[Vpn-help] DNS suffix search list

Matthew Grooms mgrooms at shrew.net
Tue Jan 15 02:37:54 CST 2008


Tai-hwa Liang wrote:
> 
>   I'm using 2.1.0-alpha5.  It turns out that if I have a manually specified
> DNS search suffix which is different from the one specified by the VPN
> gateway, I'll have to use the FQDN to reach the server. For example,
> 
>     Manually specified suffix: example.com
>     Connection-specific DNS Suffix(VPN adapter): vpn.net
> 
>     C:\> ping srv1
>     Ping request could not find host srv1. Please check the name and try again.
> 
>     If I remove example.com from the DNS suffixes listing:
> 
>     C:\> ping srv1
>     Pinging srv1.vpn.net [192.168.0.1] with 32 bytes of data:
> 
>     Reply from 192.168.0.1: bytes=32 time=253ms TTL=31
>     Reply from 192.168.0.1: bytes=32 time=109ms TTL=31
>     Reply from 192.168.0.1: bytes=32 time=46ms TTL=31
>     Reply from 192.168.0.1: bytes=32 time=58ms TTL=31
> 
>   'net stop/start dnscache' wouldn't help in this case unless I remove
> all manually specified DNS appending suffixes.
> 

Tai-hwa,

Thanks for the input! This is very consistent with my findings. I can 
think of a few ways to work around this but it looks like the behavior 
is by design. The only information I could find that describes how the 
Microsoft DNS resolver system works claims to be Windows 2000 specific. 
I doubt Windows XP is much different in this respect.

http://technet.microsoft.com/en-us/library/bb742582.aspx

The following section agrees with the behavior we are seeing ...

Unqualified Single-Label Query

A name containing no dots is called an Unqualified Single-Label name, 
for example ntserver.

If such a name needs to be resolved it must be fully-qualified using 
some suffix before being placed on the wire. The list of suffixes to try 
can come from two places:

     * Global suffix search order, and
     * Primary and per-adapter domain names.

If a suffix search order is predefined, then it is used. If it is not 
defined then the Primary and per-adapter domain names are used.

... I find the way a user would configure the global suffix search list 
quite strange as it's done under the adapter's TCP/IP binding properties. 
This would lead me to believe it is specific to the adapter. It doesn't 
say global anywhere that I can see :/

In any case, I am very interested to hear how many of these DNS related 
issues are resolved by removing any global suffix search order settings.

Thanks,

-Matthew
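
The following is an added example, not part of the original message or of the Shrew Soft client: a simplified Python model of the suffix selection rule quoted above, run on the names and address from this thread. The function names and the `ZONE` table are hypothetical, and the model ignores caching, devolution and multi-label handling.

```python
# Simplified model of the quoted rule: a predefined global suffix search
# order replaces the primary and per-adapter domain names entirely.

def effective_suffixes(global_search_list, primary_suffix, adapter_suffixes):
    """Suffixes the resolver will append, in order."""
    if global_search_list:
        source = list(global_search_list)
    else:
        source = ([primary_suffix] if primary_suffix else []) + list(adapter_suffixes)
    ordered = []
    for suffix in source:
        suffix = suffix.strip(".").lower()
        if suffix and suffix not in ordered:
            ordered.append(suffix)
    return ordered

def candidate_fqdns(name, global_search_list, primary_suffix, adapter_suffixes):
    """Names placed on the wire for a lookup of `name`."""
    if "." in name:
        # The quoted rule covers single-label names only; pass others through.
        return [name.lower()]
    suffixes = effective_suffixes(global_search_list, primary_suffix, adapter_suffixes)
    return [f"{name.lower()}.{s}" for s in suffixes]

def shadowed_suffixes(global_search_list, primary_suffix, adapter_suffixes):
    """Primary/per-adapter suffixes that are never tried because a global list is set."""
    if not global_search_list:
        return []
    used = effective_suffixes(global_search_list, primary_suffix, adapter_suffixes)
    configured = effective_suffixes([], primary_suffix, adapter_suffixes)
    return [s for s in configured if s not in used]

# Constructed zone data standing in for the DNS server behind the VPN.
ZONE = {"srv1.vpn.net": "192.168.0.1"}

def resolve(name, global_search_list, primary_suffix, adapter_suffixes, zone=ZONE):
    """Return (fqdn, address) for the first candidate found, else None."""
    for fqdn in candidate_fqdns(name, global_search_list, primary_suffix, adapter_suffixes):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None

if __name__ == "__main__":
    # Manually specified suffix example.com; VPN adapter suffix vpn.net.
    print(resolve("srv1", ["example.com"], None, ["vpn.net"]))
    print(shadowed_suffixes(["example.com"], None, ["vpn.net"]))
    # Global list removed: the per-adapter suffix is used again.
    print(resolve("srv1", [], None, ["vpn.net"]))
```
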


