Change in behaviour regarding ndots and searchlist
Mark Andrews
marka at isc.org
Mon Sep 15 09:16:48 UTC 2014
Partially qualified names are DANGEROUS. You really do not want
to use them ever no matter how convenient or useful they appear to be.
In message <20140915083532.GA29404 at danton.fire-world.de>, Sebastian Wiesinger writes:
> Hello,
>
> I noticed a change in the host tool in regard to how searches are done
> when there are >= "ndots" dots in the query. In the following case
> ndots is always nonexistent in the configuration.
>
> With bind 9.8 (Debian 1:9.8.4.dfsg.P1):
>
> $ host -d test.example
> Trying "test.example"
> Received 105 bytes from 127.0.0.1#53 in 6 ms
> Trying "test.example.office.example.com"
> Trying "test.example.backup.example.org"
> Trying "test.example.example.com"
> Trying "test.example.example.org"
> Trying "test.example.winzone.example.com"
> Trying "test.example.nms.example.com"
> Host test.example not found: 3(NXDOMAIN)
> Received 104 bytes from 127.0.0.1#53 in 1 ms
>
>
> With bind 9.9 (Debian 1:9.9.5.dfsg-4~bpo70, same on Ubuntu
> 1:9.9.5.dfsg-3):
>
> $ host -d test.example
> Trying "test.example"
> Host test.example not found: 3(NXDOMAIN)
> Received 105 bytes from 127.0.0.1#53 in 15 ms
> Received 105 bytes from 127.0.0.1#53 in 15 ms
>
>
> So with "host" from bind 9.8 the absolute name is tried first and
> after that the search list is tried.
>
> With bind 9.9 this is no longer the case.
>
> Does anyone know if that was a deliberate change? I liked the old
> behaviour because I could search for internal subdomains without
> specifying/knowing the full FQDN.
>
> As a workaround I raised the ndots value to 2 but that increases the
> number of queries because the searchlist is tried first for things
> like linux.org. Also it increases the potential for MITM as
> "linux.org.example.com." is tried first.
>
> Regards
>
> Sebastian
>
> --
> GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
> -- Terry Pratchett, The Fifth Elephant
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
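
The query ordering discussed in this thread, as an added example that is not part of the original messages: a small Python model of search-list expansion, using the search list visible in the quoted `host -d` output. The function names and the `search_after_absolute` switch are constructed for illustration, and trying the absolute name last when a name has fewer than ndots dots is assumed from the classic stub-resolver order.

```python
"""Model of search-list expansion for a stub resolver (constructed example)."""


def candidates(name, search, ndots=1, search_after_absolute=True):
    """Return the query names in the order they would be tried.

    search_after_absolute=True models the 9.8 output in the post (absolute
    name first, then the search list); False models the 9.9 output (absolute
    name only, once the name has >= ndots dots).
    """
    if name.endswith("."):
        # Fully qualified: the search list is never consulted.
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + (expanded if search_after_absolute else [])
    # Below the threshold the search list is tried first. Trying the
    # absolute name last is the classic stub-resolver order (assumption).
    return expanded + [absolute]


def tried_before_absolute(name, search, ndots, search_after_absolute=True):
    """Names queried before the absolute form of `name`.

    The first candidate that resolves is the one used, so every entry here
    is a name that can shadow the one the user meant.
    """
    order = candidates(name, search, ndots, search_after_absolute)
    absolute = name if name.endswith(".") else name + "."
    return order[:order.index(absolute)]


# Search list taken from the "Trying" lines quoted in the post.
SEARCH = ["office.example.com", "backup.example.org", "example.com",
          "example.org", "winzone.example.com", "nms.example.com"]

if __name__ == "__main__":
    for ndots in (1, 2):
        for name in ("test.example", "linux.org", "linux.org."):
            shadow = tried_before_absolute(name, SEARCH, ndots)
            print(f"ndots={ndots} {name!r}: {len(shadow)} names tried first")
            for query in candidates(name, SEARCH, ndots):
                print("   ", query)
```

With ndots raised to 2, every search-list expansion of `linux.org` is queried before `linux.org.` itself; the trailing-dot form is the only input that never touches the search list.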