nslookup domain search order

Bob Vance bobvance at alumni.caltech.edu
Wed Sep 27 04:40:19 UTC 2000 

I think that you're way too hard on 'nslookup'.
But then again, IIRC, you also enjoy typing FQDNs for everything,
and deprecate the use of "search" :)
So I wouldn't expect you to appreciate the attempt of resolver code to
allow you to use short names.

'nslookup' is simply trying to emulate this behavior of the resolver
library, which is why you should use the vendor's version that
corresponds to the resolver lib that your programs are using.

Personally, I find this very useful for internal use.  I can configure a
Win95 client to use "mailx" for the SMTP relay, for example, and it will
still work when I move it to another sub-domain without re-configuring
the mail client (assuming that I have configured the requisite servers
and DNS properly).

With a large number of servers and domains you certainly have
diminishing returns, but that doesn't mean it's totally useless.

BTW, what "modern" resolver code are you referring to that doesn't allow
this?  I still consider Win98, NT4, and HP-UX 11.00 fairly modern.



-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:bobvance at alumni.caltech.edu>
Senior Tech. Consultant,   SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================

-----Original Message-----
From: jim at gromit.rfc1035.com [mailto:jim at gromit.rfc1035.com]On Behalf Of
Jim Reid
Sent: Tuesday, September 26, 2000 6:02 PM
To: Sandra R. de Souza -CONECT-#200502#
Cc: bind-users at isc.org
Subject: Re: nslookup domain search order


>>>>> "Sandra" == Sandra R de Souza -CONECT-#200502#
<sandra at ccuec.unicamp.br> writes:

    Sandra>    I have a doubt about how nslookup works.

Join the club! :-) How nslookup ever works is a mystery. It's an
appalling tool. Use dig: this is far and away the best DNS lookup
tool. It doesn't have any of the unusual and exasperating "features"
that plague nslookup. Just throw it in the bin and use dig.

    Sandra> When I try to resolve a name without putting the domain
    Sandra> after it with nslookup , the dns server asks before to a
    Sandra> root name server, and after doing that it asks to my name
    Sandra> server, appending the domain to the name I have asked.
    Sandra> Why is the name server doing that?

Because it's nslookup and nslookup is a stupid tool. Your tcpdump logs
show nslookup making several  queries to your name server. When the
first one (for rachel.test) fails, nslookup appends test.machine.br
and tries again. That lookup fails too. Then the idiotic nslookup
and/or resolver library walks up the domain name by trying a lookup
for rachel.test.machine.br. This is stupid and anti-social because it
generates lots of extra and unnecessary lookups, most of which end up
causing your name server to query the root servers. Nasty.

    Sandra> The correct action is to look up in my domain, and if it
    Sandra> hasn't fount it ask the roots name server?

I'm not sure what you mean. The correct action for a DNS lookup tool
should be to lookup the name that was asked for. No more, no less.
As a general rule, nslookup doesn't do that. The tcpdump logs you
provided showed just how bizarrely nslookup can behave.

Modern resolvers don't automatically append a default domain name to
the name that's being looked up, especially if that name contains a
dot. [The ndots directive in /etc/resolv.conf can change this.] To
make matters worse, nslookup sometimes uses different resolver code
from that provided by the system's C/resolver library. So how nslokup
behaves can be markedly different from how the resolver used by other
applications behaves.

So what you're seeing is a typical quirk of nslookup: try the name
as-is and if that fails, append the default domain name and try
again. This is stupid. And if that fails, chop off the left-most lable
from the default domain name and try again. This is even more
stupid. It's also partly responsible for overloading the root name
servers with junk queries for local names. And this sort of behaviour
is also confusing, especially for novices.

Use dig for querying/testing name servers. It does exactly what you
tell it and only looks up the name you ask for. (Well normally unless
some fancy + query-options are tried.) dig won't try to "guess" what's
to be looked up, or insist on reverse lookups for the name server's
address to work, or inverse queries to work, or.....

More information about the bind-users mailing list