DNS Suffixes on Windows, (Sun, May 12th)

Category: SANS Full Feed

I was asked if I could provide more details on the following sentence from my diary entry “nslookup’s Debug Options”:

     (notice that in my nslookup query, I terminated the FQDN with a dot: “example.com.”, I do that to prevent Windows from adding suffixes)

A DNS suffix is a domain name that the Windows DNS client appends to the names you ask it to resolve. It can be configured locally (as the primary DNS suffix, as a connection-specific suffix on a network adapter, or as an explicit suffix search list) or handed out by DHCP.

For example, if the DNS suffix local is configured, the Windows DNS client will not only look up example.com, but also example.com.local.

As an example, let me configure mylocalnetwork as a suffix on a Windows machine:

With the DNS suffix mylocalnetwork configured, nslookup will also try this suffix. For example, when I perform a lookup for “example.com”, nslookup will also do a lookup for “example.com.mylocalnetwork”.

I can show this with nslookup’s debug option d2:

The screenshots show type A and AAAA queries for both example.com.mylocalnetwork and example.com.

One of the ideas behind DNS suffixes is to reduce typing. If you have a NAS named mynas, for example, you can just access it with https://mynas/login. No need to type the fully qualified domain name (FQDN) https://mynas.mylocalnetwork/login. The flip side is that your DNS server also receives queries for names you never typed, like example.com.mylocalnetwork above.

Notice that the suffix is also appended for AAAA queries, although in the screenshots above I configured it only in the IPv4 settings. That is because the DNS suffix setting applies to both IPv4 and IPv6 name resolution:

Before I show the results with “example.com.” (notice the dot character at the end), let me show how I can summarize the lookups by filtering the debug output for “example” with findstr:

If I terminate the name in my DNS query with a dot character (.), no suffixes are appended:

Notice that there are no queries for mylocalnetwork in this last example. That is because the trailing dot tells the Windows DNS client that the name is already fully qualified, anchored at the DNS root zone, so there is nothing to append.

A domain name consists of domain labels separated by dots:

If you are adding a trailing dot, you are actually adding an empty domain label:

The empty label represents the DNS root zone. A name that ends in the root label is absolute (a FQDN in the strict sense), so the DNS client does not apply its suffix search list to it: there is nothing above the root to append.

A small tip: if you want to restrict nslookup’s queries to a single record type, A records for example, there is an option for that.

If you use nslookup’s help option /?, you will see that you can provide options, but the actual options are not listed:

To see the available options, start nslookup, and then type “?” at its prompt, like this:

Now you can see that option “type” allows you to specify which type of records to query (set type=A at the nslookup prompt, or -type=A as a command-line option). Here is an example for A records:
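To tie the two experiments in this diary together, here is an added PowerShell example (my own code, not part of the original diary or its screenshots) that configures mylocalnetwork as the suffix search list, runs nslookup -d2 for example.com with and without the trailing dot, and then repeats the rooted lookup with -type=A. Rather than eyeballing screenshots, it parses the QUESTIONS lines of nslookup’s debug output, so you see exactly which names and record types went on the wire, and it restores the original search list afterwards. Assumptions: Windows 8 / Server 2012 or later for the DnsClient cmdlets, an elevated prompt (Set-DnsClientGlobalSetting requires it), nslookup.exe on the PATH, and the function name Get-NslookupQuestions, which is mine.

```powershell
# Added example, not from the original diary. Assumes an elevated PowerShell
# session on Windows 8 / Server 2012 or later with nslookup.exe on the PATH.
# "mylocalnetwork" and "example.com" are the names used in the diary.

# Return the names and record types nslookup actually queried, parsed from
# the QUESTIONS section of its -d2 debug output (both the query and the
# echoed question in the answer are listed, hence callers de-duplicate).
function Get-NslookupQuestions {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $Type = $null            # e.g. 'A' to restrict the record type
    )
    $nsArgs = @('-d2')
    if ($Type) { $nsArgs += "-type=$Type" }   # same as "set type=A" at the prompt
    $nsArgs += $Name
    # nslookup writes some lines to stderr; merge them and turn them into strings.
    $lines = & nslookup.exe @nsArgs 2>&1 | ForEach-Object { "$_" }
    # Debug output lists each question as "<name>, type = <T>, class = IN".
    foreach ($line in $lines) {
        if ($line -match '^\s*(?<name>\S+),\s+type = (?<type>\w+), class = IN') {
            [pscustomobject]@{ Name = $Matches.name; Type = $Matches.type }
        }
    }
}

# Remember the current search list so we can put it back.
[string[]] $original = @((Get-DnsClientGlobalSetting).SuffixSearchList)
try {
    # Step 1: configure the suffix. An explicit search list replaces the
    # primary and connection-specific suffixes for lookups.
    Set-DnsClientGlobalSetting -SuffixSearchList @('mylocalnetwork')

    # Step 2: relative name -> suffix appended, A and AAAA both queried.
    'example.com (no trailing dot):'
    Get-NslookupQuestions -Name 'example.com' |
        Sort-Object Name, Type -Unique | Format-Table -AutoSize

    # Step 3: trailing dot -> name is rooted (empty label), nothing appended.
    'example.com. (trailing dot):'
    Get-NslookupQuestions -Name 'example.com.' |
        Sort-Object Name, Type -Unique | Format-Table -AutoSize

    # Step 4: -type=A restricts the query to A records only.
    'example.com. with -type=A:'
    Get-NslookupQuestions -Name 'example.com.' -Type 'A' |
        Sort-Object Name, Type -Unique | Format-Table -AutoSize
}
finally {
    # Restore the original suffix search list (an empty array clears it).
    Set-DnsClientGlobalSetting -SuffixSearchList $original
}
```

If you only want to observe and not change the configuration, skip the Set-DnsClientGlobalSetting calls and run Get-NslookupQuestions against whatever suffixes your machine already has; the function itself needs no elevation.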


Didier Stevens
Senior handler

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.