Difference between PING and NSLOOKUP in combination with wildcard DNS records

The estimated reading time 2 minutes

Difference between PING and NSLOOKUP in combination with wildcard DNS records

hi everyone,

if you found this site, probably you are wondering about the special behaviour of nslookup and ping. Our customer found out that in his environment he pinged some websites in the internet everything works. If he gives the same website to NSLOOKUP a complete different ip address is returned. He had no problems reaching websites internal and external.

It turned out, that only NSLOOKUP returns false ipaddress, powershell and dns cache were fine.

Nevertheless I felt some discomfort and gave a search on this “strange” behavior.

The internal domainname is internal.customer.com

No other Forward Lookupzones are defined.

Outside the customer also can be reached with customer.com, so everything is bestpractices.

After some time of searching on DC and checking parameters I saw the external domain containing a wildcard dns record (see link ).

So the fog gives away on this “issue”. Wildcard DNS record means *.customer.com will be redirected to the website of the customer.

blabla.customer.com will be transfered to the website also.

NSLOOKUP works slightly different than other dns resolution processes, but what does it?

The focus on NSLOOKUP is NOT to resolve FQDNs, in other words NSLOOKUP appends the primary DNS suffix to every expression (also to FQDNs).

I sniffed the behavior and it looks like shown in the following screenshot:

nslookup www.it-koehler.com

In CMD no error is shown and you can not see what NSLOOKUP does in the background. In reality it resolves www.it-koehler.com.it-koehler.com which does not exist on my external domain.

Now it was also clear why I found this “strange” behavior on customers side.

*.customer is the answer to any question of NSLOOKUP .

Ping or other dns queries know the TLD and resolves the right ipaddress.

ping blog.it-koehler.com

There is one way to tell nslookup where the TLD ends and this is very simple. Just put a Dot at the end of the FQDN.

nslookup blog.it-koehler.com.


As DNS Sniffer I used DNSQerySniffer .

Hope this articel helps to understand NSLOOKUP.

Remember, for troubleshooting issues you should not use nslookup anymore, please use powershell with the cmdlet Resolve-DnsName

Link: https://docs.microsoft.com/en-us/powershell/module/dnsclient/resolve-dnsname?view=winserver2012r2-ps

Have fun.

Print Friendly, PDF & Email
Was this article helpful?
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments