
I configured an Azure VM with Windows 2012 R2 and the DNS Server role installed. I have another VM in the same VNet and I am using nslookup to query the DNS server.

Every time I query any domain name on this DNS server specifically, it times out the first two tries and then resolves successfully. The reason is that it's appending the query with a long cloudapp.net domain.

For example, I set the d2 option on nslookup and queried cnn.com:

> cnn.com
Server:  [10.51.5.4]
Address:  10.51.5.4

------------ SendRequest(), len 77
    HEADER:
        opcode = QUERY, id = 19, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        cnn.com.g2dibntere1erjhcdrrozsaeod.bx.internal.cloudapp.net, type = A, class = IN

------------ DNS request timed out.
    timeout was 2 seconds. timeout (2 secs) SendRequest failed

How can I disable this behavior?

Update: I found the suffixed domain in the ipconfig results:

C:\Users\admin>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet 3:

   Connection-specific DNS Suffix  . : g2dibntere1erjhcdrrozsaeod.bx.internal.cl
oudapp.net
   Link-local IPv6 Address . . . . . : fe80::a90f:bb70:be04:ef2c%16
   IPv4 Address. . . . . . . . . . . : 10.51.10.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.51.10.1

Tunnel adapter isatap.g2dibntere1erjhcdrrozsaeod.bx.internal.cloudapp.net:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : g2dibntere1erjhcdrrozsaeod.bx.internal.cl
oudapp.net

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fd:1c9f:fbe8:d78d:f134
   Link-local IPv6 Address . . . . . : fe80::1c9f:fbe8:d78d:f134%14
   Default Gateway . . . . . . . . . : ::

So now how do I disable this connection-specific suffix?


3 Answers


What you're seeing is normal behavior. Your nslookup query is technically not a fully qualified query because you left out the trailing dot (.). If you want to see the difference, run the same query but instead add the trailing dot (.), as such:

cnn.com.

This is the behavior you'll see when issuing queries with nslookup that aren't fully qualified. The connection-specific DNS suffix is being appended to your nslookup query because your nslookup query isn't fully qualified. Nslookup uses its own DNS client resolver but does use the DNS search suffixes that are configured for the computer. The Windows DNS client resolver doesn't suffer from this behavior, so you really don't need to change anything in the DNS client settings. What you've done by adding a dot (.) as a DNS suffix is not an appropriate corrective action and is likely to cause DNS name resolution problems for the operating system and applications. Have a read here:

http://blogs.msmvps.com/acefekay/2013/02/17/nslookup-suffixing-behavior

  • Well how can I disable the behavior, or change the suffix? I am unable to join my domain because that suffix is added to the DC name and then it just times out. – blizz Nov 03 '15 at 06:51
  • That's a different problem and it isn't related to the behavior of nslookup. Why don't you post a new question about your AD domain join problem. I suspect it's a simple configuration issue. Do you have a running DC? Is the DNS server role installed on the DC? Is the DNS client on client machine configured to use the DC/DNS server for DNS? These are all questions we can investigate in a new question. Let's not muddy this nslookup question with domain join problems. – joeqwerty Nov 03 '15 at 06:54
  • Also, see my answer here regarding the name resolution behavior of Windows computers when joining a domain. It may help you to understand your domain join problem. At the end of the day, the connection specific DNS suffix assigned to your Azure VM isn't going to prevent you from joining it to an AD domain. - http://serverfault.com/questions/717689/cannot-join-client-to-domain-non-virtual-dns-issue/717914#717914 – joeqwerty Nov 03 '15 at 07:01

Fixed it by forcing it to append a dot '.' as a DNS suffix. Unfortunately this is a hassle to apply on each VM so I'm still waiting for other answers before accepting my own.



Are you setting up your vnet to use your DC as a DNS server? That's what allows you to find your DC.

Also, are you specifying the full domain name of your domain when doing the domain join, and does your domain have at least two labels? As long as your domain name is at least two labels long (e.g. something.local), the suffix shouldn't be appended during domain join or any normal DNS lookup. As previously mentioned, nslookup has its own logic.

We're working on a change to not provide the Azure internal suffix when you use your own DNS server but provided your domain name has two labels the suffix should be ignored even now.

Gareth.

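An added example, not from any of the posters above, that checks the two points the answers make: which connection-specific suffix each adapter carries (what ipconfig showed), and how the Windows DNS client and nslookup treat the same unqualified name versus the trailing-dot form. It assumes a Windows 2012 R2 or later VM with the DnsClient module available; the server address and query name default to the ones in the question, and Get-CandidateNames is a helper written here that only models the search order seen in the d2 trace.

```powershell
# Added example (not the thread's own code). Assumes Windows 2012 R2+ with the
# DnsClient module; $Name and $DnsServer default to the values in the question.
param(
    [string]$Name      = 'cnn.com',
    [string]$DnsServer = '10.51.5.4'
)

# 1. Which adapters carry a connection-specific suffix (the Azure cloudapp.net one)?
Get-DnsClient |
    Where-Object { $_.ConnectionSpecificSuffix } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# 2. Windows DNS client resolver: per the answers, a two-label name is sent as-is,
#    so no suffix is appended and there is no timeout.
Resolve-DnsName -Name $Name -Type A -Server $DnsServer -DnsOnly |
    Select-Object Name, Type, IPAddress

# 3. nslookup: the unqualified form gets the suffix appended first (the timeouts in
#    the question); the trailing dot makes the name absolute and skips the suffix.
nslookup -type=A "$Name" $DnsServer
nslookup -type=A "$Name." $DnsServer

# 4. Helper (written for this example): list the names nslookup would try, in order,
#    so the appended suffix is visible before any query leaves the box.
function Get-CandidateNames {
    param([string]$QueryName, [string[]]$Suffixes)
    if ($QueryName.EndsWith('.')) { return @($QueryName) }     # absolute: one try only
    $withSuffix = foreach ($s in $Suffixes) { "$QueryName.$s." } # suffixed forms first
    return $withSuffix + "$QueryName."                           # bare name tried last
}
$suffixes = (Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }).ConnectionSpecificSuffix |
    Select-Object -Unique
Get-CandidateNames -QueryName $Name  -Suffixes $suffixes
Get-CandidateNames -QueryName "$Name." -Suffixes $suffixes
```

Run it from an elevated PowerShell prompt on the querying VM; step 2 succeeding while the first nslookup in step 3 times out is the behaviour joeqwerty describes, without changing any DNS client setting.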