short names for remote hosts not in my network

Kevin Darcy kcd at daimlerchrysler.com
Mon Feb 20 21:45:46 UTC 2006


reader at newsguy.com wrote:

>Setup: Gentoo linux
>       bind-9.3.2
>
>Until I started running a local home network nameserver I used short
>names for 2 remote hosts where I have user accounts, by listing them
>in /etc/hosts:
>  207.106.84.135  io.jtan.com                io       # gentoo
>  207.106.84.134  callisto.jtan.com          callisto # obsd
>
>Then at the command line I could `ssh io' and ssh would know it was
>io.jtan.com.
>
>My domain is a private home domain `local.net0'
>
>I still have those entries in /etc/hosts but now that I'm running
>bind, my system thinks `io' is a completely different machine not in
>jtan.com domain at all.
>
>So `ssh io' now tries to contact a different io.
>
>   nslookup io
>  Server:         127.0.0.1
>  Address:        127.0.0.1#53
>  
>  Non-authoritative answer:
>  Name:   io
>  Address: 80.249.100.38
>====================================
>
>   nslookup io.jtan.com
>  Server:         127.0.0.1
>  Address:        127.0.0.1#53
>  
>  Non-authoritative answer:
>  Name:   io.jtan.com
>  Address: 207.106.84.135
>
>The name io does not appear anywhere in my bind setup files.  So I'm
>wondering why the short name is not known to be the one listed in
>/etc/hosts?  Or why it doesn't just fail if /etc/hosts isn't coming
>into play.
>
>Is it coming from a cached lookup or what?
>
This is a good example of why shortnames are evil. They produce 
unexpected, unreliable results. In this case, you should use the -debug 
option to nslookup to see what it is *actually* looking up. Chances are, 
there is some whacky domain in the "domain" or "searchlist" directives 
of /etc/resolv.conf that's causing "io" to resolve in a way that you 
didn't expect. Imagine if someone set up a website under the other "io" 
that looked just like your "io" website. You might be fooled into 
logging into that website, and voila! your password is stolen and maybe 
your identity too...

Get in the habit of using fully-qualified names. It may seem like a pain 
now, but in the long run you're better off for it.

- Kevin
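
The following is an added example, not part of the original thread: a small Python sketch of the lookup order a stub resolver applies to a name, using the `search`/`domain`/`ndots` rules from resolv.conf(5). It assumes glibc-style behaviour; the resolv.conf content and the `example.net` search entry are constructed, and the function names are hypothetical.

```python
# Added example: ordered list of names a stub resolver tries for an input name,
# per the search/domain/ndots rules in resolv.conf(5) (glibc behaviour assumed).

def parse_resolv_conf(text):
    """Return (search_list, ndots) from resolv.conf content."""
    search, ndots = [], 1                      # ndots defaults to 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        keyword, args = fields[0], fields[1:]
        if keyword == "search":                # last search/domain line wins
            search = args
        elif keyword == "domain" and args:
            search = args[:1]
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots

def candidates(name, search, ndots=1):
    """Fully-qualified names queried, in order, for `name`."""
    if name.endswith("."):                     # trailing dot: absolute, no search
        return [name]
    as_is = name + "."
    expanded = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:               # enough dots: try as typed first
        return [as_is] + expanded
    return expanded + [as_is]                  # short name: search list first

# Constructed sample; local.net0 is the home domain mentioned in the thread,
# example.net is a placeholder for an unexpected search entry.
SAMPLE = """\
# constructed sample
domain local.net0
search local.net0 example.net
nameserver 127.0.0.1
"""

if __name__ == "__main__":
    search, ndots = parse_resolv_conf(SAMPLE)
    for n in ("io", "io.jtan.com", "io.jtan.com."):
        print(n, "->", candidates(n, search, ndots))
```

Note that nslookup sends its queries to the DNS server directly and does not consult /etc/hosts, so a short name typed into nslookup is expanded only through this search list.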