search and ndots support in bind utilities

m3047 m3047 at m3047.net
Mon Sep 30 16:53:56 UTC 2019


The following is not specific to BIND, but concerns the operating 
environment for DNS software. Ebersman in a later post links to a document 
which foreshadows what I'm about to discuss.

On Mon, 30 Sep 2019, Petr Mensik wrote:
> [...]
> I am aware search is a no-no in DNS community.

That's barely the "other 10%" of it. It reaches as far as cooked Google 
servers (Stucke's still amusing talk from Black Hat some years ago) and 
comes down to a simple: "whose name do you trust?"

I know from experience with the data that in some $VENDOR's streaming 
NXDOMAIN telemetry feed, on any given day, depending which way the wind is 
blowing, that .belkin will be one of the top 10 TLDs. Luckily Cisco bought 
.cisco, so you can see for yourself if your Passive DNS data provider is 
any good by looking for A queries which resolved to 127.0.53.53.

Why does so much DNS traffic show up inadvertently stemmed with .cisco and 
.belkin? Rhetorically speaking, of course.

The DNS is just one naming service which is queried in attempts to resolve 
resource names into actual instances. Others include hosts, LDAP, NIS, you 
get the idea. If you go down the "no search lists" path, then that means 
everywhere, not just the DNS. (This may also be part of the reason for 
inconsistent behavior; earlier this year I personally saw DNS lookups 
suddenly become case sensitive on SuSE Leap when using getaddrinfo().)

What about Active Directory? If your domain can't resolve inside of 
Windows, does it fall back to the DNS?

Resources don't include just web sites, CRLs, adverts, tracking beacons. 
It includes database servers, etcd and other resolution / configuration 
services, drives containing executables to, you know, execute...

It doesn't stop with best practices according to the DNS community. Plenty 
of developers will think they know best for their particular situation, so 
you will see them trying various things that will oftentimes result in 
stemming and trying things from your search list. (Guilty as charged, 
during the SuSE episode I coded an option to force the use of dnspython 
for name resolution.)


Prohibitions like "no search lists" do next to nothing. Clever programmers 
will use whatever domain you specify for your hosts as something to 
deconstruct and use for stemming. An (enforced) search list might be 
preferable!

Look at your DNS traffic, particularly NXDOMAIN. (I'd look for stuff 
resolving in typoed / bit flipped domains too.)

Add a domain you own but do not use as the final fallback in your search 
list, and monitor all DNS traffic going to it.

Even resolving stuff may not stop it from leaking (stop resolution 
attempts), because the developer may not trust your answer. I wouldn't do 
that, of course. ;-) But clearly people obsessed with "happy eyeballs" 
don't share my sensibilities.


Good luck, and a good tomorrow...

--

Fred Morris
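Putting the monitoring advice in the post into a small check, as an added example that is not from the post, BIND or any vendor: it scans constructed, simplified resolver log lines for the .belkin/.cisco stemming, the 127.0.53.53 collision answer, and queries landing in an assumed canary domain (dns-canary.example) placed last in the search list, recovering the internal name a client was actually asking for.

```python
# Added example (not from the post or BIND): flag search-list leakage and
# name-collision indicators in constructed, simplified resolver log lines.
COLLISION_SENTINEL = "127.0.53.53"       # ICANN name-collision answer address
LEAKY_TLDS = {"belkin", "cisco"}         # TLDs the post names as stemming artefacts
CANARY_SUFFIX = "dns-canary.example"     # assumed: unused domain placed last in the search list

# Constructed log lines (assumed format): client qname qtype rcode answer
SAMPLE_LOG = """\
192.0.2.10 db.corp.example.belkin A NXDOMAIN -
192.0.2.10 db.corp.example.cisco A NOERROR 127.0.53.53
192.0.2.11 etcd.corp.example.dns-canary.example A NXDOMAIN -
192.0.2.12 www.example.com A NOERROR 192.0.2.80
192.0.2.13 printer A NXDOMAIN -
"""

def classify(qname, answer):
    """Return (kind, leaked_name) or None for an unremarkable query."""
    name = qname.rstrip(".").lower()
    if answer == COLLISION_SENTINEL:
        # The name was stemmed into a TLD that answers with the collision sentinel.
        return "collision", name
    if name.endswith("." + CANARY_SUFFIX):
        # Client exhausted the search list; recover the name it originally asked for.
        return "canary", name[: -len(CANARY_SUFFIX) - 1]
    if name.rsplit(".", 1)[-1] in LEAKY_TLDS:
        # Internal name plus a vendor-owned TLD: search-list / domain stemming.
        return "stemmed", name
    return None

def scan(log):
    """Return a list of (kind, client, leaked_name) for every suspicious line."""
    findings = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        client, qname, _qtype, _rcode, answer = fields
        hit = classify(qname, answer)
        if hit:
            findings.append((hit[0], client, hit[1]))
    return findings

if __name__ == "__main__":
    for kind, client, name in scan(SAMPLE_LOG):
        print(f"{kind:9} {client:15} {name}")
```

A bare single-label NXDOMAIN like "printer" is deliberately not flagged: it is the trigger for search-list expansion, not evidence that an internal name left the network.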
