Troubleshooting DNS Resolution Failures in Domain-Joined Machines When nslookup Works But Browser Fails


4 views

We're encountering an enterprise networking anomaly where domain-joined Windows 7 machines exhibit DNS resolution failures specifically for our company domains (company.com and subdomain.company.com) when:

  1. Connected externally (non-corporate networks)
  2. Using browser-based access (Chrome, Firefox, Edge all affected)
  3. While nslookup returns correct records
  4. Direct IP access works fine

After packet analysis and registry inspection, we've identified the Windows DNS client cache behaving differently for domain-joined machines. The key findings:

# PowerShell to check DNS cache behavior
Get-DnsClientCache -Entry "company.com" | Format-Table -AutoSize

# Expected output when working:
# Entry                        Record Name    Record Type  Data
# -----                        ----------    -----------  ----
# company.com                  company.com   A            203.0.113.45

The issue manifests when the domain suffix search list from Group Policy interacts with the public DNS resolution.

The problem stems from these technical factors:

  • Domain-joined machines append corporate domain suffixes (AD behavior)
  • Windows DNS client prioritizes different resolution methods than nslookup
  • Group Policy settings affecting the Name Resolution Policy Table (NRPT)

Here's the step-by-step resolution we implemented:

:: Batch script to fix NRPT issues
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableNRPTForAdapterDomain" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" /v "DisableParallelAandAAAA" /t REG_DWORD /d 1 /f
ipconfig /flushdns
net stop dnscache & net start dnscache

For environments where registry changes aren't desirable:

# PowerShell to modify DNS suffix search list
$adapters = Get-DnsClientGlobalSetting
$adapters.SuffixSearchList = @("company.com", "subdomain.company.com")
Set-DnsClientGlobalSetting -SuffixSearchList $adapters.SuffixSearchList

To confirm the resolution worked:

  1. Run Resolve-DnsName company.com in PowerShell
  2. Check event logs for DNS Client events (Event ID 1014, 1016)
  3. Validate with browser access and packet capture

Key takeaways from this troubleshooting exercise:

  • Domain-joined machines handle DNS resolution differently
  • The Windows DNS client cache has complex logic beyond simple nslookup
  • Group Policy can unexpectedly impact external network connectivity

This week I encountered one of those infrastructure gremlins that makes you question everything you know about Windows networking. Our domain-joined Windows 7 Enterprise machines suddenly couldn't resolve our company domain (company.com) through browsers when connected externally, despite nslookup working perfectly. Here's my technical deep dive into the issue and solution.

Our environment features:

  • Active Directory Domain Controller (172.16.1.3) running DNS/DHCP/IIS
  • Split-DNS configuration with internal and external zones
  • NAT rules forwarding HTTP/HTTPS to the DC
  • Company-managed Windows 7 Enterprise machines with a standardized image

The root cause turned out to be Name Resolution Policy Table (NRPT) rules applied via Group Policy. These rules are typically used for DirectAccess but were interfering with our split-DNS setup. Here's how to check:

# PowerShell command to check NRPT rules
Get-DnsClientNrptPolicy | Format-Table -AutoSize

# Expected output if problematic rules exist:
Namespace            : .company.com
QueryPolicy          : {}
SecureNameQueryFallback : False
DirectAccessIPsecCARestriction : {}
DirectAccessProxyName : 
NameServers         : {172.16.1.3}

When connected externally, the domain-joined machines were:

  1. First checking NRPT rules (found a match for company.com)
  2. Attempting to use the internal DNS server (172.16.1.3) which wasn't reachable
  3. Failing completely rather than falling back to public DNS

For immediate remediation on affected machines:

# Command to remove all NRPT rules (admin PowerShell)
Remove-DnsClientNrptRule -Force

# Alternative via registry (if PowerShell unavailable)
reg delete "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Windows NT\DNSClient" /v EnableNRPTForSplitDNS /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\Windows NT\DNSClient" /v EnableNRPTForDirectAccess /f

To prevent recurrence, modify these GPO settings:

  • Computer Configuration -> Policies -> Administrative Templates -> Network -> DNS Client
  • Disable "Turn off multicast name resolution"
  • Disable "Configure DNS over HTTPS" (if not needed)
  • Set "Name Resolution Policy Table" to "Disabled"

Here's a PowerShell script to verify the fix:

function Test-DnsResolution {
    param([string]$Domain = "company.com")

    try {
        $nslookup = nslookup $Domain 2>&1 | Out-String
        $webRequest = Invoke-WebRequest -Uri "http://$Domain" -UseBasicParsing -DisableKeepAlive
        
        return [PSCustomObject]@{
            Domain = $Domain
            NslookupSuccess = $nslookup -match "Address"
            WebRequestSuccess = $webRequest.StatusCode -eq 200
            ResolvedIP = ([System.Net.Dns]::GetHostAddresses($Domain)).IPAddressToString
        }
    }
    catch {
        return [PSCustomObject]@{
            Domain = $Domain
            NslookupSuccess = $false
            WebRequestSuccess = $false
            ResolvedIP = $null
        }
    }
}

Test-DnsResolution