nslookup domain search order

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 26 20:16:12 UTC 2000


The default behavior of the resolver when presented a name with a dot in it is to look up the name as is. If that fails, then use the
default domain or search list. With very new resolvers, you may be able to change this default behavior with the "ndots" resolver
option.

Note that there are security issues with using "partially-qualified" domain names. For instance, we have a subdomain "is.chrysler.com",
but there is also an "is" TLD. If I send a mail message to "foo.is", where should it go? To the "foo.is.chrysler.com" machine
internally, or to the mail server "foo.is" on the Internet? Make the wrong decision, and internal mail could end up in the hands of an
external entity. Ditto for other protocols like FTP, telnet, etc. -- you could connect to entirely the wrong host, and it could steal
your password. Because of this confusion, "partially-qualified" domain names are generally frowned upon. Use fully-qualified domain
names whenever possible. Failing that, use totally *unqualified* names. Partially-qualified names should be used only when you have no
other choice.

- Kevin

sandra at ccuec.unicamp.br wrote:

> Hi,
>
>    I have a doubt about how nslookup works.
>    When I try to resolve a name without putting the domain after it with nslookup, the DNS server first asks a root name server,
> and after doing that it asks my name server, appending the domain to the
> name I have asked for.
>    Why is the name server doing that? The correct action is to look it up in my
> domain, and if it hasn't found it, ask the root name servers?
>    Example:
>
>
> # more /etc/resolv.conf
> domain test.machine.br
> search test.machine.br machine.br
> nameserver xxx.xxx.xxx.xxx
>
> # nslookup (on my desktop)
> Default Server:  ns.test.machine.br
> Address:  xxx.xxx.xxx.xxx
>
> > rachel.test
> Server:  ns.test.machine.br
> Address:  xxx.xxx.xxx.xxx
>
> *** ns.test.machine.br can't find rachel.test: Non-existent host/domain
>
> This is the output from tcpdump on my name server interface:
>
> 15:51:27.537605 test-gw.machine.br.2871 > ns.domain: 5536+ A? rachel.test. (30)  <<<<<<<
>                                                         ^^^^^^^^^^^^^^
>                                            why this first?
>
> 15:51:28.300632 ns.domain > test-gw.machine.br.2871: 5536 NXDomain* 0/1/0 (106)
> 15:51:28.303246 test-gw.machine.br.2871 > ns.domain: 25625+ A? rachel.test.test.machine.br. (47)
> 15:51:28.303571 ns.domain > test-gw.machine.br.2871: 25625 NXDomain* 0/1/0 (112)
> 15:51:28.305822 test-gw.machine.br.2871 > ns.domain: 10964+ A? rachel.test.machine.br. (41)
> 15:51:28.306111 ns.domain > test-gw.machine.br.2871: 10964 NXDomain* 0/1/0 (106)
>
> -----
>  Sandra Regina de Souza                Internet: sandra at cuecc.unicamp.br
>  Suporte Redes - Centro de Computacao
>  Universidade Estadual de Campinas     Fone    : (019) 788-2239
>  Campinas - SP - Brasil
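To make the search order concrete, here is an added simulation (not code from the post, BIND or any libc) of the classic resolver rule Kevin describes: the search list comes from resolv.conf, "ndots" defaults to 1, a name with at least that many dots is tried as-is first and then with each search suffix, a name with fewer dots tries the search suffixes first and the bare name last, and a trailing dot marks a fully-qualified name. Running it on Sandra's "rachel.test" reproduces the three queries in her tcpdump, and on a name like "foo.is" it shows why partially-qualified names can send the first lookup outside the organisation.

```python
# Simulation of classic BIND-style resolver search order (added example, not from the post).
# Assumptions: a search list as in resolv.conf, an "ndots" threshold (default 1), and the
# rule described in the reply: a name with at least "ndots" dots is tried as-is first, then
# with each search-list suffix appended; a name with fewer dots tries the search list first
# and the bare name last. A trailing dot means fully-qualified and skips the search list.

def candidate_queries(name, search_list, ndots=1):
    """Return the absolute names the resolver would query, in the order it tries them."""
    if name.endswith("."):
        return [name]                        # FQDN with root dot: exactly one lookup
    as_is = name + "."
    searched = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    if name.count(".") >= ndots:
        return [as_is] + searched            # "partially-qualified": as-is (Internet) first
    return searched + [as_is]                # unqualified: local search domains first

def first_lookup_leaves_domain(name, search_list, local_suffixes, ndots=1):
    """True when the first query is not under any of the organisation's own domains,
    i.e. an external host could answer before the internal one is ever tried."""
    first = candidate_queries(name, search_list, ndots)[0]
    return not any(first.endswith("." + s.rstrip(".") + ".") for s in local_suffixes)

if __name__ == "__main__":
    # Sandra's resolv.conf: search test.machine.br machine.br
    sandra = ["test.machine.br", "machine.br"]
    for q in candidate_queries("rachel.test", sandra):
        print("A?", q)                       # same order as the tcpdump trace
    # Kevin's example: "is" is both an internal subdomain and a real TLD
    chrysler = ["is.chrysler.com", "chrysler.com"]
    print("foo.is first query:", candidate_queries("foo.is", chrysler)[0])
    print("leaves domain:", first_lookup_leaves_domain("foo.is", chrysler, ["chrysler.com"]))
    print("unqualified foo:", candidate_queries("foo", chrysler))
    print("FQDN:", candidate_queries("foo.is.chrysler.com.", chrysler))
```

Raising ndots (as the reply notes, only newer resolvers accept the option) moves the as-is lookup to the end of the list, which the function shows when called with ndots=2.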
