The "Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries" group policy was introduced in Windows Vista, and blocks the behaviour of child subdomains being tested against the domain suffix. For example:

`ping example` will check `example`, but also `example.mydnssuffix.local`. However, `ping example.tld` will check `example.tld`, but not `example.tld.mydnssuffix.local`.

Because this is disabled by default, I assume there are security implications involved in enabling this. Does anyone know what those security implications would be?

HopelessN00b
  • Closely related, the headaches that the new TLDs are causing on search suffix resolution: [DNS just started resolving my server.prod addresses to 127.0.53.53](http://serverfault.com/questions/626612/dns-just-started-resolving-my-server-prod-addresses-to-127-0-53-53) – Andrew B Dec 05 '14 at 04:35

1 Answer

DNS clients that spend more time appending suffixes to ambiguous names and retrying their searches will take longer before giving up. This can cause significant slowdowns in applications that perform a lot of DNS queries.

It can also create a security concern if DNS clients erroneously resolve a name that is under the control of an external, malicious entity. Appending DNS suffixes is basically the opposite of devolution, which can present similar concerns. I'll copy the example from the Windows IT Pro website (which is primarily about devolution, but also applies somewhat to appending suffixes):

A domain-joined computer's primary domain suffix is mycompany.fl.us (mycompany is located in Florida, hence the extension fl.us) and tries to connect to mailserver1. In this example, the DNS client will try to resolve mailserver1.mycompany.fl.us and mailserver1.fl.us. The last name in this list, mailserver1.fl.us, is outside of the control of my company. If a malicious person has registered mailserver1.fl.us in the DNS, the name resolution will succeed, the domain-joined computer will try to connect to it, and the malicious user could spoof an internal server.

So why would you want to turn it on? You might want to give DNS clients the added flexibility of hopefully being able to resolve ambiguous names. But it could theoretically lead to a security concern. So it's up to the administrator to decide what is more appropriate for his or her environment.

Further reading:

http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx

And:

http://windowsitpro.com/networking/whats-dns-name-devolution

Ryan Ries
  • The example you quote has a single label name. As such the Windows setting doesn't apply to it; any configured suffixes will always be attempted. A more apt example would be trying to connect to mailserver1.mycompany.fl.us and ending up at a fake server mailserver1.mycompany.fl.us.fl.us, assuming that fl.us is in your search list. – Jirka Hanika Feb 21 '18 at 12:11
  • Your example explains side-effects of devolution, but does not apply to multi-label suffixing at all. The worst thing that can happen is that a non-existent domain (such as a typo, I don't know, `goodle.com`) ends up being checked as `goodle.com.company.org`, which should not be a problem if you trust your company (which you should if you use their domain as a DNS suffix). Of course, setting up `.com` as a DNS suffix would be an issue if you want to go to `google.com`, type `google.comm` and someone registered `comm.com` - but that is an issue regardless of multilabel-suffix application. – bers Feb 24 '20 at 09:26
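As an added illustration (not part of the question, the answer or the comments), here is a small Python model of the candidate list a Windows-style DNS client works through for a name: the single- versus multi-label behaviour from the question, the devolution example in the answer, and the multi-label case Jirka Hanika raises in the comments. It is a simplification of the real Windows resolver, not its code: it takes an explicit devolution level, ignores connection-specific suffixes, and the function names are mine. The last function flags candidates that fall outside the zones you control, which is the check that makes the spoofing concern concrete.

```python
"""Model of the candidate FQDNs a Windows-style DNS client tries for a query.

Added example, not from the original post. Simplified: explicit devolution
level, no connection-specific suffixes, search list replaces devolution.
"""


def devolved_suffixes(primary_suffix, devolution_level=2):
    """Primary suffix plus its parents, down to `devolution_level` labels.

    mycompany.fl.us with level 2 -> ['mycompany.fl.us', 'fl.us']
    """
    labels = primary_suffix.strip(".").split(".")
    out = []
    while len(labels) >= devolution_level:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def candidate_names(name, primary_suffix, search_list=None,
                    devolution_level=2, append_to_multilabel=False):
    """Ordered FQDNs the client tries for `name`.

    - Trailing dot: fully qualified, tried as-is only.
    - Single label: never tried bare; every suffix is appended.
    - Multi-label: tried as-is first; suffixes are appended afterwards
      only when the "append to multi-label names" policy is enabled.
    A configured search list replaces primary-suffix devolution.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    if search_list:
        suffixes = [s.strip(".") for s in search_list]
    else:
        suffixes = devolved_suffixes(primary_suffix, devolution_level)
    suffixed = [f"{name}.{s}" for s in suffixes]
    if "." not in name:
        return suffixed
    return [name] + (suffixed if append_to_multilabel else [])


def outside_trusted_zones(candidates, trusted_zones):
    """Candidates that would resolve in a zone the organisation does not control.

    Any of these can be registered by a third party and answered with an
    attacker's address, which is the spoofing scenario in the answer.
    """
    def in_trusted(fqdn):
        return any(fqdn == z or fqdn.endswith("." + z) for z in trusted_zones)
    return [c for c in candidates if not in_trusted(c)]


if __name__ == "__main__":
    trusted = ["mycompany.fl.us"]
    # Answer's devolution example: single label, primary suffix mycompany.fl.us
    single = candidate_names("mailserver1", "mycompany.fl.us")
    print(single, "->", outside_trusted_zones(single, trusted))
    # Jirka Hanika's case: multi-label name, fl.us in the search list,
    # policy enabled, so the name is also tried with suffixes appended
    multi = candidate_names("mailserver1.mycompany.fl.us", "mycompany.fl.us",
                            search_list=["mycompany.fl.us", "fl.us"],
                            append_to_multilabel=True)
    print(multi, "->", outside_trusted_zones(multi, trusted))
    # Question's example: example.tld with and without the policy
    print(candidate_names("example.tld", "mydnssuffix.local"))
    print(candidate_names("example.tld", "mydnssuffix.local",
                          append_to_multilabel=True))
```

Running it shows the two distinct risks side by side: with devolution, the single-label query for `mailserver1` reaches `mailserver1.fl.us`, a zone your company does not own; with the multi-label policy enabled and `fl.us` in the search list, a correctly typed `mailserver1.mycompany.fl.us` is additionally tried as `mailserver1.mycompany.fl.us.fl.us`. Only a trailing dot (`example.tld.`) stops the client from trying anything but the name as typed.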