DNS Client Name Resolution behavior in Windows Vista vs. Windows XP

In Windows, the DNS Client service is the client component that resolves and caches Domain Name System (DNS) domain names. When the DNS Client service receives a request to resolve a DNS name that is not in its cache, it queries an assigned DNS server for an IP address for the name. All computers that use DNS to resolve domain names (including DNS servers and domain controllers) use the DNS Client service for this purpose.

To extend or revise the DNS search behavior, Windows provides a DNS domain suffix search list. By adding suffixes to the list you can search for short, unqualified computer names in more than one specified DNS domain. If a DNS query fails, the DNS Client service can use this list to append other name suffix endings to your original name and repeat the DNS query to the DNS server for each of these alternate FQDNs (fully qualified domain names).

When the suffix search list is empty or unspecified, the primary DNS suffix of the computer is appended to short unqualified names and a DNS query is used to resolve the resulting FQDN. If no connection-specific suffixes are configured, or queries for these connection-specific FQDNs fail, the client can then retry queries based on systematic reduction of the primary suffix (also known as devolution). For example, if the primary suffix were "ad.contoso.corp", the devolution process would retry the query for the short name by searching for it in "contoso.corp".

When the suffix search list is not empty and has at least one DNS suffix specified, attempts to qualify and resolve short DNS names are limited to the FQDNs that can be formed from the suffixes in that list.

The default behavior for DNS queries of unqualified multi-label names changed between Windows XP and Windows Vista. The change is as follows:

Windows XP:
When a Windows XP machine attempts to resolve an unqualified multi-label name, the DNS client will attempt to resolve the name as specified, then will append the domains that are listed in the DNS suffix search order.

Windows Vista:
When a Windows Vista machine attempts to resolve an unqualified multi-label name, the DNS client will attempt to resolve the name as specified. The DNS suffix search order will NOT be used.

Example:

Suppose the DNS suffix search list of the machine is configured as follows:

Ad.Contoso.corp

Contoso.corp

From a command prompt, ping the hostname of a machine using the following unqualified multi-label syntax:

<hostname>.site1

XP will attempt to resolve:

1. <hostname>.site1
2. <hostname>.site1.ad.contoso.corp
3. <hostname>.site1.contoso.corp

When viewed in a network capture:

192.168.1.1 192.168.1.5 DNS Query for hostname.site1 of type Host Addr on class Internet
192.168.1.5 192.168.1.1 DNS Response - Name Error 
192.168.1.1 65.52.16.29 DNS Query for hostname.site1.ad.contoso.corp of type Host Addr on class Internet
192.168.1.5 192.168.1.1 DNS Response - Name Error 
192.168.1.1 65.52.16.29 DNS Query for hostname.site1.contoso.corp of type Host Addr on class Internet
192.168.1.5 192.168.1.1 DNS Response - Name Error

Vista will attempt to resolve:

1. <hostname>.site1

Vista does not attempt name resolution any further.

When viewed in a network capture:

192.168.1.1 192.168.1.5 DNS Query for hostname.site1 of type Host Addr on class Internet
192.168.1.5 192.168.1.1 DNS Response - Name Error

How to control this behavior

This registry entry works for both Windows XP and Windows Vista:

HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName

Type = DWORD

Data:

  • 0 (Do not Append Suffix)
  • 1 (Append suffix)

If the registry entry is not present, the default in Windows XP is 1, and 0 in Windows Vista.
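The following Python model ties together the two behaviors described above: the suffix handling for short and multi-label names (including devolution when the search list is empty) and the way the AppendToMultiLabelName value, or the per-OS default when the entry is absent, decides whether a multi-label name gets the suffix list appended. It is an added example written for this page, not code from the original post or from Microsoft; the two-label floor for devolution and the `os_name` strings "xp" and "vista" are assumptions of the example, and the sample names are the ones used in the post.

```python
"""Model of the Windows DNS Client suffix-appending rules described in the post.

Added example (not Microsoft's code). It reproduces only what the text states:
  * single-label names get the suffix search list, or the primary suffix and
    its devolved forms when the list is empty;
  * unqualified multi-label names are always tried as specified first, and get
    the suffix list appended only when AppendToMultiLabelName is 1;
  * when the registry entry is absent, the default is 1 on XP and 0 on Vista.
"""
from typing import List, Optional

# Default for HKLM\Software\Policies\Microsoft\Windows NT\DNSClient\AppendToMultiLabelName
# when the entry is not present (values taken from the post).
OS_DEFAULT_APPEND_MULTILABEL = {"xp": 1, "vista": 0}


def effective_append_to_multilabel(os_name: str, registry_value: Optional[int] = None) -> int:
    """Return the effective AppendToMultiLabelName setting (0 or 1).

    registry_value is the DWORD read from the registry, or None when the entry
    is not present, in which case the OS default applies.
    """
    if registry_value is None:
        return OS_DEFAULT_APPEND_MULTILABEL[os_name.lower()]
    if registry_value not in (0, 1):
        raise ValueError("AppendToMultiLabelName must be 0 or 1")
    return registry_value


def devolution_suffixes(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """Primary suffix followed by its systematically reduced forms.

    'ad.contoso.corp' -> ['ad.contoso.corp', 'contoso.corp'].  Stopping at two
    labels is an assumption of this example; the post states no limit.
    """
    labels = primary_suffix.strip(".").lower().split(".")
    suffixes = []
    while len(labels) >= min_labels:
        suffixes.append(".".join(labels))
        labels = labels[1:]  # drop the leftmost label and try again
    return suffixes


def candidate_fqdns(name: str, search_list: List[str], primary_suffix: str,
                    append_to_multilabel: int) -> List[str]:
    """Names the DNS Client will query, in order, for an unqualified name."""
    name = name.strip(".").lower()
    # A non-empty search list governs; otherwise primary suffix plus devolution.
    if search_list:
        suffixes = [s.strip(".").lower() for s in search_list]
    else:
        suffixes = devolution_suffixes(primary_suffix)

    if "." in name:  # multi-label name
        candidates = [name]  # always tried as specified first (XP and Vista)
        if append_to_multilabel == 1:
            candidates += [f"{name}.{s}" for s in suffixes]
        return candidates
    # single-label name: never tried bare, suffixes are always appended
    return [f"{name}.{s}" for s in suffixes]


if __name__ == "__main__":
    search = ["Ad.Contoso.corp", "Contoso.corp"]  # the post's suffix search list
    for os_name in ("xp", "vista"):
        setting = effective_append_to_multilabel(os_name)  # registry entry absent
        print(os_name, setting, candidate_fqdns("hostname.site1", search, "ad.contoso.corp", setting))
```

With the entry absent, the XP run yields the three queries seen in the first capture and the Vista run yields only the bare `hostname.site1` query; passing `registry_value=1` for Vista restores the XP list, which is exactly what the registry entry or the Group Policy setting below does.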

This registry change and its effect apply to the ping command; they do not apply to the Nslookup tool. This is because Nslookup contains its own DNS resolver and does not rely on the resolver built into the operating system (the DNS Client service). The multi-label DNS query packets sent by Nslookup append the domains listed in the suffix search order regardless of the registry setting described here.

Group Policy location (Windows Vista only; run gpedit.msc):

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> “Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries”

Note: As with other Group Policy settings, if you change the registry value and a GPO is also configured for this setting, the GPO overrides the registry value.

– Sneh Shah with additional information from Kapil Thacker