Whenever I’d do an nslookup I noticed these timeout messages as below:

    C:\>nslookup www.msftncsi.com
    Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    Name:    a1961.g.akamai.net
    Addresses:  88.221.217.26
              88.221.217.59
    Aliases:  www.msftncsi.com
              www.msftncsi.com.edgesuite.net

Everything seemed to be working but I was curious about the timeouts.
Then I realized the problem was that I had missed the root domain at the end of the name. You see, a name such as “www.msftncsi.com” isn’t an absolute name. For all the DNS resolver knows, it could just be a hostname – like, say, “eu.mail” in a full name such as “eu.mail.somedomain.com”. To tell the resolver this is the full name, one must terminate it with a dot, like this: “www.msftncsi.com.”. When we omit the dot in common practice, the DNS resolver puts it in implicitly, and so we don’t usually notice it.
The dot is what tells the resolver about the root of the domain name hierarchy. A name such as “rakhesh.com.” actually means the “rakhesh” domain in the “com” domain in the “.” domain. It is “.” that knows of all the sub-domains such as “com”, “io”, “net”, “pl”, etc.
In the case above since I had omitted the dot my resolver was trying to append my DNS search suffixes to the name “www.msftncsi.com” to come up with a complete name. I have search suffixes “rakhesh.local.” and “dyn.rakhesh.local.” (I didn’t put the dot while specifying the search suffixes but the resolver puts it in because I am telling it these are the absolute domain names) so the resolver was actually expanding “www.msftncsi.com” to “www.msftncsi.com.rakhesh.local.” and “www.msftncsi.com.dyn.rakhesh.local.” and searching for these. That fails and so I get these “DNS request timed out” messages.
If I re-try with the proper name the query goes through fine:

    C:\>nslookup www.msftncsi.com.
    Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    Non-authoritative answer:
    Name:    a1961.g.akamai.net
    Addresses:  88.221.217.59
              88.221.217.26
    Aliases:  www.msftncsi.com
              www.msftncsi.com.edgesuite.net

Just to eliminate any question of whether a larger timeout is the solution: no, it doesn’t help:

    C:\>nslookup
    Default Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    > set timeout=5
    > www.msftncsi.com
    Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    DNS request timed out.
        timeout was 5 seconds.
    DNS request timed out.
        timeout was 5 seconds.
    Non-authoritative answer:
    Name:    a1961.g.akamai.net
    Addresses:  88.221.217.26
              88.221.217.59
    Aliases:  www.msftncsi.com
              www.msftncsi.com.edgesuite.net

If I replace my existing DNS suffixes search list with the dot domain, that too helps (not practical because then I can’t query by just the hostname, I will always have to put in the fully qualified name):

    C:\>nslookup
    Default Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    > set srchlist=.
    > www.msftncsi.com
    Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    Non-authoritative answer:
    Name:    a1961.g.akamai.net
    Addresses:  88.221.217.26
              88.221.217.59
    Aliases:  www.msftncsi.com
              www.msftncsi.com.edgesuite.net

Or I could tell nslookup to not use the DNS suffix search lists at all (a more practical solution):

    C:\>nslookup
    Default Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    > set nosearch
    > www.msftncsi.com
    Server:  win-dc01.rakhesh.local
    Address:  10.50.0.20

    Non-authoritative answer:
    Name:    a1961.g.akamai.net
    Addresses:  88.221.217.26
              88.221.217.59
    Aliases:  www.msftncsi.com
              www.msftncsi.com.edgesuite.net

So there you go. That’s why I was getting those timeout errors.
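
The expansion described above can be modelled in a few lines of Python. This is an added example, not code from the original post and not nslookup's own logic: the function names, the toy `EXISTING` namespace and the "suffixes first, name as typed last" ordering are assumptions chosen to match the output shown. It reproduces the four cases from the post: two unanswered names without the trailing dot, and none with the dot, with `set srchlist=.` or with `set nosearch`.

```python
# Added example: a simplified model of suffix-search expansion, not nslookup's code.

def normalize_suffix(suffix):
    # Suffixes are absolute domains, so "rakhesh.local" == "rakhesh.local.";
    # the root suffix "." normalizes to the empty string.
    return suffix.strip().rstrip(".").lower()

def candidate_queries(name, search_list, use_search=True):
    """Absolute names to try, in order, for the name as typed."""
    name = name.strip().lower()
    if name.endswith("."):
        return [name]  # trailing dot: already absolute, no expansion
    absolute = name + "."
    candidates = []
    if use_search:  # False models "set nosearch"
        for suffix in search_list:
            s = normalize_suffix(suffix)
            fqdn = f"{name}.{s}." if s else absolute
            if fqdn not in candidates:
                candidates.append(fqdn)
    # Assumption: the name as typed is tried last, after every suffix.
    if absolute not in candidates:
        candidates.append(absolute)
    return candidates

def simulate(name, search_list, existing, use_search=True):
    """Return (names that got no answer, name that answered or None)."""
    failed = []
    for fqdn in candidate_queries(name, search_list, use_search):
        if fqdn in existing:
            return failed, fqdn
        failed.append(fqdn)
    return failed, None

# Constructed data: the post's suffixes, and a toy namespace in which only
# the real name resolves.
SEARCH_LIST = ["rakhesh.local", "dyn.rakhesh.local"]
EXISTING = {"www.msftncsi.com."}

if __name__ == "__main__":
    cases = [
        ("no trailing dot", "www.msftncsi.com", SEARCH_LIST, True),
        ("trailing dot", "www.msftncsi.com.", SEARCH_LIST, True),
        ("set srchlist=.", "www.msftncsi.com", ["."], True),
        ("set nosearch", "www.msftncsi.com", SEARCH_LIST, False),
    ]
    for label, name, suffixes, search in cases:
        failed, answer = simulate(name, suffixes, EXISTING, search)
        print(f"{label:16} failed={failed} answered={answer}")
```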