DHCP Option 119
Kevin Darcy
kcd at daimlerchrysler.com
Tue Oct 19 01:44:12 UTC 2004
David Botham wrote:

>bind-users-bounce at isc.org wrote on 10/18/2004 04:45:37 PM:
>
>>Is Option 119 available for Windows Server 2003 DHCP servers? I would
>>like to use this option to distribute a DNS Suffix Search List to
>>clients.
>
>Perhaps you should ask this question on a list dedicated to Windows Server
>2003 DHCP or even a DHCP mailing list. The BIND list is probably not the
>best place for this question.
It is, however, a good place IMO to point out how evil searchlists (aka
"suffix search lists") are, since this "feature" impacts many if not
most BIND installations.

There's nothing quite like planting a bunch of wild-ass domain *guesses*
in your clients' brains, if you want to chew up significant network and
nameserver resources answering pointless, doomed queries, not to mention
adding query latency for the user, whenever the domain *guess* they need
happens to be far down into the searchlist. And heaven help anyone who
uses diverse searchlists on their clients and also creates the same
shortnames in different domains -- now all of a sudden people can end up
at the *wrong* resource, depending on the order of their searchlist.

Don't you have better uses for your time than troubleshooting
ridiculous, self-created problems like that? Do you understand that this
raises an important *security* issue, since people (rightly or wrongly)
put trust in DNS resolution, and going to the "wrong" shortname can
therefore result in a form of unexpected privilege escalation?

I would highly recommend to the original poster to wean his users from
their shortname dependency, rather than indulge it with searchlists and
have it grow into a full-blown addiction. We've been down the
shortname-addiction path, and trust me, it ain't pretty...
- Kevin
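The two effects Kevin describes (doomed queries for names far down the searchlist, and the same shortname landing on different hosts depending on searchlist order) can be made concrete with a small simulation of stub-resolver searchlist expansion. This is an added illustration, not code from the original post or from BIND; the zone data, the two searchlists and the `ndots` handling are constructed assumptions that follow the conventional resolv.conf-style behaviour (try the name under each suffix in order, then the bare name, stopping at the first answer).

```python
"""Simulate searchlist expansion of a short name on two differently configured clients.

Added illustration (not from the original post). Zone data and searchlists are
constructed; the expansion order assumes a classic stub resolver with ndots=1:
a name with fewer dots than ndots is tried under every search suffix first and
as an absolute name last.
"""
from typing import Dict, List, Optional, Tuple

# Constructed zone data: FQDN -> address. Note that "intranet" exists in
# two different domains, which is exactly the ambiguity the post warns about.
ZONE: Dict[str, str] = {
    "intranet.corp.example.": "10.1.1.10",
    "intranet.lab.example.": "10.9.9.20",
    "mail.corp.example.": "10.1.1.25",
}

# Two clients handed different suffix orders (e.g. via DHCP option 119).
CLIENT_A_SEARCHLIST = ["corp.example", "lab.example"]
CLIENT_B_SEARCHLIST = ["lab.example", "corp.example"]


def expand_candidates(name: str, searchlist: List[str], ndots: int = 1) -> List[str]:
    """Return the absolute names a stub resolver would query, in order."""
    if name.endswith("."):
        return [name]  # already absolute: no searchlist guessing at all
    dots = name.count(".")
    candidates: List[str] = []
    if dots >= ndots:
        candidates.append(name + ".")  # enough dots: try the literal name first
    for suffix in searchlist:
        candidates.append(f"{name}.{suffix.rstrip('.')}.")
    if dots < ndots:
        candidates.append(name + ".")  # short name: literal name is the last resort
    return candidates


def resolve(name: str, searchlist: List[str], zone: Dict[str, str] = ZONE,
            ndots: int = 1) -> Tuple[Optional[str], Optional[str], int]:
    """Resolve name against the constructed zone.

    Returns (matched_fqdn, address, queries_sent). Every candidate that is
    absent from the zone counts as one wasted NXDOMAIN round trip.
    """
    queries = 0
    for candidate in expand_candidates(name, searchlist, ndots):
        queries += 1
        if candidate in zone:
            return candidate, zone[candidate], queries
    return None, None, queries


if __name__ == "__main__":
    for label, sl in (("client A", CLIENT_A_SEARCHLIST), ("client B", CLIENT_B_SEARCHLIST)):
        for short in ("intranet", "mail", "printer"):
            fqdn, addr, n = resolve(short, sl)
            print(f"{label:8} {short:9} -> {fqdn} {addr} after {n} query(ies)")
```

Running it shows "intranet" resolving to 10.1.1.10 on client A but 10.9.9.20 on client B with no change to the zone, "mail" costing client B an extra NXDOMAIN round trip, and a nonexistent "printer" generating three doomed queries on every client. The only robust fix is the one the post recommends: have users and applications use fully qualified names so that no suffix guessing happens.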