Understanding DNS Suffix Resolution Analysis: A Deep Dive into Packet Analysis

Background: Understanding DNS Suffix Resolution

My understanding of the DNS protocol and its suffix resolution processes is quite limited. At present, I am familiar with its basic operational principles and can conduct fundamental analyses of DNS packets. In the near future, I intend to engage in a systematic study of the intricacies of the DNS protocol and document any issues I encounter through detailed packet analyses. This particular case centers on a specific problem related to DNS suffix resolution.

Problem Information: DNS Suffix Resolution Challenges

The problem was caused by performing an nslookup analysis on the office computer and capturing it with Wireshark. The information is as follows:

$ nslookup www.baidu.com
Server: UnKnown
Address: xx. xx. xx. xx<---- Company local DNS IP

DNS request timed out.
    timeout was 2 seconds.
Non authoritative response:
name:
Addresses:  180.101.49.12
          180.101.49.11
Aliases:  www.baidu.com

The packet trace file is as follows. The Client and LocalDNS interacted a total of 8 times (Query and Response correspondingly), including PTR, A, and AAAA resolution records.

Problem Analysis: Packet Examination in DNS Suffix Resolution

Data frame No.1-2

First, the client will make a PTR query request to the Local DNS server, and the query IP is the IP of the Local DNS server. The format uses a very specific format, such as IP 192.168.0.1, and the request name is 1.0.168.192.in-addr.arpa, which is the reverse IP address with .in-addr.arpa appended.

The PTR record is the reverse record of the A record, also known as the IP reverse lookup record or pointer record, which is responsible for resolving the IP reversely into a domain name.

After that, the Local DNS server responds to the query result as No such name. The result displayed in nslookup is Server: UnKnown. This is because the Local DNS server usually only uses the default normal search area, that is, it only uses the DNS server to resolve the domain name into an IP address. The above situation actually occurs because the DNS server has not created a reverse search area, and the DNS server cannot resolve the corresponding domain name according to its own IP address. It is also worth noting that this message will contain an AUTHORITY SECTION, which includes the SOA record of the primary domain name (such as 168.192.in-addr.arpa).

The following takes 114.114.114.114 PTR resolution as an example, specifies the DNS server as 8.8.8.8, and queries 114.114.114.114 as follows:

$ nslookup -qtype=ptr 114.114.114.114 8.8.8.8
Server: dns.Google
Address:  8.8.8.8

Non authoritative response:
114.114.114.114.in-addr.arpa    name = public1.114dns.com

$

First, the client will still make a PTR query request for IP 8.8.8.8 to the DNS server 8.8.8.8, and the query response domain name returned normally is dns.google. Then, it will make a PTR query request for IP 114.114.114.114 to the DNS server 8.8.8.8, and the query response domain name returned normally is http:// public1.114dns.com.

Data frame No.3-6

Before I captured the packet, I thought it was directly 

http://www. baidu.comThe A record and AAAA record request are then received, and then the relevant response is obtained. However, from the actual 

packet capture results, the process is not like this.

First, the client will make a No.3 A record query request to the Local DNS server, and the domain name to be queried is http://www.baidu.com.xx.xx.com.cn. The format is specific and will be found at http://www.baidu.com with the suffix http://xx.xx.com.cn added.

The suffix added here is http:// xx.xx.com.cn What is it? I checked a lot of information and found that it should be related to the domain used by the company, such as the domain http:// aa.bb.com.cn, through ipconfig/all, you can see that the primary DNS suffix is http://aa.bb.com.cn, and also includes the DNS suffix search list http:// aa.bb.com.cn, http://bb.com.cn and http:// com.cn.

The typical name resolution process uses the primary DNS suffix and any connection-specific DNS suffixes. If these suffixes do not work, the name resolution process will try to resolve the primary DNS suffix. When the domain suffix search list is configured on the client, only that list is used. The primary DNS suffix and any connection-specific DNS suffixes are not used, and the primary suffix is ​​not attempted to be resolved. The client has a DNS suffix 

search list (ipconfig /all can query the contents of this list), and when the domain name we query does not exist, DNS will add the DNS suffix to the address you queried and try to search again.

$ ipconfig/all

Windows IP configuration

Host Name: A123
Primary DNS suffix: aa.bb.com.cn
Node type...: blend
IP routing enabled...: no
WINS proxy enabled...: no
DNS suffix search list...: aa.bb.com.cn
bb.com.cn

$ nslookup -all
Default server: (null)

Setting options:
nodebug
defname
search
recurse
nod2
novc
noignoretc
port=53
type=A+AAAA
class=IN
timeout=2
retry=1
root=A.ROOT-SERVERS.NET.
domain=aa.bb.com.cn
MSxfr
IXFRversion=1
srchlist=aa.bb.com.cn/bb.com.cn/com.cn

Default server: UnKnown
Address:  xx.xx.xx.xx

>

Therefore, the client will first make a No.3 A record query request to the Local DNS server, and the queried domain name is http://www. baidu.com.aa.bb.com.cn, and then the Local DNS server responds to the query with the result No.4 No such name, and also contains an AUTHORITY SECTION containing the primary domain name (for example, http:// aa.bb.com.cn)’s SOA record.

**The client will then continue** **to query the No.5 AAAA record to the Local DNS server, and the domain name queried is** [http://www.baidu.com.aa.bb.com.cn](https://link.zhihu.com/?target=http%3A//www.baidu.com.aa.bb.com.cn), **and then the Local DNS server responds to the query with the result No.6 No such name,** which also contains an AUTHORITY SECTION with the primary domain name (for example, [http://aa.bb.com.cn](https://link.zhihu.com/?target=http%3A//aa.bb.com.cn))’s SOA record.

Data frame No.7-10

From the analysis of the above No.3-6 process, we know that the DNS query request will add a domain suffix search list, and the additional suffix http://aa.bb.com.cn. If there is no result, continue to add the suffix http://bb.com.cn. Try the request, the process remains the same.

**The client makes a No.7 A record query request to the Local DNS server, and the domain name queried is** http://www. baidu.com.bb.com.cn**, and then the Local DNS server responds to the query with the result No.8 No such name,** and also contains an AUTHORITY SECTION containing the primary domain name (for example, http:// bb.com.cn)’s SOA record.

**The client continues** **to query the No.9 AAAA record to the Local DNS server, and the domain name queried is [http://www. baidu.com.bb.com.cn](https://link.zhihu.com/?target=http%3A//www.baidu.com.bb.com.cn)**, **and then the Local DNS server responds with the query result No.10 No such name,** which also contains an AUTHORITY SECTION with the primary domain name (for example, [http:// bb.com.cn](https://link.zhihu.com/?target=http%3A//bb.com.cn)’s SOA record.

Data frames No.11 and No.18, No.12-13

Add the suffix http://bb.com.cn. If there is no result, continue to add the suffix http://com.cn. Try the request, the process remains the same.

There is a slight problem here. When the client makes a No.11 A record query request to the Local DNS server, the domain name queried is http://www. baidu.com.com.cnHowever, the Local DNS server response timed out for more than 2 seconds, so the DNS request timed out prompt was displayed during the nslookup execution process. The packet capture result showed that the Local DNS server did not return a response until the 18th data packet, and the query result was No.18 No such name.

$ nslookup www.baidu.com
...

DNS request timed out.        <----- DNS request timeout
    timeout was 2 seconds.

...

The client then continues to query the No.12 AAAA record to the Local DNS server, and the queried domain name is http://www. baidu.com.com.cn, and then the Local DNS server responded to the query with the result No.13 No such name.

Data frame No.14-17

The last data frame No.14-17 is the actual request to http://www.baidu.comThe A record and AAAA record request are not described in detail. The final request response result contains CNAME and A records.

$ nslookup www.baidu.com
...

Non authoritative response:
Name: www.a.shifen.com
Addresses:  180.101.49.12
180.101.49.11
Aliases:  www.baidu.com

Summary of the problem

As mentioned at the beginning, the test was conducted on a company office computer, which includes a domain-related environment, so the domain suffix search list was utilized. If the DNS query request is made by a single machine, there is no relevant content unless the relevant configuration is manually set, including the primary DNS suffix, any connection-specific DNS suffix, or suffix search list.