Resolve single word names?
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jul 17 23:19:01 UTC 2006
Barry Margolin wrote:
> In article <e9eh8p$2443$1 at sf1.isc.org>,
> "Jim McAtee" <jmcatee at mediaodyssey.com> wrote:
>
>
>> Can I run BIND on my home network to resolve names consisting of a
>> single word? If so, how do I go about doing this? I can't always use
>> HOSTS files or WINS, as some devices on the network have no way to use
>> either.
>>
>
> The usual way to accomplish this is to configure the clients to use your
> domain as their domain search list. When they type unqualified names,
> the domain will be appended.
>
If your network is completely disconnected from any other network, and
will *always* be that way, you could theoretically set up your own root
zone and those single-label names could be root names. Be aware,
however, that if your clients have any kind of domain suffix configured,
that will be appended to the initial query *before* the root name is
queried, therefore there is probably no saving of query traffic by doing
things this way, as opposed to the domain search list Barry described.

There are a lot of downsides to the "root name" approach, especially if
you ever plan to connect your network to any other network, e.g. the
Internet. It's not very manageable to run your own "private" root zone
and at the same time provide resolution of Internet names on your own
network. It can be done, but it's messy, e.g. tracking every change to
every TLD delegation and mirroring them in your own version of the root.

For enterprises, I wouldn't recommend _either_ of these approaches:
instead, I'd recommend forming user habits early of using FQDNs for
lookups *exclusively*, since from a DNS infrastructure standpoint,
that's the most efficient lookup form, and doesn't run the risk of
"accidental" resolution (e.g. "http://jupiter" connects you to
jupiter.sub2.example.com instead of jupiter.sub1.example.com, as you
expected, because sub2 happened to be ahead of sub1 in your suffix
search list), which can lead to security vulnerabilities (to continue
the example, imagine if the domain administrators of sub2.example.com
are far less trusted than those of sub1.example.com and
jupiter.sub2.example.com is actually a Trojan Horse version of
jupiter.sub1.example.com, which steals people's login passwords for the
site).

- Kevin
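
An added example, not part of the original message: a small Python model of the search-list behaviour discussed in this thread, showing the order in which candidate names are tried and flagging short names that exist under more than one suffix. The record table, the addresses and the `ndots` default of 1 are assumptions made for the illustration.

```python
"""Added example: search-list expansion and shadowed short names."""

# Constructed zone contents standing in for real DNS answers (assumption).
RECORDS = {
    "jupiter.sub1.example.com.": "192.0.2.10",
    "jupiter.sub2.example.com.": "198.51.100.66",
    "saturn.sub1.example.com.": "192.0.2.11",
}


def candidates(name, search, ndots=1):
    """Return the FQDNs a stub resolver would try, in order."""
    if name.endswith("."):            # already fully qualified: no expansion
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    # Names with fewer than `ndots` dots go through the search list first,
    # so a single-label name is only tried as a root name at the very end.
    if name.count(".") >= ndots:
        return [as_is] + expanded
    return expanded + [as_is]


def resolve(name, search, records=RECORDS):
    """First candidate with an answer wins, as with a real search list."""
    for fqdn in candidates(name, search):
        if fqdn in records:
            return fqdn, records[fqdn]
    return None, None


def shadowed(name, search, records=RECORDS):
    """All candidates that would answer; more than one means order decides."""
    return [fqdn for fqdn in candidates(name, search) if fqdn in records]


if __name__ == "__main__":
    search = ["sub2.example.com", "sub1.example.com"]   # sub2 listed first
    for host in ("jupiter", "saturn", "jupiter.sub1.example.com."):
        hits = shadowed(host, search)
        winner, addr = resolve(host, search)
        flag = "AMBIGUOUS" if len(hits) > 1 else "ok"
        print(f"{host:28} -> {winner} ({addr}) [{flag}]")
```

Running `shadowed()` over an inventory of short names against each client's search list gives a quick audit of which lookups depend on suffix order.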