Dns tries to qualify a domain not found by appending its domain

Kevin Darcy kcd at daimlerchrysler.com
Wed Apr 26 22:57:02 UTC 2000


The Borg wrote:

> I have a Solaris box that when you try to do an nslookup on a domain, if it
> can not find the domain then it appends its own domain to the end of the
> domain and then resolves it.
> example
> nslookup nonexistantdomain.com
> answer nonexistantdomain.com.mydomain.com
>                208.230.11.1
>
> it resolves to my main domain because I have a record with an * in the
> db.mydomain.com file to catch all nonexistent hostnames.
>
> Any answers... please send email to lonie at mediaone.net -  greatly
> appreciated

The domain-appending is a function of the resolver, not the nameserver. If you
rip the "domain" and/or "search" directives out of /etc/resolv.conf, and have
no so-called "NIS domain" set via the "domainname" command (see
/etc/rc2.d/S69inet, which uses the contents of the /etc/defaultdomain file),
then the Solaris resolver won't have any idea what domain you're in and won't
append anything. Of course, this will inhibit the ability to use short names
for hosts (probably no big loss), and may also have a negative impact on
things like sendmail, which use the "NIS domain" by default to
"canonify" names and format headers correctly (although, as the man page for
"domainname" describes, it is possible to make separate arrangements for
sendmail).

Another option is to leave the resolver behavior as is, but "block" bogus
matches by defining all of the TLDs in your main domain, e.g.
com.mydomain.com, net.mydomain.com, org.mydomain.com, all of the
country-codes, etc. You could just put something innocuous like TXT records
for each of these. Once those records exist, they will take precedence over
the wildcard and thus prevent bogus matches.

Just out of curiosity, why do you need a wildcard A record anyway? As you can
see, they tend to be problematic.


- Kevin
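The two mechanisms Kevin describes, the stub resolver appending its search domain to a name it could not find and an explicit record at the intermediate label masking the zone wildcard, can be modelled in a few lines. The block below is an added illustration, not code from the post, from Solaris or from BIND: it implements the BIND-style search-list rule (a name with at least `ndots` dots is tried as given first, then with each search domain appended) and the RFC 1034 section 4.3.3 "closest encloser" wildcard rule, and then replays the poster's `nonexistantdomain.com` lookup against the zone with and without the blocking TXT records. The zone contents, the `ORIGIN`, `candidate_names`, `lookup` and `resolve` names, and the list of TLDs are all constructed here for the example; the address 208.230.11.1 is the one from the quoted message.

```python
"""Model of resolver search-list qualification and DNS wildcard masking.

Constructed example: the zone data below is made up from the post's
description (a catch-all *.mydomain.com A record) and is not real zone
content. The lookup logic follows RFC 1034 section 4.3.3, not BIND's code.
"""

ORIGIN = "mydomain.com"  # assumed zone name, taken from the post's example


def candidate_names(qname, search=(), ndots=1):
    """Names a stub resolver tries, in order, for a user-supplied qname.

    - A trailing dot marks the name absolute: it is tried alone.
    - With at least `ndots` dots the name is tried as given first, then with
      each search domain appended (this is what turns a failed lookup of
      nonexistantdomain.com into nonexistantdomain.com.mydomain.com).
    - With fewer dots the search domains are tried first, the bare name last.
    - An empty search list (no "domain"/"search" in resolv.conf, no NIS
      domain) means nothing is ever appended.
    """
    if qname.endswith("."):
        return [qname.rstrip(".")]
    qualified = [f"{qname}.{d}" for d in search]
    if qname.count(".") >= ndots:
        return [qname] + qualified
    return qualified + [qname]


def lookup(zone, name, origin=ORIGIN):
    """Resolve `name` against `zone` (owner name -> dict of RR type -> data).

    Wildcard rule (RFC 1034 4.3.3): `*.parent` only matches a name whose
    closest existing ancestor in the zone is `parent`. If some owner name
    exists between the queried name and the wildcard's parent (e.g.
    com.mydomain.com), that name becomes the closest encloser and the
    higher wildcard no longer applies, so the answer is NXDOMAIN (None).
    """
    if name in zone:
        return zone[name]
    if not name.endswith("." + origin):
        return None  # outside this zone; the real world would be asked instead
    labels = name[: -len(origin) - 1].split(".")
    # Walk upwards until an existing owner name is found: the closest encloser.
    for i in range(1, len(labels) + 1):
        ancestor = ".".join(labels[i:] + [origin])
        if ancestor in zone:
            return zone.get("*." + ancestor)  # None -> NXDOMAIN
    return zone.get("*." + origin)


def make_zone(block_tlds=False):
    """Zone for mydomain.com with the poster's catch-all wildcard.

    With block_tlds=True, an innocuous TXT record is added for each TLD label
    directly under the origin, as Kevin suggests, so the wildcard cannot
    match names such as anything.com.mydomain.com.
    """
    zone = {
        ORIGIN: {"SOA": "ns1.mydomain.com. hostmaster.mydomain.com."},
        "www." + ORIGIN: {"A": "208.230.11.1"},
        "*." + ORIGIN: {"A": "208.230.11.1"},  # the catch-all from the post
    }
    if block_tlds:
        for tld in ("com", "net", "org", "edu", "uk", "de"):  # constructed subset
            zone[f"{tld}.{ORIGIN}"] = {"TXT": "blocks wildcard below this label"}
    return zone


def resolve(qname, zone, search=(), ndots=1):
    """Walk the resolver's candidate list; return (answering_name, rrset)
    for the first candidate that has data, or (None, None) if none does."""
    for cand in candidate_names(qname, search, ndots):
        rrset = lookup(zone, cand)
        if rrset:
            return cand, rrset
    return None, None


if __name__ == "__main__":
    search = (ORIGIN,)
    print(resolve("nonexistantdomain.com", make_zone(), search))
    print(resolve("nonexistantdomain.com", make_zone(block_tlds=True), search))
    print(resolve("nonexistantdomain.com", make_zone(), search=()))
    print(resolve("www", make_zone(block_tlds=True), search))
```

Running it shows the three situations from the thread: with the search domain set and only the wildcard present, `nonexistantdomain.com` is answered as `nonexistantdomain.com.mydomain.com` with 208.230.11.1; with the TLD labels defined, the same query yields no answer; with the search list emptied, nothing is appended and the query is never sent to the local zone at all, while legitimate short names like `www` still resolve as long as a search list exists.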
