DNS Resolution Issue for ONE external domain

I have an issue where the alrahden.com domain is getting no resolution because MYDOMAIN.COM is being appended. This doesn't happen with any other lookup of an external domain. The alrahden.com query comes back with "authority records = 1" and shouldn't. We use OPENDNS, but this domain is the only one with a problem.

C:\Documents and Settings\adm1n>nslookup
Default Server: dc1.mydomain.com
Address: 10.0.10.150

> set debug=true
> www.google.com
Server: dc1.mydomain.com
Address: 10.0.10.150

------------
Got answer:HEADER:opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:www.google.com.mydomain.com, type = A, class = IN
AUTHORITY RECORDS:-> mydomain.com
ttl = 3600 (1 hour)
primary name server = dc1.mydomain.com
responsible mail addr = adm1n.mydomain.com
serial = 2003681859
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer:HEADER:opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 6, authority records = 0, additional = 0

QUESTIONS:www.google.com, type = A, class = IN
ANSWERS:-> www.google.com
internet address = 74.125.137.103
ttl = 259 (4 mins 19 secs)
-> www.google.com
internet address = 74.125.137.104
ttl = 259 (4 mins 19 secs)
-> www.google.com
internet address = 74.125.137.147
ttl = 259 (4 mins 19 secs)
-> www.google.com
internet address = 74.125.137.105
ttl = 259 (4 mins 19 secs)
-> www.google.com
internet address = 74.125.137.106
ttl = 259 (4 mins 19 secs)
-> www.google.com
internet address = 74.125.137.99
ttl = 259 (4 mins 19 secs)

------------
Non-authoritative answer:Name: www.google.com
Addresses: 74.125.137.103, 74.125.137.104, 74.125.137.147, 74.125.137.105
74.125.137.106, 74.125.137.99

> alrahden.com
Server: dc1.mydomain.com
Address: 10.0.10.150

------------
Got answer:HEADER:opcode = QUERY, id = 4, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:alrahden.com.mydomain.com, type = A, class = IN
AUTHORITY RECORDS:-> mydomain.com
ttl = 3600 (1 hour)
primary name server = dc1.mydomain.com
responsible mail addr = adm1n.mydomain.com
serial = 2003681859
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Request to dc1.mydomain.com timed-out
> randominvalid.com
Server: dc1.mydomain.com
Address: 10.0.10.150

------------
Got answer:HEADER:opcode = QUERY, id = 6, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:randominvalid.com.mydomain.com, type = A, class = IN
AUTHORITY RECORDS:-> mydomain.com
ttl = 3600 (1 hour)
primary name server = dc1.mydomain.com
responsible mail addr = adm1n.mydomain.com
serial = 2003681859
refresh = 3600 (1 hour)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer:HEADER:opcode = QUERY, id = 7, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:randominvalid.com, type = A, class = IN
AUTHORITY RECORDS:-> com
ttl = 900 (15 mins)
primary name server = a.gtld-servers.net
responsible mail addr = nstld.verisign-grs.com
serial = 1430524039
refresh = 1800 (30 mins)
retry = 900 (15 mins)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

------------
*** dc1.mydomain.com can't find randominvalid.com: Non-existent domain
>



When you run nslookup it will by default append any domain names you have listed in your network configuration to the name you enter and try to resolve it unless the name you enter ends in a period.

So instead of entering "alrahden.com", try entering "alrahden.com."
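The suffix search described in the answer above can be traced through the transcript from the question. This is an added example, not part of the original thread: it parses nslookup `set debug` output and separates the expected NXDOMAIN for the suffixed name from the result for the name as typed. The function names are hypothetical, the sample is abridged from the question's transcript, and a timed-out query is assumed to be the one for the name as typed.

```python
import re

# Sample abridged from the transcript in the question (nslookup "set debug" output).
SAMPLE = """\
> www.google.com
Got answer:HEADER:opcode = QUERY, id = 2, rcode = NXDOMAIN
QUESTIONS:www.google.com.mydomain.com, type = A, class = IN
Got answer:HEADER:opcode = QUERY, id = 3, rcode = NOERROR
QUESTIONS:www.google.com, type = A, class = IN
> alrahden.com
Got answer:HEADER:opcode = QUERY, id = 4, rcode = NXDOMAIN
QUESTIONS:alrahden.com.mydomain.com, type = A, class = IN
DNS request timed out.
*** Request to dc1.mydomain.com timed-out
"""

RCODE = re.compile(r"rcode = (\w+)")
QNAME = re.compile(r"([\w.-]+), type = \w+, class = IN")

def parse_lookups(text):
    """Return {typed_name: [(question_name, result), ...]} in query order."""
    lookups, current, rcode = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("> ") and not line.startswith("> set "):
            current = lookups.setdefault(line[2:].strip(), [])
        elif current is None:
            continue  # banner lines before the first lookup
        elif (m := RCODE.search(line)):
            rcode = m.group(1)  # header of an answer; its question line follows
        elif (m := QNAME.search(line)) and rcode:
            current.append((m.group(1).rstrip("."), rcode))
            rcode = None
        elif line.startswith("DNS request timed out"):
            # Assumption: the timed-out query is the one for the name as typed.
            current.append((None, "TIMEOUT"))
    return lookups

def diagnose(typed, attempts):
    """Split suffix-search misses from the result for the name as typed."""
    typed = typed.rstrip(".").lower()
    real = [r for q, r in attempts if q is None or q.lower() == typed]
    suffixed = [q for q, _ in attempts if q and q.lower() != typed]
    return {"suffix_attempts": suffixed,
            "result_for_typed_name": real[-1] if real else "NOT_QUERIED"}

if __name__ == "__main__":
    for name, tries in parse_lookups(SAMPLE).items():
        print(name, diagnose(name, tries))
```

Both lookups show the same suffixed NXDOMAIN first; only the result for the name as typed differs (NOERROR versus a timeout).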




Was going to say what was said above. Do you actually have a problem caused for actual resolving, and is this the actual domain name you have an issue with?

What do you get with just

nslookup
thedomain.com.
server 8.8.8.8
thedomain.com.

Without any debug on etc.



In an AD environment, you should only have your own DNS servers on your own systems.
You of course could add, within the configuration of your own DNS server settings, forwarders to forward all outgoing requests to OpenDNS or Google's DNS if you like.

DNS caches responses based on the settings within the domain. When you use external DNS servers that are widely used, you may run into a situation where prior requests attempting to resolve the same domain ran into an issue such that it now has a negative cache (did not receive a response and is listing the domain as non-existent for the negative response duration).

The issue could be caused by several items: one of the authoritative DNS servers for the domain is malfunctioning/misconfigured, the path to it is not available, etc.

To minimize this, let your own DNS server retrieve the data and cache the responses. This way you know that if there is an issue it is limited to the destination when few domains are impacted; if all external domains are impacted you know the issue is with your side DNS/external connection.

Earlier experts commented on terminating the domain to avoid the appending of the search and local domain when resolving an entry.



This appears to be an issue with OPENDNS. Support has acknowledged that this is occurring at their end and is investigating it.



I believe the comment I made addressed this. You are pointing your DNS/workstations to OpenDNS, meaning it is a configuration issue. Remove that and you will not be susceptible to misconfigurations of third parties.
