search and ndots support in bind utilities
m3047
m3047 at m3047.net
Mon Sep 30 16:53:56 UTC 2019
The following is not specific to BIND, but concerns the operating
environment for DNS software. Ebersman in a later post links to a document
which foreshadows what I'm about to discuss.
On Mon, 30 Sep 2019, Petr Mensik wrote:
> [...]
> I am aware search is a no-no in DNS community.
That's barely the "other 10%" of it. It reaches as far as cooked Google
servers (Stucke's still amusing talk from Black Hat some years ago) and
comes down to a simple: "whose name do you trust?"
I know from experience with the data that in some $VENDOR's streaming
NXDOMAIN telemetry feed, on any given day, depending which way the wind is
blowing, .belkin will be one of the top 10 TLDs. Luckily Cisco bought
.cisco, so you can see for yourself if your Passive DNS data provider is
any good by looking for A queries which resolved to 127.0.53.53.
Why does so much DNS traffic show up inadvertently stemmed with .cisco and
.belkin? Rhetorically speaking, of course.
The DNS is just one naming service which is queried in attempts to resolve
resource names into actual instances. Others include hosts, LDAP, NIS, you
get the idea. If you go down the "no search lists" path, then that means
everywhere, not just the DNS. (This may also be part of the reason for
inconsistent behavior; earlier this year I personally saw DNS lookups
suddenly become case sensitive on SuSE Leap when using getaddrinfo().)
What about Active Directory? If your domain can't resolve inside of
Windows, does it fall back to the DNS?
Resources don't include just web sites, CRLs, adverts, tracking beacons.
They include database servers, etcd and other resolution / configuration
services, drives containing executables to, you know, execute...
It doesn't stop with best practices according to the DNS community. Plenty
of developers will think they know best for their particular situation, so
you will see them trying various things that will oftentimes result in
stemming and trying things from your search list. (Guilty as charged,
during the SuSE episode I coded an option to force the use of dnspython
for name resolution.)
Prohibitions like "no search lists" do next to nothing. Clever programmers
will use whatever domain you specify for your hosts as something to
deconstruct and use for stemming. An (enforced) search list might be
preferable!
Look at your DNS traffic, particularly NXDOMAIN. (I'd look for stuff
resolving in typoed / bit flipped domains too.)
Add a domain you own but do not use as the final fallback in your search
list, and monitor all DNS traffic going to it.
Even resolving stuff may not stop it from leaking (stop resolution
attempts), because the developer may not trust your answer. I wouldn't do
that, of course. ;-) But clearly people obsessed with "happy eyeballs"
don't share my sensibilities.
Good luck, and a good tomorrow...
--
Fred Morris
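The two checks the post recommends (watch NXDOMAIN traffic and vendor-owned TLDs, and put an owned-but-unused canary domain last in the search list and watch what lands there) can be scripted against a BIND querylog and a passive DNS dump. The following is an added example, not code from the post or from BIND: the canary domain canary.example.net, the vendor TLD list, the querylog lines and the passive DNS records are all constructed here, and the 127.0.53.53 check is ICANN's "controlled interruption" address for name collisions.

```python
import re
from collections import Counter

# Assumptions (not from the original post): the canary domain, the vendor TLD
# list and every log line below are constructed for this example.
CANARY = "canary.example.net"          # a domain you own but do not otherwise use
VENDOR_TLDS = {"cisco", "belkin"}      # TLDs that show up via inadvertent stemming
NAME_COLLISION_IP = "127.0.53.53"      # ICANN controlled-interruption address

# Matches the "query:" field of a BIND querylog line.
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\w+)")

# Constructed BIND querylog excerpt. Hosts 10.0.0.5 and 10.0.0.7 have the search
# list "corp.example.com canary.example.net" and look up short names, so each
# short name that misses in corp.example.com is retried under the canary.
SAMPLE_QUERYLOG = """\
30-Sep-2019 16:53:56.001 queries: info: client @0x7f3c 10.0.0.5#51234 (etcd.corp.example.com): query: etcd.corp.example.com IN A +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.002 queries: info: client @0x7f3c 10.0.0.5#51235 (etcd.canary.example.net): query: etcd.canary.example.net IN A +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.003 queries: info: client @0x7f3c 10.0.0.7#40001 (db01.corp.example.com): query: db01.corp.example.com IN AAAA +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.004 queries: info: client @0x7f3c 10.0.0.7#40002 (db01.canary.example.net): query: db01.canary.example.net IN AAAA +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.005 queries: info: client @0x7f3c 10.0.0.9#33000 (router.cisco): query: router.cisco IN A +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.006 queries: info: client @0x7f3c 10.0.0.9#33001 (wifi.belkin): query: wifi.belkin IN A +E(0)K (192.0.2.53)
30-Sep-2019 16:53:56.007 queries: info: client @0x7f3c 10.0.0.5#51236 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
"""

# Constructed passive DNS records in the form "qname rrtype rdata".
SAMPLE_PDNS = """\
router.cisco A 127.0.53.53
www.example.com A 93.184.216.34
wifi.belkin A 127.0.53.53
"""


def parse_querylog(text):
    """Yield (qname, qtype) per querylog line, lower-cased, trailing dot removed."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qname").lower().rstrip("."), m.group("qtype").upper()


def canary_leaks(queries, canary=CANARY):
    """Relative names that were stemmed with the canary suffix.

    Anything under the canary is a short name some client tried to resolve
    through the search list and that failed everywhere earlier in the list."""
    suffix = "." + canary
    return sorted({q[: -len(suffix)] for q, _ in queries if q.endswith(suffix)})


def vendor_tld_queries(queries, tlds=VENDOR_TLDS):
    """Queries whose TLD is a vendor-owned TLD such as .cisco or .belkin."""
    return [q for q, _ in queries if q.rsplit(".", 1)[-1] in tlds]


def tld_counts(queries):
    """Per-TLD query counts; unexpected TLDs near the top are the signal."""
    return Counter(q.rsplit(".", 1)[-1] for q, _ in queries)


def collision_hits(text, ip=NAME_COLLISION_IP):
    """Names whose A record resolved to the ICANN name-collision address."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "A" and parts[2] == ip:
            hits.append(parts[0])
    return hits


if __name__ == "__main__":
    queries = list(parse_querylog(SAMPLE_QUERYLOG))
    print("relative names leaked via canary:", canary_leaks(queries))
    print("queries into vendor TLDs:", vendor_tld_queries(queries))
    print("top TLDs:", tld_counts(queries).most_common(3))
    print("names answering with 127.0.53.53:", collision_hits(SAMPLE_PDNS))
```

On real data, point parse_querylog at the querylog channel configured in named.conf (the "query:" field has the same shape there) and feed collision_hits your passive DNS provider's export; if the export never contains 127.0.53.53 for names under .cisco, that is the sign the post describes that the provider is dropping data.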