Internal clients' queries for "myhostname." get sent to forwarders. Why?

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Wed Mar 12 20:27:33 UTC 2014



On 03/12/14 06:50, Tony Finch wrote:
> Lawrence K. Chen, P.Eng. <lkchen at ksu.edu> wrote:
> 
>> If you have FQDN for machines, the problem might be that the domain
>> isn't set in resolv.conf?
> 
> The machines are configured with a bare hostname. If there isn't a search
> or domain directive in /etc/resolv.conf and there isn't an entry for the
> machine in /etc/hosts then `hostname -f` will fail.
> 
> It is probably a bug that `hostname -f` does not have any "ndots" logic.
> See also RFC 1535.
> 
> Tony.
> 

Around here, the users insist on being able to only use hostname to
reach everything....so our resolv.conf's have "search" max'd...though
some systems seem to work when 7 subdomains are listed for "search".
Though most of the time, we'll find that we have to ask them which
subdomain they can live without to add a new one to "search".

One time, they removed the first one...because the department doesn't
exist anymore and they don't (think they) have anything in it they need.
Except that the backup jobs they run all stopped working.  Yeah, the
backup server is in that subdomain (and the fqdn is baked into the
library catalog's Oracle DB backend, so we can never change it...though
every few years they look at switching us to another vendor's product
rather than upgrading...and we end up upgrading.)

Also we still have a large number of Solaris systems around...where
typing 'hostname -f' would change the hostname of the system to '-f'.
(or an error if not root.)

And, virtually every system here uses just hostname....since lots of
people call `hostname` in their prompts, and don't like the added length
of getting an fqdn. (or figuring out what they need to do to make it right.)

Though I did discover that search appends to all lookups, not just bare
hostnames.  Could not understand why a new SA was saying machines could be
reached with <hostname>.campus (years ago when we started having systems
with RFC1918 IPs...they decided to make up a TLD.  The DNS administrator
said that it wasn't possible to do split DNS, yet he didn't ask what I
meant when I had asked him about it.)

After he quit, DNS got thrown in my lap.  and .campus.ksu.edu was born,
which was good, because we had a policy at the time requiring user
facing sites to use Thawte certificates...which were hard to get for
.campus fqdn's...but we can get for .campus.ksu.edu fqdn's, which can't
be resolved from off campus (well, not fully...)

Several years ago, another admin tried to force everybody to stop
using the .campus TLD.  (I've joked that it's only a matter of time before
someone goes and registers it....or perhaps one of the other fake TLDs
we used, like .wireless ;)

Problem was there was a big move of Oracle DBs into the TLD...and with
the name baked into the installation....renaming isn't going to happen
until those systems are abandoned (though a big hardware refresh is near
on the horizon...along with a network reorg for data classification.)

Though everything that was .campus is in .campus.ksu.edu (except that we
had functional subdomains in .campus and functional hostnames in
.campus.ksu.edu....)  But, a host in .campus.ksu.edu is often not in
.campus (since it's deprecated....)  And, there's a mix on which domain
the reverses are pointed to....which is important for the particular
system he was setting up at the time.  (Some old systems have had their
reverses updated, but not all users have switched to using the new
forward.... in service requests to him....)

Oh, there have been cases where we've added hostnames to /etc/hosts so
that they could use bare hostnames to reach things in other
subdomains....other times it's to ensure the desired hostname is reached
when the name exists in more than one subdomain.  Some also have names
that are not in DNS (not sure if they thought of CNAMEs) so they can
find the application.  Which was especially important before we forced a
consistent functional naming scheme across our datacenter.  They were
using Sith Lords to name their machines, some were very similar in
spelling but significantly different functions or classifications.

Probably ran out of Sith lords with names starting with p, t, d, a or b
(prod, test, dev, alpha or beta).  It was a whole bunch of very similar
names starting with 's' that made my manager snap.

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Sr. Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
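As an added illustration (not part of this thread, and not BIND or glibc code), here is a small Python model of the stub-resolver expansion that the discussion above turns on: the resolv.conf(5) "search" list and "ndots" option. It shows why a bare hostname with no search list goes upstream as the absolute query "myhostname." (the subject of the thread), why the search suffixes are appended to dotted names such as "foo.campus" as well as to bare names, and how a host that lives in a subdomain missing from the search list ends up as a miss at the forwarders. The resolv.conf text and the in-memory zone are constructed sample data; the six-entry cap is the historical glibc MAXDNSRCH limit, lifted in glibc 2.26, which is one reason a 7-entry search list works on some systems and not others.

```python
"""Model of stub-resolver name expansion per resolv.conf(5) search/ndots.

Added example: the resolv.conf text and zone data below are constructed.
"""

DEFAULT_NDOTS = 1
# Historical glibc limit on search-list entries (MAXDNSRCH); removed in
# glibc 2.26, so older resolvers silently drop a seventh entry.
LEGACY_MAX_SEARCH = 6


def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf text.

    'domain' and 'search' are mutually exclusive; the last one seen wins,
    as documented in resolv.conf(5).
    """
    search, ndots = [], DEFAULT_NDOTS
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("domain", "search"):
            search = args
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def candidate_names(name, search, ndots=DEFAULT_NDOTS, max_search=None):
    """Absolute names the resolver would try, in order.

    A trailing dot marks the name fully qualified: no search applied.
    Otherwise, a name with at least `ndots` dots is tried as an absolute
    query first and then with each search suffix; a name with fewer dots
    gets the suffixes first and the absolute query last. The suffixes are
    appended to every non-FQDN name, not only to bare hostnames.
    """
    if name.endswith("."):
        return [name]
    if max_search is not None:
        search = search[:max_search]
    absolute = name + "."
    suffixed = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def resolve(name, zone, search, ndots=DEFAULT_NDOTS):
    """Walk the candidate list against an in-memory zone (constructed).

    Returns (address, matched_fqdn, tried). When every candidate misses,
    the last query tried is the bare name with a trailing dot, which a
    recursive server with forwarders would pass upstream.
    """
    tried = []
    for fqdn in candidate_names(name, search, ndots):
        tried.append(fqdn)
        if fqdn in zone:
            return zone[fqdn], fqdn, tried
    return None, None, tried


# Constructed sample data (hypothetical names, not from the original post).
SAMPLE_RESOLV_CONF = """\
# constructed example resolv.conf
nameserver 10.0.0.53
search cs.ksu.edu ksu.edu
options ndots:1
"""

SAMPLE_ZONE = {
    "backup.oldept.ksu.edu.": "10.1.2.3",  # subdomain not in the search list
    "foo.campus.ksu.edu.": "10.9.8.7",     # reachable as "foo.campus" via search
}


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    for q in ("backup", "foo.campus", "foo.campus.ksu.edu."):
        addr, fqdn, tried = resolve(q, SAMPLE_ZONE, search, ndots)
        print(f"{q!r}: tried {tried} -> {addr} via {fqdn}")
```

Run as a script it prints the candidate list for each query; "backup" ends with the absolute query "backup." and no answer, while "foo.campus" succeeds on the third attempt as "foo.campus.ksu.edu.". Raising ndots (options ndots:2) moves the absolute query for dotted names to the end of the list, which is the usual mitigation when unintended absolute queries for internal names are leaking to forwarders.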

