nslookup domain search order

Jim Reid jim at rfc1035.com
Tue Sep 26 22:01:30 UTC 2000


>>>>> "Sandra" == Sandra R de Souza -CONECT-#200502# <sandra at ccuec.unicamp.br> writes:

    Sandra>    I have a doubt about how nslookup works.

Join the club! :-) How nslookup ever works is a mystery. It's an
appalling tool. Use dig: this is far and away the best DNS lookup
tool. It doesn't have any of the unusual and exasperating "features"
that plague nslookup. Just throw it in the bin and use dig.

    Sandra> When I try to resolve a name without putting the domain
    Sandra> after it with nslookup, the dns server asks before to a
    Sandra> root name server, and after doing that it asks to my name
    Sandra> server, appending the domain to the name I have asked.
    Sandra> Why is the name server doing that?

Because it's nslookup and nslookup is a stupid tool. Your tcpdump logs
show nslookup making several queries to your name server. When the
first one (for rachel.test) fails, nslookup appends test.machine.br
and tries again. That lookup fails too. Then the idiotic nslookup
and/or resolver library walks up the domain name by trying a lookup
for rachel.test.machine.br. This is stupid and anti-social because it
generates lots of extra and unnecessary lookups, most of which end up
causing your name server to query the root servers. Nasty.

    Sandra> The correct action is to look up in my domain, and if it
    Sandra> hasn't found it ask the roots name server?

I'm not sure what you mean. The correct action for a DNS lookup tool
should be to look up the name that was asked for. No more, no less.
As a general rule, nslookup doesn't do that. The tcpdump logs you
provided showed just how bizarrely nslookup can behave.

Modern resolvers don't automatically append a default domain name to
the name that's being looked up, especially if that name contains a
dot. [The ndots directive in /etc/resolv.conf can change this.] To
make matters worse, nslookup sometimes uses different resolver code
from that provided by the system's C/resolver library. So how nslookup
behaves can be markedly different from how the resolver used by other
applications behaves.

So what you're seeing is a typical quirk of nslookup: try the name
as-is and if that fails, append the default domain name and try
again. This is stupid. And if that fails, chop off the left-most label
from the default domain name and try again. This is even more
stupid. It's also partly responsible for overloading the root name
servers with junk queries for local names. And this sort of behaviour
is also confusing, especially for novices.

Use dig for querying/testing name servers. It does exactly what you
tell it and only looks up the name you ask for. (Well normally unless
some fancy + query-options are tried.) dig won't try to "guess" what's
to be looked up, or insist on reverse lookups for the name server's
address to work, or inverse queries to work, or.....
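
An added example, not part of the original post: a small Python model of the query order described above for rachel.test with default domain test.machine.br, next to an ndots-style search list. The function names, the two-label stopping point for the parent walk, and machine.br as the locally served zone are assumptions made for illustration.

```python
# Added illustration; models query order only and sends no DNS traffic.

def legacy_walk(name, default_domain, min_labels=2):
    """Order described in the post: the name as-is, then with the default
    domain appended, then with each parent of the default domain.
    Assumption: the walk stops once fewer than min_labels labels remain."""
    if name.endswith("."):              # fully qualified: nothing to guess
        return [name]
    queries = [name + "."]
    labels = default_domain.strip(".").split(".")
    while len(labels) >= min_labels:
        queries.append(f"{name}.{'.'.join(labels)}.")
        labels = labels[1:]             # chop off the left-most label
    return queries


def ndots_search(name, search, ndots=1):
    """resolv.conf-style search: a name with at least ndots dots is tried
    as-is first; otherwise the search list is tried before the bare name."""
    if name.endswith("."):
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{d.strip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [as_is] + expanded
    return expanded + [as_is]


def outside_zone(queries, local_zone):
    """Queries that fall outside local_zone, i.e. names the local server
    cannot answer from its own data and has to resolve elsewhere."""
    suffix = "." + local_zone.strip(".") + "."
    return [q for q in queries if not q.endswith(suffix)]


if __name__ == "__main__":
    # Constructed input taken from the names mentioned in the post.
    walk = legacy_walk("rachel.test", "test.machine.br")
    print("legacy walk :", walk)
    print("leaves zone :", outside_zone(walk, "machine.br"))
    print("ndots=1     :", ndots_search("rachel", ["test.machine.br"]))
```

Writing the name with a trailing dot (rachel.test.machine.br.) makes both models issue exactly one query.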


