DNS Suffixes on Windows

    Published: 2024-05-12
    Last Updated: 2024-05-12 13:02:10 UTC
    by Didier Stevens (Version: 1)
    0 comment(s)

    I was asked if I could provide more details on the following sentence from my diary entry "nslookup's Debug Options":

         (notice that in my nslookup query, I terminated the FQDN with a dot: "example.com.", I do that to prevent Windows from adding suffixes)

    A DNS suffix is a setting of the Windows DNS client (configured locally, via DHCP, via Group Policy, ...) that makes the client append one or more suffixes to a name when it performs a lookup.

    For example, if the DNS suffix "local" is configured, then Windows' DNS client will not only do a DNS lookup for example.com, but also for example.com.local.

    As an example, let me configure mylocalnetwork as a suffix on a Windows machine:

    With DNS suffix mylocalnetwork configured, nslookup will use this suffix. For example, when I perform a lookup for "example.com", nslookup will also do a lookup for "example.com.mylocalnetwork".

    I can show this with nslookup's debug option d2:

    In these screenshots, you can see DNS type A and AAAA queries for both example.com.mylocalnetwork and example.com.

    One of the ideas behind DNS suffixes is to reduce typing. If you have a NAS named mynas, for example, you can just access it with https://mynas/login. No need to type the fully qualified domain name (FQDN) https://mynas.mylocalnetwork/login.

    Notice that the suffix is also applied to AAAA queries, although in the screenshots above I configured it only in the IPv4 settings. That's because the DNS suffix setting applies to both IPv4 and IPv6:

    Before I show the results for "example.com." (notice the dot character at the end), let me show how I can summarize the lookups by grepping for "example" (with findstr):

    If I terminate my DNS query with a dot character (.), suffixes will not be appended:

    Notice that there are no resolutions for mylocalnetwork in this last example. That's because the trailing dot marks the name as fully qualified: Windows' DNS client resolves it starting from the DNS root zone and appends no suffix. This is why terminating a name with a dot is a good habit whenever you want to be certain which name is actually being queried, and which zone answers it.
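    The same experiment, scripted from an elevated PowerShell prompt. This is an added example and not part of the diary: the suffix "mylocalnetwork" and the query "example.com" are the values used above, but the cmdlets, the use of Select-String in place of findstr, and the nslookup switches -type and -nosearch are my additions. It assumes a Windows host with the DnsClient module (Windows 8 / Server 2012 or later) and that the machine can reach its configured DNS server.

```powershell
# Added example, not from the diary: reproduce the suffix experiment with and without
# a trailing dot, then put the configuration back the way it was.

# 1. Record the current global suffix search list so it can be restored afterwards.
$original = @((Get-DnsClientGlobalSetting).SuffixSearchList | Where-Object { $_ })
"Current suffix search list: $($original -join ', ')"

# 2. Configure the DNS suffix used in the diary (administrator rights required).
#    This is the same list that "ipconfig /all" reports as "DNS Suffix Search List".
Set-DnsClientGlobalSetting -SuffixSearchList @('mylocalnetwork')

# 3. Debug-level (-d2) lookups, summarised the way findstr did it in the diary.
#    Without a trailing dot, the output also shows queries for example.com.mylocalnetwork.
"--- example.com (suffix appended) ---"
nslookup -d2 example.com  | Select-String 'example'

#    With a trailing dot, only example.com itself is queried.
"--- example.com. (fully qualified) ---"
nslookup -d2 example.com. | Select-String 'example'

# 4. Restrict the query to A records (the "type" option), still fully qualified.
"--- A records only ---"
nslookup -d2 -type=A example.com. | Select-String 'example'

# 5. nslookup's own switch to stop using the search list; note the name has no trailing dot here.
"--- -nosearch, no trailing dot ---"
nslookup -d2 -nosearch example.com | Select-String 'example'

# 6. Restore the original configuration (an empty list clears the suffixes again).
Set-DnsClientGlobalSetting -SuffixSearchList $original
```

    Step 5 is worth keeping in mind when you are testing a resolver rather than the Windows client: -nosearch tells nslookup itself not to use the search list, whereas the trailing dot is understood by every resolver, which is why the diary recommends the dot.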

    A domain name consists of domain labels separated by dots:

    If you add a trailing dot, you are actually adding an empty domain label:

    The empty label represents the DNS root zone, and no suffix is appended after the root, since it is the top of the DNS hierarchy.
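    To make the label view concrete, here is a small PowerShell function that splits a name into its labels and derives the candidate names a suffix-appending client would query. It is an added example, not code from the diary, and it is a deliberately simplified model: it implements only the rule discussed above (a trailing empty label means "fully qualified, append nothing"), and not the Windows DNS client's additional rules such as name devolution. The default suffix list "mylocalnetwork" and the function name are assumptions.

```powershell
# Added example, not from the diary: a simplified model of suffix appending.
function Get-LookupCandidates {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string[]]$SuffixSearchList = @('mylocalnetwork')   # assumed suffix, as in the diary
    )

    # Split on dots. A trailing dot produces a trailing empty label, i.e. the root zone.
    $labels = $Name.Split('.')
    $isFqdn = ($labels[-1] -eq '')

    if ($isFqdn) {
        # Empty last label = root: query exactly this name, append nothing.
        $candidates = @($Name)
    } else {
        # Not fully qualified: try each suffix, then the name as typed
        # (the diary's nslookup output shows both forms being queried).
        $candidates = @(foreach ($s in $SuffixSearchList) { "${Name}.${s}" }) + @($Name)
    }

    [pscustomobject]@{
        Name       = $Name
        Labels     = $labels
        IsFqdn     = $isFqdn
        Candidates = $candidates
    }
}

# The three cases from the diary: suffix appended, trailing dot, and a single-label host name.
'example.com', 'example.com.', 'mynas' |
    ForEach-Object { Get-LookupCandidates -Name $_ } |
    Format-List
```

    Running it shows that "example.com." has three labels, the last one empty, and yields a single candidate, while "example.com" and "mynas" each yield "name.mylocalnetwork" as well as the name itself.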

    A small tip if you want to restrict nslookup's resolutions to A records, for example: there is an option for that.

    If you use nslookup's help option (/?), you will see that options can be provided, but the actual options are not listed:

    To see the available options, start nslookup, and then type "?" at its prompt, like this:

    Now you can see that the option "type" lets you specify which type of records to query. Here is an example for A records:


    Didier Stevens
    Senior handler
    blog.DidierStevens.com
