Domain Name System

Connection DNS suffix and query processing order?

Good day to all!

I ran into a problem and I don't know how to fix it.

There is a domain (AD), the main DNS suffix of the domain is company.ru. Inside the network, everything works correctly, but there are problems with remote users.

Domain machines have the following DNS suffix settings.

Windows IP Setting

Computer Name . . . . . . . . . : USER-LAPTOP
Primary DNS suffix . . . . . . : company.ru
Node type. . . . . . . . . . . . . : Hybrid
IP Routing is enabled. . . . : No
WINS proxy enabled. . . . . . . : No
DNS suffix lookup order. : company.ru

Recently, a domain name - company.ru - has been registered in the RU zone. Not registered by us.
Remote users, when connected to a guest (personal home network), start submitting requests - for example. ya.ru, the system automatically adds the suffix - company.ru and a request like "ya.ru.company.ru" flies to the DNS server of the newly registered domain in the RU zone. DNS servers that support this domain always give "positive" answers to A-records and a station that is not in the enterprise network receives left IP addresses for its queries.
For example:
nslookup ya.ru
╤хЁтхЁ: hdns1.corbina.net
Address: 213.234.192.8 Untrustworthy

response:
╚ь : ya.ru.company.ru
Address: xx.xx.xx.xx

A week ago, attackers tried to configure users' browsers via wpad.
Users address with impossibility to be connected through cisco anyconnect, at the same time there are machines (domain) which normally work. Browsers, for example, work everywhere without problems, but nslookup always produces such entries when debugging a problem.
Right now I am writing from a laptop with this problem, the browser works, cisco anyconnect works correctly, but almost every day users contact me.

It is not entirely clear why the browser works? Request processing order?
What to do in this situation? We need to fix this problem, but there is no understanding yet.
I would appreciate any advice.