FQDNs resolving correctly via ping but not nslookup
6,999
Using nslookup's debug mode, I found that this was due to DNS recursion devolution (thanks @joeqwerty) and a previously existing but unknown public root wildcard DNS RR (*.example.co.uk. IN A <unknown public IP address>).
Specifically, I found that in this case where there is one DNS suffix;:
- The given DNS name is a FQDN with a suffixed
.; and DNS recursion is enabled (default),nslookupwas:- Appending no DNS suffix and succeeding.
- The given DNS name is a FQDN without a suffixed
.; and DNS recursion is enabled (default),nslookupwas:- Appending the primary DNS suffix and failing.
- Appending the primary DNS suffix a level up and "succeeding" because the given DNS name matched the wildcard DNS RR.
- The given DNS name is a FQDN without a suffixed
.; and DNS recursion is disabled,nslookupwas:- Appending the primary DNS suffix and failing.
- Appending the primary DNS suffix a level up and failing.
- Appending no DNS suffix and succeeding.
This is demonstrated in the following, anonymised Command Prompt output when recursion was enabled (default):
C:\Users\username>nslookup
Default Server: UnKnown
Address: ::1
> set debug=true
> internal.example.co.uk
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = A, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk.example.co.uk
internet address = <unknown public IP address>
ttl = 599 (9 mins 59 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> example.co.uk
ttl = 599 (9 mins 59 secs)
primary name server = ns.domaincheck.co.uk
responsible mail addr = dns.domaincheck.co.uk
serial = 2017092801
refresh = 7200 (2 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk.example.co.uk
Address: <unknown public IP address>
> internal.example.co.uk.
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk
internet address = 172.16.233.2
ttl = 600 (10 mins)
-> internal.example.co.uk
internet address = 172.16.233.1
ttl = 600 (10 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk
Addresses: 172.16.233.2
172.16.233.1
>
This is demonstrated in the following, anonymised Command Prompt output when recursion was disabled:
C:\Users\username>nslookup
Default Server: UnKnown
Address: ::1
> set debug=true
> set norecurse
> internal.example.co.uk
Server: UnKnown
Address: ::1
------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = A, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk.internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 4, rcode = SERVFAIL
header flags: response, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 5, rcode = SERVFAIL
header flags: response, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk.example.co.uk, type = AAAA, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0
QUESTIONS:
internal.example.co.uk, type = A, class = IN
ANSWERS:
-> internal.example.co.uk
internet address = 172.16.233.2
ttl = 600 (10 mins)
-> internal.example.co.uk
internet address = 172.16.233.1
ttl = 600 (10 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
internal.example.co.uk, type = AAAA, class = IN
AUTHORITY RECORDS:
-> internal.example.co.uk
ttl = 3600 (1 hour)
primary name server = DC2.internal.example.co.uk
responsible mail addr = hostmaster.internal.example.co.uk
serial = 170
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
Name: internal.example.co.uk
Addresses: 172.16.233.2
172.16.233.1
>
Related videos on Youtube
03 : 21
Fix Nslookup works but Ping fails in Windows
07 : 26
Using NSLOOKUP to Troubleshoot DNS Issues
05 : 16
Using nslookup to resolve domain names to ip addresses
14 : 34
Network Troubleshooting using PING, TRACERT, IPCONFIG, NSLOOKUP COMMANDS
03 : 06
DevOps & SysAdmins: FQDNs resolving correctly via ping but not nslookup
Author by
mythofechelon
Updated on September 18, 2022Comments
-
mythofechelon almost 2 years
The following AD DS domain was freshly setup:
- DNS domain name, FLZ, and only DNS suffix:
internal.example.co.uk - DC OSes: Windows Server 2016 Standard
- DC #1 DNS servers: 172.16.233.2, 127.0.0.1
- DC #2 DNS servers: 172.16.233.1, 127.0.0.1
- DNS forwarders: 8.8.8.8, 208.67.222.222
By all accounts, the domain and DNS is working correctly.
However,
nslookupbehaves very strangely:nslookup <any FQDN> <any DC server>works incorrectly, appendingexample.co.uk(notinternal.example.co.uk) and resolves to the same, unknown public IP address.nslookup <any FQDN>. <any DC server>works correctly.
I determined that routing, the file
hosts, Windows serviceDNS Server, etc weren't relevant and no DNS PTR RR existed for the unknown public IP address.I know that you're supposed to suffix a
.to a FQDN but I've never had to and never seen it behave like this before.I couldn't find a suitable resolution online, hence this post.
The following, anonymised Command Prompt output demonstrates this:
Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved. C:\Users\username>ipconfig /all Windows IP Configuration Host Name . . . . . . . . . . . . : DC2 Primary Dns Suffix . . . . . . . : internal.example.co.uk Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : internal.example.co.uk Ethernet adapter Ethernet 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2 Physical Address. . . . . . . . . : 00-15-5D-9E-13-07 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes Link-local IPv6 Address . . . . . : fe80::45fd:755c:e86d:eed3%14(Preferred) IPv4 Address. . . . . . . . . . . : 172.16.233.2(Preferred) Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 172.16.233.254 DHCPv6 IAID . . . . . . . . . . . : 100668765 DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-21-42-DF-91-00-15-5D-9E-13-05 DNS Servers . . . . . . . . . . . : ::1 172.16.233.1 127.0.0.1 NetBIOS over Tcpip. . . . . . . . : Enabled Tunnel adapter isatap.{DEFCF64F-0919-47F6-8206-DA42E6828191}: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . : Description . . . . . . . . . . . : Microsoft ISATAP Adapter Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0 DHCP Enabled. . . . . . . . . . . : No Autoconfiguration Enabled . . . . : Yes C:\Users\username>ping internal.example.co.uk Pinging internal.example.co.uk [172.16.233.2] with 32 bytes of data: Reply from 172.16.233.2: bytes=32 time<1ms TTL=128 Reply from 172.16.233.2: bytes=32 time<1ms TTL=128 Reply from 172.16.233.2: bytes=32 time<1ms TTL=128 Reply from 172.16.233.2: bytes=32 time<1ms TTL=128 Ping statistics for 172.16.233.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Users\username>nslookup internal.example.co.uk 127.0.0.1 Server: localhost Address: 127.0.0.1 Non-authoritative answer: Name: internal.example.co.uk.example.co.uk Address: <unknown public IP address> C:\Users\username>nslookup internal.example.co.uk. 127.0.0.1 Server: localhost Address: 127.0.0.1 Name: internal.example.co.uk Addresses: 172.16.233.1 172.16.233.2 C:\Users\username>ping DC1 Pinging DC1.internal.example.co.uk [172.16.233.1] with 32 bytes of data: Reply from 172.16.233.1: bytes=32 time=1ms TTL=128 Reply from 172.16.233.1: bytes=32 time<1ms TTL=128 Reply from 172.16.233.1: bytes=32 time<1ms TTL=128 Reply from 172.16.233.1: bytes=32 time<1ms TTL=128 Ping statistics for 172.16.233.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms C:\Users\username>nslookup DC1 127.0.0.1 Server: localhost Address: 127.0.0.1 Name: DC1.internal.example.co.uk Address: 172.16.233.1 C:\Users\username>ping google.co.uk Pinging google.co.uk [74.125.133.94] with 32 bytes of data: Reply from 74.125.133.94: bytes=32 time=11ms TTL=49 Reply from 74.125.133.94: bytes=32 time=11ms TTL=49 Reply from 74.125.133.94: bytes=32 time=11ms TTL=49 Reply from 74.125.133.94: bytes=32 time=15ms TTL=49 Ping statistics for 74.125.133.94: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 11ms, Maximum = 15ms, Average = 12ms C:\Users\username>nslookup google.co.uk 127.0.0.1 Server: localhost Address: 127.0.0.1 Non-authoritative answer: Name: google.co.uk.example.co.uk Address: <unknown public IP address> C:\Users\username>nslookup google.co.uk. 127.0.0.1 Server: localhost Address: 127.0.0.1 Non-authoritative answer: Name: google.co.uk Addresses: 2a00:1450:4007:80e::2003 216.58.208.227 C:\Users\username> - DNS domain name, FLZ, and only DNS suffix:
-
joeqwerty over 6 years1.This is the expected behavior of nslookup for non-fully qualified queries. Any query omitting the trailing . is not fully qualified.2.What you're seeing is a function of DNS devolution, not recursion. - technet.microsoft.com/en-us/library/ee683928(v=ws.10).aspx -
mythofechelon over 6 years@joeqwerty
1.I know that that's the expected behaviour now but I didn't used to, hence why I documented it for others.2.Interesting. I assumed that it was caused by recursion as disabling it "resolved" the problem but I stand corrected. Thanks.