In this post I want to show what impact the DNS primary suffix and the DNS suffix search list had on the DNS name resolution.




Introduction

To show this, and because I will use a Windows Server 2022 for it, I first need to disable some alternative name resolution methods that Windows Server 2022 uses alongside DNS: mDNS, Link-Local Multicast Name Resolution (LLMNR) and NetBIOS over TCP/IP (NBT).

More about multicast DNS (mDNS), which was not natively supported on Windows before Windows 10 1703 and Windows Server 2019, you will find in my following post.



To show exactly what the difference between the DNS primary suffix and the DNS suffix search list is, I will use, as mentioned, a Windows Server 2022 that is not yet domain joined and just has the hostname W2K22-Testing-VM01, as shown below.


This Windows Server is placed in my lab network, which uses the matrixpost-lab.net Active Directory domain, but as mentioned it is not domain joined so far.

What happens now when I send an ICMP Echo Request message (ping) to another computer in this lab network and the same subnet, using just its hostname (not the FQDN)?

Below I ping the computer with the hostname Matrix-Veeam. The hostname couldn't be resolved into an IP address by using DNS, although the W2K22-Testing-VM01 server already has the correct DNS server assigned.

!! Note !!
As mentioned, we first need to disable some alternative name resolution methods that Windows Server 2022 uses in addition to DNS.


The reason the hostname couldn't be resolved into its IP address here is that DNS servers only resolve so-called fully qualified domain names (FQDNs). An FQDN consists of at least three names (labels) which, read from right to left, are the top-level domain (like .com), the domain name (like google.com), optional subdomains and finally the hostname (like host1.google.com). The hostname label, in the case of distinct services, departments or sections of a website, is also called a subdomain.

For the sake of completeness, one point is missing from the FQDN that is also important to mention: the first starting point from the right is actually not the top-level domain but the root label (zone), which usually remains hidden and is the trailing dot. This is the root of the DNS hierarchy, under which all top-level domains are registered.

So the FQDN actually looks, for instance, like: www.example.com.
The trailing dot is the root of the hierarchy.




Configure a primary DNS Suffix

In order for name resolution by DNS to work here, we either need to set a primary DNS suffix on the computer that should be able to resolve names by DNS, or we need to configure the DNS suffix search list.

I will first set a primary DNS suffix to show what happens then when trying to resolve hostnames by using DNS.

Open the advanced system settings on the computer that should be able to resolve hostnames.


Click on Change within the Computer Name tab and then on the More … button. Here we can enter a primary DNS suffix for the computer.


I will enter here the Active Directory domain of my lab network and environment, matrixpost-lab.net.


To apply the suffix we also need to restart the computer.


After a restart we can see that the primary DNS suffix was also added to the DNS suffix search list of the computer.


The reason for this is the following setting on its network adapter (NIC).

Append primary and connection specific DNS suffixes.
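The same primary suffix can be set and inspected from PowerShell instead of the Computer Name dialog. The following is an added example, not code from the original post; it assumes an elevated PowerShell on the non-domain-joined W2K22-Testing-VM01 and uses the registry value behind the dialog, "NV Domain" under the Tcpip parameters, which Windows copies into the active "Domain" value at the next boot.

```powershell
# Added example: set the primary DNS suffix and show how it feeds the suffix search list.
# Assumption: elevated PowerShell on W2K22-Testing-VM01 (not domain joined).

$TcpipParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$PrimarySuffix = 'matrixpost-lab.net'

# "NV Domain" is what the Computer Name > Change > More... dialog writes. It becomes the
# active primary suffix ("Domain") after the reboot, exactly like the GUI path in the post.
Set-ItemProperty -Path $TcpipParams -Name 'NV Domain' -Value $PrimarySuffix

function Get-SuffixState {
    # Active primary suffix (filled in from "NV Domain" at boot; empty before the reboot).
    $active = (Get-ItemProperty -Path $TcpipParams -Name 'Domain' -ErrorAction SilentlyContinue).Domain

    # Per-adapter flag behind "Append primary and connection specific DNS suffixes":
    # UseSuffixWhenResolving = True means single-label names get the primary suffix appended.
    $adapters = Get-DnsClient |
        Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenResolving

    # The explicitly configured search list. While it is empty, the resolver derives the
    # list from the primary suffix, which is what ipconfig /all shows as
    # "DNS Suffix Search List" after the restart.
    $global = Get-DnsClientGlobalSetting |
        Select-Object SuffixSearchList, UseSuffixSearchList, UseDevolution

    [pscustomobject]@{
        PendingPrimarySuffix = (Get-ItemProperty -Path $TcpipParams -Name 'NV Domain').'NV Domain'
        ActivePrimarySuffix  = $active
        Adapters             = $adapters
        GlobalSetting        = $global
    }
}

Get-SuffixState | Format-List

# Single-label query after the reboot: the resolver appends the primary suffix itself.
# -DnsOnly skips LLMNR and NetBIOS, which is the same effect the post achieves by
# disabling them, so a failure here is a genuine DNS failure.
Resolve-DnsName -Name 'Matrix-Veeam' -Type A -DnsOnly
```

Run it once before and once after the reboot: ActivePrimarySuffix is empty in the first run and equals the pending value in the second, which is the point at which the ping in the next section starts to succeed.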



Using Wireshark to see the Impact of a configured primary DNS Suffix

So what happens under the hood now when trying to ping the Matrix-Veeam computer again? Now it works, and the computer can resolve the hostname of the Matrix-Veeam host into its IP address.


The reason it now works is that we configured the primary DNS suffix on the computer that tries to resolve the hostname (Matrix-Veeam) into its IP address.

By default, the computer that tries to resolve the hostname into its IP address will now always append this suffix to the hostname and try to resolve the resulting FQDN.

Finally, this works because on the DNS server this primary DNS suffix is configured as a DNS zone that includes an A record for the Matrix-Veeam host, as shown below.


!! Note !!
For domain joined computers the domain is configured as the primary DNS suffix by default, and DNS name resolution works out of the box.




Configure the DNS Suffix Search List

As shown, when using the default settings the primary DNS suffix is added to the DNS suffix search list by default. We can also append further DNS suffixes to this DNS suffix search list, as shown below, and we can set them in a specific order.

What this order actually means you can probably already imagine, but I will show it by using Wireshark to capture the network traffic when sending further ICMP echo request messages (pings) to our Matrix-Veeam host.

So I also added two more DNS suffixes, matrixpost.de and matrixpost.net, and moved the already existing primary DNS suffix matrixpost-lab.net to the end of the list.

By executing the ipconfig /all command we can also see our added DNS suffixes and their order.




Using Wireshark to see the Impact of a configured DNS Suffix Search List

When I now send some ICMP echo request messages (pings) to our Matrix-Veeam host again, we can see that our W2K22-Testing-VM01 server first tries to resolve the hostname by appending the first DNS suffix, matrixpost.de, and then the second, matrixpost.net; neither could be resolved successfully into an IP address.

Finally, our last configured DNS suffix, matrixpost-lab.net, works as before, of course, because a corresponding DNS zone is configured on the DNS server that includes an A record for this FQDN.
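The order the capture shows can also be reproduced without Wireshark by walking the search list the way the resolver does and querying each candidate FQDN explicitly. This is an added example, not code from the original post; it assumes an elevated PowerShell on W2K22-Testing-VM01, the three suffixes and the Matrix-Veeam hostname from the post, and the Resolve-WithSearchList function name is mine.

```powershell
# Added example: configure the ordered suffix search list and show which candidate
# FQDN each step produces, mirroring the three queries seen in the capture.
# Assumption: elevated PowerShell on W2K22-Testing-VM01.

$SearchList = @('matrixpost.de', 'matrixpost.net', 'matrixpost-lab.net')

# Once a search list is configured explicitly, only the suffixes in it are tried, so the
# primary suffix has to be part of the list (here deliberately last, as in the post).
Set-DnsClientGlobalSetting -SuffixSearchList $SearchList

function Resolve-WithSearchList {
    param(
        [Parameter(Mandatory)] [string]   $HostName,
        [string[]] $Suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
    )
    foreach ($suffix in $Suffixes) {
        # Trailing dot = the root label from the FQDN section: it marks the name as fully
        # qualified, so Resolve-DnsName queries exactly this candidate and appends nothing.
        $candidate = "$HostName.$suffix."

        # -DnsOnly: no LLMNR/NetBIOS fallback, so a miss is a real DNS miss
        # (the NXDOMAIN answers the capture shows for the first two suffixes).
        $answer = Resolve-DnsName -Name $candidate -Type A -DnsOnly -ErrorAction SilentlyContinue

        if ($answer) {
            [pscustomobject]@{ Candidate = $candidate; Result = ($answer.IPAddress -join ', ') }
            return   # the resolver stops at the first candidate that resolves
        }
        [pscustomobject]@{ Candidate = $candidate; Result = 'no A record' }
    }
}

Resolve-WithSearchList -HostName 'Matrix-Veeam'
```

With the list above the function reports two misses followed by the Matrix-Veeam.matrixpost-lab.net. hit; reorder $SearchList and the number of wasted queries before the hit changes accordingly, which is the cost of putting the most likely suffix last.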




Disable Name Resolution on Windows

To show what impact the DNS primary suffix and the DNS suffix search list have on DNS name resolution, I first have to disable some alternative name resolution methods: mDNS (since Windows Server 2019), Link-Local Multicast Name Resolution (LLMNR) and NetBIOS over TCP/IP.

In the end my W2K22-Testing-VM01 server shouldn't be able to resolve hostnames by any method other than DNS.

After disabling all three other methods as shown below, the computer isn't able to resolve the Matrix-Veeam host, which is located in the same subnet. You will also see below that mDNS was disabled successfully, because no process is listening on UDP port 5353.

As mentioned further above, there can be multiple mDNS resolvers running on the system at the same time, for example when you have opened Chromium-based browsers (Chrome, Edge, etc.), which have their own mDNS resolver that is not disabled by the registry setting below. So when you have a Chromium-based browser open you will nevertheless see a UDP port 5353 socket.




Disable mDNS in Windows

Open the registry, navigate to the following Parameters key and add a new DWORD (32-bit) value named EnableMDNS; leave the value at 0 to disable mDNS.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters







Disable Link-Local Multicast Name Resolution (LLMNR)

Open the Local Group Policy Editor and navigate to:

Computer Configuration -> Administrative Templates -> Network -> DNS Client and enable Turn off multicast name resolution.






Disable NetBIOS over TCP/IP (NBT) Name Resolution Broadcasts

To disable NetBIOS over TCP/IP (NBT), open the properties of the network adapter (NIC) as shown below. Navigate to the advanced settings and the WINS tab. Select Disable NetBIOS over TCP/IP.
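The three disable steps above (mDNS, LLMNR, NetBIOS over TCP/IP) can also be applied in one go from PowerShell, together with the UDP 5353 check mentioned earlier. This is an added example, not code from the original post; it assumes an elevated PowerShell on Windows Server 2022, uses the EnableMDNS value from the post, the EnableMulticast policy value that the "Turn off multicast name resolution" Group Policy setting writes, and the SetTcpipNetbios WMI method that corresponds to the WINS tab option. The Get-MdnsListeners function name is mine.

```powershell
# Added example: disable the three non-DNS name resolution methods and verify UDP 5353.
# Assumption: elevated PowerShell on Windows Server 2022; all three settings take
# effect after a reboot.

# 1. mDNS: EnableMDNS = 0 under the Dnscache parameters (the key from the post).
$Dnscache = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $Dnscache -Name 'EnableMDNS' -PropertyType DWord -Value 0 -Force | Out-Null

# 2. LLMNR: registry value behind the Group Policy setting
#    Computer Configuration > Administrative Templates > Network > DNS Client >
#    "Turn off multicast name resolution" (Enabled).
$DnsClientPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if (-not (Test-Path $DnsClientPolicy)) { New-Item -Path $DnsClientPolicy -Force | Out-Null }
New-ItemProperty -Path $DnsClientPolicy -Name 'EnableMulticast' -PropertyType DWord -Value 0 -Force | Out-Null

# 3. NetBIOS over TCP/IP: same as "Disable NetBIOS over TCP/IP" on the WINS tab, applied
#    to every IP-enabled adapter. TcpipNetbiosOptions: 0 = from DHCP, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
            -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null
    }

# Verification after the reboot: which processes still own a UDP 5353 socket.
# Expected: nothing. A Chromium-based browser (Chrome, Edge) ships its own mDNS
# responder and will still appear here even though the Windows resolver is off.
function Get-MdnsListeners {
    Get-NetUDPEndpoint -LocalPort 5353 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                OwningPid    = $_.OwningProcess
                Process      = $proc.ProcessName
            }
        }
}

Get-MdnsListeners
```

After the reboot, a ping to Matrix-Veeam by hostname alone should fail again until the primary suffix or the search list from the earlier sections is in place, and Get-MdnsListeners should return nothing unless a browser with its own responder is open.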

When NetBIOS over TCP/IP is enabled and used for name resolution, it looks like the capture below in Wireshark. You can filter here for nbns.

Display Filter Reference: NetBIOS Name Service
https://www.wireshark.org/docs/dfref/n/nbns.html

Below I first send a ping to the Matrix-Veeam host.


In Wireshark you will immediately see a name query to the broadcast address 192.168.2.255 using the NetBIOS over TCP/IP protocol, searching for the hostname Matrix-Veeam. For the name resolution below, both hosts use UDP port 137.

NetBIOS provides three distinct services:
Name service for name registration and resolution (ports: 137/udp and 137/tcp)
Datagram distribution service for connectionless communication (port: 138/udp)
Session service for connection-oriented communication (port: 139/tcp)

The query from my host W2K22-Testing-VM01.


The answer from the Matrix-Veeam host.





Links

How to configure a domain suffix search list on the Domain Name System clients
https://learn.microsoft.com/en-us/troubleshoot/windows-client/networking/configure-domain-suffix-search-list-domain-name-system-clients

What is mDNS?
https://techcommunity.microsoft.com/t5/networking-blog/mdns-in-the-enterprise/ba-p/3275777

Multicast DNS
https://en.wikipedia.org/wiki/Multicast_DNS

IP multicast
https://en.wikipedia.org/wiki/IP_multicast

Multicast address
https://en.wikipedia.org/wiki/Multicast_address

NetBIOS over TCP/IP
https://en.wikipedia.org/wiki/NetBIOS_over_TCP/IP

Fully qualified domain name (FQDN)
https://en.wikipedia.org/wiki/Fully_qualified_domain_name