
We have a VPN with multiple search domains. One component of these domains specifies the country in which the hosts are located.

  • servers.fr.internal.example.org. contains all the servers in France.
  • servers.ca.internal.example.org. contains all the servers in Canada.

The configured list of search domains is:

internal.example.org.

I've found multiple references to Partially Qualified Domain Names (PQDNs), but all the examples only show PQDNs as hostnames. I'm wondering if the DNS protocol/most widely deployed resolvers allow for PQDNs with multiple labels, i.e. foo.servers.ca.

I've tried this on my local machine (macOS 10.13.6) and it doesn't appear to work; I just get NXDOMAIN.

Should this work? Is there a special format for PQDNs with multiple labels? I understand this works fine on other systems (Linux, Windows).

Patrick Mevzek
Arran Cudbard-Bell
  • This is expected to _fail_ to do what you want. Related: [DNS just started resolving my server.prod addresses to 127.0.53.53](https://serverfault.com/q/626612/126632) – Michael Hampton Aug 20 '18 at 18:35
  • Where are your sources about `PQDNs`? I have worked in the DNS industry for 20 years and your post is the first time I have read about this acronym... – Patrick Mevzek Aug 22 '18 at 03:14

1 Answer

This is very normal inside a DNS zone. An FQDN inside DNS always ends with a full stop (.). If a domain name does not end with a full stop, then it has the current zone appended to the end of it.

The reason you cannot do this via dig or nslookup is that the convention for searching for PQDNs differs depending on the tool you're using and even its configuration. For example, enabling DNS devolution on Windows makes nslookup behave very differently to, say, dig on Linux.

Mark Henderson
  • @PatrickMevzek I rolled back your edit, as DNS Devolution is actually what I meant to type: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee683928(v=ws.10) – Mark Henderson Aug 22 '18 at 17:28
  • Ok. Sad, but not so surprised, that some company just invents new names out of the blue for no reason, where the feature already exists as it is called "search list" or "search suffix". This makes everything more complicated for no gain. – Patrick Mevzek Aug 22 '18 at 17:37
  • DNS Devolution is more complicated than just a search suffix. Unfortunately. Honestly I hate that it even exists. – Mark Henderson Aug 22 '18 at 17:38
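
The tool-dependent search convention the answer refers to, as an added example that is not part of the original thread: a small model of how a stub resolver expands a name that has no trailing dot. It assumes the `search` and `options ndots:N` rules documented in Linux resolv.conf(5); macOS and Windows apply different rules, and the function names are hypothetical. It also flags which candidate queries fall outside the configured search domain, which is where a name like foo.servers.ca can leave the VPN's namespace.

```python
"""Model of a stub resolver's search-list expansion (added example).

Assumption: follows the `search` / `options ndots:N` rules documented in
Linux resolv.conf(5). macOS and Windows (DNS devolution) behave differently.
"""


def candidates(name, search, ndots=1):
    """Return the FQDNs a resolver would query, in order."""
    if name.endswith("."):
        # A trailing dot marks a fully qualified name: no search list.
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        # Enough dots: try the name as-is first, then the search list.
        return [absolute] + expanded
    # Too few dots: search list first, the name as-is last.
    return expanded + [absolute]


def leaves_search_domains(fqdn, search):
    """True if the query is not under any configured search domain."""
    fqdn = fqdn.lower()
    return not any(fqdn.endswith("." + s.rstrip(".").lower() + ".") for s in search)


if __name__ == "__main__":
    search = ["internal.example.org."]  # search list from the question
    for ndots in (1, 3):
        print(f"ndots:{ndots}")
        for q in candidates("foo.servers.ca", search, ndots):
            outside = leaves_search_domains(q, search)
            print(f"  {q}{'  <- outside the search domains' if outside else ''}")
```

Under these rules, the default `ndots:1` sends `foo.servers.ca.` as an absolute query before the search suffix is tried; raising `ndots` above the number of dots in the name reverses that order.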