Nslookup suffixing behavior

By Ace Fekay, MCT, MVP, MCSE 2012/Cloud, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & 2010, Exchange 2010 Enterprise Administrator, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original compilation: 2/17/2013

 

Prologue

Many IT folks who are not familiar with nslookup’s suffixing behavior may, in some cases, believe they are seeing a DNS issue. Nope, it’s not a DNS issue; rather, it’s a combination of nslookup’s suffixing behavior, which DNS server nslookup is using, Forwarders (if configured), and the operating system’s Search Suffixes.

 

NSLOOKUP and requiring a trailing dot

Keep in mind that nslookup has its own built-in resolver, which is totally *independent* of the operating system’s client side resolver algorithm (although it will use the machine’s suffixes to devolve names), so it will behave differently than if you were to, say, ping a host by single name.

When using nslookup to query a fully qualified name (an FQDN) instead of a single name, you must supply a trailing dot with the query.

If not, it will append the current context, that is, the suffix(es) configured on the machine, appending each one in the order they are configured.
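A simplified model of the suffixing just described, added here as an example; it is not nslookup’s own logic and not code from the original article. The search list, the zone contents, and the assumption that the name is tried as typed once every suffix has failed are constructed for illustration.

```python
# Simplified model of nslookup's suffixing (illustrative, not nslookup's code).
# Assumption: once every suffix has failed, the name is tried as typed.

def query_sequence(name, search_list):
    """Return the FQDNs that would be queried, in order."""
    if name.endswith("."):
        return [name]                      # trailing dot: query exactly this name
    candidates = [f"{name}.{suffix}." for suffix in search_list]
    candidates.append(name + ".")          # assumed last resort: name as typed
    return candidates

def lookup(name, search_list, zone):
    """Walk the sequence against `zone`.

    Returns (answering FQDN, address, list of queries sent)."""
    sent = []
    for fqdn in query_sequence(name, search_list):
        sent.append(fqdn)
        if fqdn.lower() in zone:
            return fqdn, zone[fqdn.lower()], sent
    return None, None, sent

# Constructed sample data: the machine's search suffixes, in configured order,
# and the records the queried DNS server can answer.
SEARCH_LIST = ["corp.example.com", "example.com"]
ZONE = {
    "www.corp.example.com.": "10.0.0.10",
    "www.example.org.": "192.0.2.80",
}

if __name__ == "__main__":
    for q in ("www", "www.example.org", "www.example.org."):
        answered, addr, sent = lookup(q, SEARCH_LIST, ZONE)
        print(f"{q!r}: answered by {answered} ({addr}) after {len(sent)} queries")
        for fqdn in sent:
            print("   ", fqdn)
```

Without the trailing dot, the two suffixed names are sent to the DNS server (and on to any Forwarders) before the intended name is asked for, which is why suffixed names show up in debug output and DNS logs.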

If you want to use a better tool for nameserver queries, I suggest using DIG. DIG is downloadable as part of ISC’s BIND DNS server. You can download BIND for free from https://www.isc.org/wordpress/. Expand the files into a folder, and the tools will be available for use. No, this doesn’t mean you have to install the BIND DNS server service; I’m just suggesting that you download and use the utilities in the folder. As a matter of fact, BIND also has its own version of nslookup that some say works better than Microsoft’s nslookup, but I haven’t found that to be true. I’ve found DIG very beneficial when trying to troubleshoot DNS issues.

Additional nslookup information

Here are some links explaining nslookup’s behavior. The first one is a doc that explains more of this in greater detail. This doc actually was compiled from KB200525, the second link, which is also mentioned in the Microsoft Official Curriculum Course# 688, “Using TCP/IP,” Courseware.

Using NSlookup (File Format: Microsoft Word) – “Nslookup will always devolve the name from the current context. If you fail to fully qualify a name query (that is, use trailing dot), the query will be …”
http://mcse.villanova.edu/Courses/688/documents/Using%20NSlookup.doc

Using NSlookup.exe
http://support.microsoft.com/?id=200525

Nslookup, Sep 28, 2007 … This applies when the set and the lookup request contain at least one period, but do not end with a trailing period. Nslookup /set srchlist …
http://technet.microsoft.com/en-us/library/cc725991(WS.10).aspx

As the last link suggests, you can run nslookup with the /set srchlist, such as nslookup /set srchlist, to set your own search list, which replaces the default search suffixes that nslookup grabs from the operating system’s Search Suffixes. You can also set it in interactive mode as follows, leaving it blank to remove any search suffixes it’s pulling from the machine:

nslookup
> set srchlist

 

Will removing the Primary DNS Suffix affect AD functionality?

Yes and no. Yes, if you remove the Primary DNS Suffix, which the default search list comes from and which the machine uses in such cases as DirectSMB connectivity, among other things. And no, nslookup’s requirement of a trailing dot doesn’t affect or indicate any issues with AD; it’s just an nslookup thing.

 

In summary:

No, it’s not something that’s saying there is a DNS problem. To determine if you have a DNS problem, I suggest using nslookup to query FQDNs with a trailing dot, or better, download and use DIG.

Further, you will need to use the trailing dot (a period) unless you remove the search suffix. You can also remove the suffix from the machine, and it will work without a trailing dot. But the search suffix is derived from the Primary DNS Suffix, which is set by the domain it’s joined to. You can remove it in the registry and not touch the Primary DNS Suffix.

You can also uncheck the computer’s client side resolver behavior, as shown in this screenshot (https://utgkjq.sn2.livefilestore.com/y1ppjK9K5o-JVAQJqWMjf9NSpoI9kTGnkjX_q5PGS3whQEFD-TPNXHMC0PU8rKjKt3AKPD5kuN0k9MyqK2I2sXd0mD2DSiTFiF0/DNS%20-%20Stop%20Suffix%20from%20Appending.jpg?psid=1).

 

Additional links to read on this subject:

Thread: “Weird NSLOOKUP results” 6/10/2010
http://social.technet.microsoft.com/Forums/sk/winserverNIS/thread/8f29df1a-46dc-4b3b-946c-528b10f7223e

Windows Appending Domain Suffix To All Lookups
http://serverfault.com/questions/74067/windows-appending-domain-suffix-to-all-lookups

Thread: “DNS server strange behavior” 2/9/2013
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e3c9bc21-5037-4974-9329-fb86cf670494/

It’s just something to keep in mind when using nslookup.

I hope you find this info helpful.

Ace Fekay

Comments, corrections and suggestions are welcomed.