those addresses are 208.67.xxx.xxx.

"my.domain.net" is the primary DNS suffix of the my local LAN server. It is not a publicly visible domain, since the server is on a private network.

This question seems to be quite similar, but I don't understand how to apply the solution: "…remove the wild card entry from your network solutions configuration". What wild card entry? Where is the "network solutions configuration"?

As in the referenced question, if I enter realdomain.com. (with the period at the end), it works correctly and returns the correct address.

Best Answer

I get a similar result:

D:\Users\tannerf>nslookup domain.net 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    domain.net.MYSUFFIX.COM
Address:  67.215.65.132

Looks like OpenDNS is redirecting when the name can't be resolved. You can change the query to any subdomain that won't resolve, and it will return the same:

D:\Users\tannerf>nslookup mdmarra.local 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    mdmarra.local.microsoft.com
Address:  67.215.65.132

nslookup is, by default, appending the search suffix. Take a look at this question. And here's a thread bemoaning OpenDNS' decision. I find it terribly confusing myself.

If you'd like to prevent OpenDNS from redirecting, you might take a look here.

Related Solutions

Windows Appending Domain Suffix to All Lookups – Solutions

If you launch nslookup and turn on debugging you'll see that Windows always tries to append its suffix first.

C:\>nslookup
Default Server:  itads.example.com
Address:  0.0.0.0

> set debug=true
> www.yahoo.com
Server:  itads.example.com
Address:  0.0.0.0

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        www.yahoo.com.example.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  example.com
        ttl = 3600 (1 hour)
        primary name server = itads.example.com
        responsible mail addr = itads.example.com
        serial  = 12532170
        refresh = 1200 (20 mins)
        retry   = 600 (10 mins)
        expire  = 1209600 (14 days)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 4,  authority records = 0,  additional = 0

    QUESTIONS:
        www.yahoo.com, type = A, class = IN
    ANSWERS:
    ->  www.yahoo.com
        canonical name = www.wa1.b.yahoo.com
        ttl = 241 (4 mins 1 sec)
    ->  www.wa1.b.yahoo.com
        canonical name = www-real.wa1.b.yahoo.com
        ttl = 30 (30 secs)
    ->  www-real.wa1.b.yahoo.com
        internet address = 209.131.36.158
        ttl = 30 (30 secs)
    ->  www-real.wa1.b.yahoo.com
        internet address = 209.191.93.52
        ttl = 30 (30 secs)

------------
Non-authoritative answer:
Name:    www-real.wa1.b.yahoo.com
Addresses:  209.131.36.158, 209.191.93.52
Aliases:  www.yahoo.com, www.wa1.b.yahoo.com

As you can see above my machine tried to look for www.yahoo.com.example.com first, and the DNS server responded NXDOMAIN (entry not found). You can confirm this by running nslookup www.yahoo.com. (note the dot at the end of .com!) and you'll see that it is resolved normally.

What's happening is that your external DNS server is responding that they have an entry for "www.yahoo.com.example.com" and is returning your IP address for the root of your site. I'm not sure what service you use but I'm guessing that you have a wildcard mapping that tells your server to respond to any unknown query with a valid response, rather than returning NXDOMAIN. You'll need to double check your settings for the server and confirm that it is only set to respond to queries for entries it actually has (example.com, www.example.com, mail.example.com, etc.).

Remember that DNS works by checking the configured server and working its way up from there. The DNS query can take a path like the following pattern (of course this is just a example, it is probably wrong): Machine -> Local Router DNS (linksys) -> ISP DNS -> (2nd ISP DNS?) -> Root Server DNS -> TLD DNS -> Your External DNS server. Someone along that path is saying that www.yahoo.com.example.com exists. Chances are it's your external DNS server.

EDIT

I figured I'd include one more tidbit about the randomness you mention. If this is really happening sporadically you may have a misconfigured external DNS server or their ISP could be providing a DNS hijacking service. Unfortunately I've seen more and more residential ISPs provide a "search service" for invalid domain names. Since almost all end users use their ISP DNS servers, the ISPs are now starting to redirect invalid domain entries to a search page - one usually laden with ads, irrelevant links and a small "Did you mean www.example.com?" with some results that may or may not be related to the domain name. I know that Verizon and Comcast are starting to do this, I believe Quest is starting to as well. Another possibility is OpenDNS, since they provide the same "search for a related domain" if it doesn't exist (it's their revenue after all).

My problem with suggesting that as the problem, though, is the fact that you say it's returning the address of your root record, which none of these would do if they were trying to search for it, they'd give you an IP of one of their web servers to handle the search.

DYNDNS.org Custom DNS returning odd results with Windows’ NSLOOKUP

Maybe nslookup attaches the default DNS suffix? Try asking for

sugarcreekcctexas.com.

instead of

sugarcreekcctexas.com

Best Answer

Related Solutions

Windows Appending Domain Suffix to All Lookups – Solutions

DYNDNS.org Custom DNS returning odd results with Windows’ NSLOOKUP

Related Topic